SOX Section 404
Regulator: U.S. Securities and Exchange Commission, PCAOB
SOX 404 is fundamentally about financial controls, not technology. Signal Provenance is the evidence and integrity layer: it proves the controls operated, the records are intact, and the changes were authorized. It does not replace the financial control framework itself.
Scope
Sarbanes-Oxley Section 404 requires management assessment and external auditor attestation of internal controls over financial reporting (ICFR) for SEC-registered companies. SOX 404(a) is management's assessment; 404(b) is the auditor's attestation. Material weaknesses must be disclosed.
Control-by-control coverage
Every claim below traces to source code in the echology monorepo or to a deliverable template shipped with Signal Provenance. If the code does not do it, the row is not here.
| Control | Requirement | Coverage | Evidence mechanism | Source |
|---|---|---|---|---|
| Document control design | Management must document the design of internal controls over financial reporting | Strong | AI risk assessments document control objectives, tiers, registered risks, and mitigations per deployment. Deliverable templates structure the control narrative. | ops.db ai_risk_assessments, ops/deliverables/templates/ |
| Test operating effectiveness | Controls must be tested to confirm they operated as designed during the reporting period | Strong | Review gates document that each control operated: reviewer identity, timestamp, decision. The Aletheia ledger is the test evidence ledger. verify_chain() confirms no post hoc alteration. | ops/db.py review_gates, engine/aletheia/ledger.py |
| Record integrity | Financial records and supporting evidence must not be alterable without detection | Complete | SHA-256 hash chain. Modifying any witness entry breaks all subsequent chain_hash values. Independent verification via verify_chain(). | engine/aletheia/ledger.py |
| Change authorization | Every change to a financial record or control must be authorized and traceable to an individual | Complete | 49 operational witness points record actor, timestamp, workstation, and content hash on every write. Findings require a distinct confirmer via confirm_finding(). | ops/db.py _witness, confirm_finding |
| Segregation of duties | The preparer and the approver of a financial transaction must be different individuals | Strong | Review gates require a reviewer identity distinct from the proposer. RBAC roles differentiate operator, reviewer, and admin. Electronic signatures capture two-factor identity on approval. | ops/db.py review_gates, ops/rbac.py |
| Retention | SOX-relevant records must be retained for seven years | Strong | Configurable retention per deployment. Backup script keeps rolling snapshots. Ledger is append-only; the chain itself is the retention mechanism. | provenance/config.py, backup scripts |
| Audit trail for financial records | Complete, time-stamped, tamper-evident log of access and changes | Complete | Aletheia hash chain plus 49 witness points plus per-inference log. Every event is time-stamped, actor-identified, and workstation-identified. | engine/aletheia/ledger.py, ops/db.py |
| Evidence of control monitoring | Management must monitor that controls continue to operate effectively | Strong | Dashboard surfaces chain status and gate activity. ops optimize flags stale files, knowledge concentration, and blocked initiatives. ops compliance status runs a quick health check. | provenance/dashboard.py, ops/optimize.py |
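As an added illustration of the mechanism the Record integrity and Audit trail rows rely on (a SHA-256 hash chain over witness entries that `verify_chain()` recomputes independently), the following is example code and not `engine/aletheia/ledger.py`; the field names, the `seq` counter and the `(ok, first_broken_index)` return shape are assumptions:

```python
import hashlib
import json

# Example hash-chained, append-only witness ledger with an independent
# verify_chain() check. Not the project's ledger.py; the field names
# (actor, workstation, content_hash, chain_hash) are assumed here.
GENESIS = "0" * 64


def _entry_hash(prev_chain_hash: str, entry: dict) -> str:
    """Bind an entry to its predecessor: sha256(prev chain_hash || canonical JSON)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_chain_hash + payload).encode()).hexdigest()


def append_witness(ledger: list, actor: str, workstation: str, content: bytes, ts: str) -> dict:
    """Append one witness point; its chain_hash commits to every earlier entry."""
    prev = ledger[-1]["chain_hash"] if ledger else GENESIS
    entry = {
        "seq": len(ledger),
        "actor": actor,
        "workstation": workstation,
        "timestamp": ts,
        "content_hash": hashlib.sha256(content).hexdigest(),
    }
    entry["chain_hash"] = _entry_hash(prev, entry)
    ledger.append(entry)
    return entry


def verify_chain(ledger: list):
    """Recompute every chain_hash; return (ok, index of first broken entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "chain_hash"}
        if _entry_hash(prev, body) != entry["chain_hash"]:
            return False, i
        prev = entry["chain_hash"]
    return True, None


def demo():
    # Constructed sample: three witness points, then a post hoc edit to entry 1.
    ledger = []
    append_witness(ledger, "alice", "ws-01", b"journal entry 1042", "2024-03-01T09:00:00+00:00")
    append_witness(ledger, "bob", "ws-07", b"approve 1042", "2024-03-01T09:05:00+00:00")
    append_witness(ledger, "carol", "ws-02", b"period close Q1", "2024-03-31T17:00:00+00:00")
    intact = verify_chain(ledger)
    ledger[1]["actor"] = "alice"  # tamper: rewrite who approved after the fact
    return intact, verify_chain(ledger)
```

Recomputation alone cannot detect truncation of the newest entries, since a shorter chain still verifies; that is why the head hash also needs to be recorded outside the ledger, for example in the retention snapshot manifest.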
What Signal Provenance does not do
The platform is the technical evidence layer. The items below require organizational or physical implementation by the client. Listing them explicitly is how we keep the claim honest.
- Design of financial controls themselves (the CFO/controller owns the control framework).
- External auditor attestation (Signal Provenance provides the evidence; the auditor forms the opinion).
- Financial workflow approvals (accounts payable, journal entries, period close).
- Financial statement preparation and reporting outputs.
What you get
Each deployment ships these artifacts. All are generated from the live ledger and current deployment state.
- SOX 404 evidence export (PDF + JSON): `ops compliance audit <deployment-id> --framework sox_404`
- Review-gate operating-effectiveness report: `ops compliance gates <deployment-id>`. Every gate, reviewer, decision, and timestamp across the reporting period.
- Segregation-of-duties check: `ops rbac sod-check <deployment-id>`. Flags cases where the same user proposed and approved a finding.
- Retention snapshot manifest: `ops backup list`
- Chain integrity proof: `ops ledger verify <deployment-id>`. Prove it for your next audit.
Signal Provenance is deployed white-glove. We configure it on your hardware, point it at your folders, and generate your first SOX Section 404 coverage export together. Your auditor verifies the hash chain independently.
Canonical URL: /provenance/frameworks/sox-404/ · Cited in every compliance export for SOX Section 404.