SOX controls for AI in financial reporting
AI involved in earnings, forecasting, or estimation is in scope for Section 404. Prism produces the change-management and operating-effectiveness evidence external auditors expect.
- ICFR-compatible documentation for AI controls
- Change-management evidence for prompt and model updates
- Operating-effectiveness testing each quarter
- Auditor-ready exports per fiscal period
About this framework
The Sarbanes-Oxley Act of 2002 (SOX), particularly Section 404, requires public companies to evaluate and report on the effectiveness of internal controls over financial reporting (ICFR). PCAOB Auditing Standard 2201 governs how external auditors assess these controls. AI used in revenue recognition, expense estimation, or other financial-reporting processes inherits the same control rigor as any other ICFR system.
Who needs to comply
Industries this applies to
Public companies
All US issuers; AI used in financial-reporting processes is in scope for Section 404.
Banks
Public bank holding companies (BHCs) running AI in CECL (current expected credit loss), ALLL (allowance for loan and lease losses), or capital reporting.
Asset Management
Public asset managers using AI in NAV, fee, or expense estimation.
Audit expectations
What auditors look for in AI used for financial reporting
- Documented control objectives and responsible owners
- Change-management discipline on prompts, models, and tool definitions
- Operating-effectiveness testing within the period
- Evidence retention through the external audit cycle
Mapping
How Prism produces the artifacts
| Obligation | Capability | Evidence |
|---|---|---|
| Change management | Prism Experiments + Traces | Variant history retained; before/after metrics for any prompt or model change |
| Operating effectiveness | Prism Evaluations | Quarterly quality-score reports per system, ready for SOX walkthrough |
| Audit trail retention | Prism Audit Export | Immutable exports per fiscal period, signed and timestamped |
Built for: Public-company finance, accounting, and internal-audit teams using AI in reporting