How to Audit AI Decisions for SOX and SOC 2 Compliance

For finance and compliance teams that need audit trails for AI-assisted approvals satisfying SOX controls and SOC 2 audit requirements.

The answer

SOX Sections 302 and 404 require that material financial decision processes have documented controls and evidence of consistent application. When AI assists financial approvals — purchase orders, expense reports, vendor payments, revenue recognition decisions — those AI decisions must be auditable with the same rigor as human approvals. This requires: (1) a record of what decision was made and when; (2) the rules that governed it at that time; (3) the actor who authorized it; and (4) proof that the same rules produce the same outcome (reproducibility). Corules provides all four. Every evaluation produces an immutable audit record with policy_set_version, actor_id (taken from signed claims), a normalized input hash, and the outcome. Historical decisions are replayable: the same policy version and the same input always produce the same result.

How it works

Corules's policy runtime sits in the enforcement path between your AI agent and the action it wants to take. The agent sends a structured context payload to /v1/validate. Corules evaluates the context against a compiled CEL policy set and returns a structured decision — ALLOW, BLOCK, or ESCALATE — with a reason and audit ID.

Every decision is recorded in an immutable audit ledger. You can replay any past decision by providing the policy_set_version and the normalized input hash — the result will be identical.

Policy example

Policies are written in CEL (Common Expression Language). They are compiled once at publish time and evaluated in microseconds at request time. Each evaluation of a compiled policy set produces an audit record in the following format.

// Audit record format satisfying SOX evidence requirements:
{
  "audit_id": "aud_01J...",
  "use_case": "purchase_order_approval",
  "policy_set_version": "pset_v4.1.0",      // what rules applied
  "actor_id": "svc_agent_procurement_01",   // who (signed claims)
  "input_hash": "sha256:7f3a...",           // what was evaluated
  "outcome": "ALLOW",                       // what was decided
  "evaluated_at": "2026-02-23T14:22:11Z"    // when
}
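The following is an added illustration, not Corules code, of how the four evidence fields above support replay: the compiled CEL policy sets are stood in for by two hypothetical Python predicates keyed by version, the "normalized input hash" is assumed to be SHA-256 over canonical JSON (sorted keys, no whitespace), and the audit IDs and purchase-order contexts are constructed sample values. It also shows why the record pins the policy version: a later policy revision changes the live answer for the same input, but replay against the recorded version still reproduces the original outcome.

```python
import hashlib
import json

# Hypothetical stand-ins for compiled CEL policy sets, keyed by version.
# Each returns the page's decision vocabulary: ALLOW, BLOCK or ESCALATE.
def _pset_v4_1_0(ctx):
    if not ctx["vendor_approved"]:
        return "BLOCK"
    return "ALLOW" if ctx["amount"] <= 10_000 else "ESCALATE"

def _pset_v4_2_0(ctx):  # later revision lowers the auto-approval limit
    if not ctx["vendor_approved"]:
        return "BLOCK"
    return "ALLOW" if ctx["amount"] <= 5_000 else "ESCALATE"

POLICY_SETS = {"pset_v4.1.0": _pset_v4_1_0, "pset_v4.2.0": _pset_v4_2_0}

def normalize_input(context):
    # Canonical JSON (sorted keys, no whitespace) so key order or spacing in
    # the agent's payload cannot change the hash of the same logical input.
    canonical = json.dumps(context, sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def evaluate(ledger, policy_set_version, actor_id, context, evaluated_at):
    # Produce one audit record with the evidence fields from the page and
    # append it; the ledger list is only appended to, never edited.
    outcome = POLICY_SETS[policy_set_version](context)
    record = {
        "audit_id": f"aud_{len(ledger) + 1:06d}",  # constructed sample id
        "use_case": "purchase_order_approval",
        "policy_set_version": policy_set_version,
        "actor_id": actor_id,
        "input_hash": normalize_input(context),
        "outcome": outcome,
        "evaluated_at": evaluated_at,
    }
    ledger.append(record)
    return record

def replay(record, context):
    # Reproducibility check: the supplied context must hash to what was
    # evaluated, and the pinned policy version must yield the same outcome.
    if normalize_input(context) != record["input_hash"]:
        return "INPUT_MISMATCH"
    outcome = POLICY_SETS[record["policy_set_version"]](context)
    return "REPRODUCED" if outcome == record["outcome"] else "DIVERGED"
```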

Frequently Asked Questions

Does the audit log satisfy SOX internal control documentation requirements?

The Corules audit ledger provides the technical evidence layer: every AI decision with policy version, actor, input, and outcome. Your SOX compliance team will need to map this to your specific control framework and risk assessment.

How long is audit data retained?

Retention is tenant-configurable. The ledger is append-only — records cannot be deleted or modified. Retention periods can be set to satisfy your regulatory obligations (7 years for SOX, for example).

Can we produce audit evidence on demand for a SOC 2 examination?

Yes. The audit API supports time-ranged queries by use case, actor, outcome, and policy version. Evidence exports are available in JSON and CSV format — formatted for auditor review.

See it working in your environment

Start free — no credit card, no sales call. Evaluate up to 1,000 decisions per month.
