SOX Extended — §302/§906 Officer Attestation Coverage
This extended SOX mapping covers the officer-attestation provisions of §302 and §906 — the quarterly/annual certifications by CEO/CFO that disclosure controls are designed, evaluated, and effective. Ledgix pairs signed quarterly attestation records with the operational ledger they reference, giving officers a cryptographically bound evidence package to support each filing.
Status: Full — every control resolves to an artifact Ledgix produces today, now that the Phase 2 (incidents) and Phase 8 (attestations) modules have shipped.
Scope
§302 requires officers to certify disclosure controls and procedures (design, evaluation, disclosure of deficiencies, disclosure of changes). §906 requires the CEO and CFO to certify that the periodic report fairly presents the financial condition. Both apply to public companies filing periodic reports with the SEC. Pair with the SOX-for-AI mapping for the underlying ITGC coverage.
Controls covered
| Control | Evidence types | Control name | Ledgix evidence |
|---|---|---|---|
| SOX-302(a)(4)(A) | policy_snapshots / events_jsonl | Disclosure Controls and Procedures — Design | Versioned disclosable AI policies; every financial-action decision bound to a policy version. |
| SOX-302(a)(4)(B) | attestations / events_jsonl / checkpoint_chain | Disclosure Controls — Evaluation | Signed quarterly §302 attestation records with period summary, metrics, and exceptions. |
| SOX-302(a)(5) | incidents / events_jsonl | Disclosure of Deficiencies to Audit Committee | Signed incident records capture severity-classified deficiencies with root-cause and corrective action. |
| SOX-302(a)(6) | policy_snapshots | Disclosure of Changes in Internal Controls | Policy-version transitions constitute materially identifiable internal-control changes. |
| SOX-906(a) | attestations / signatures / key_history / framework_mapping | CEO/CFO Certification of Periodic Reports | Signed §906 certification records bound to the packet SHA-256 of the underlying evidence bundle. |
Evidence types referenced
- policy_snapshots — versioned disclosable AI policies as design artifacts.
- events_jsonl — operational data supporting management-level effectiveness evaluation.
- attestations — signed §302 quarterly and §906 CEO/CFO attestation records.
- checkpoint_chain — continuous integrity evidence for the evaluation period.
- incidents — signed deficiency records with severity, root-cause, and corrective action.
- signatures — Ed25519 signature over manifest as the integrity basis for officer attestation.
- key_history — signing-key custody history supporting attestation chain-of-custody.
- framework_mapping — control-to-evidence mapping referenced in the certification package.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today. §302 and §906 attestation records are authored by officers in the admin console's attestation workflow; Ledgix binds each attestation to the evidence bundle's SHA-256 at signing time.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting SOX Extended — §302/§906 Officer Attestation Coverage and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
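The two checks an auditor would run over an exported packet are the ones described under Known gaps (the attestation record is bound to the evidence bundle's SHA-256 and signed with Ed25519) and under Audit pack workflow (every evidence_locators[] entry in framework_mapping.json must resolve to a file in the ZIP). The following Go program is an added example written for this page, not Ledgix code: the Attestation record shape, the framework_mapping.json field layout, and the choice to hash the whole ZIP as the packet are assumptions, and the bundle contents are constructed sample data.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attestation is an assumed record shape; Ledgix's real attestation format is not on the page.
type Attestation struct {
	Control      string `json:"control"`
	Period       string `json:"period"`
	PacketSHA256 string `json:"packet_sha256"` // SHA-256 of the exported evidence ZIP
}

// buildBundle constructs a sample in-memory evidence ZIP (constructed data, fixed file order).
func buildBundle() []byte {
	files := []struct{ name, body string }{
		{"framework_mapping.json", `{"controls":[{"id":"SOX-302(a)(5)","evidence_locators":["incidents/INC-0001.json"]},` +
			`{"id":"SOX-906(a)","evidence_locators":["signatures/manifest.sig"]}]}`},
		{"incidents/INC-0001.json", `{"severity":"high","root_cause":"sample","corrective_action":"sample"}`},
		{"signatures/manifest.sig", "sample-signature-bytes"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, f := range files {
		w, _ := zw.Create(f.name)
		w.Write([]byte(f.body))
	}
	zw.Close()
	return buf.Bytes()
}

// packetHash is the SHA-256 the attestation is bound to at signing time.
func packetHash(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// signAttestation signs the record's JSON bytes (struct field order is fixed, so they are
// reproducible) with the officer's Ed25519 key and returns both the bytes and the signature.
func signAttestation(a Attestation, priv ed25519.PrivateKey) (msg, sig []byte) {
	msg, _ = json.Marshal(a) // cannot fail for a struct of plain strings
	return msg, ed25519.Sign(priv, msg)
}

// verifyPacket is the auditor-side check: signature, then hash binding, then every
// evidence locator in framework_mapping.json must resolve to a file inside the bundle.
func verifyPacket(bundle, msg, sig []byte, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("attestation signature does not verify")
	}
	var a Attestation
	if err := json.Unmarshal(msg, &a); err != nil {
		return err
	}
	if a.PacketSHA256 != packetHash(bundle) {
		return fmt.Errorf("attestation is bound to a different evidence bundle")
	}
	zr, err := zip.NewReader(bytes.NewReader(bundle), int64(len(bundle)))
	if err != nil {
		return err
	}
	rc, err := zr.Open("framework_mapping.json")
	if err != nil {
		return err
	}
	defer rc.Close()
	var mapping struct {
		Controls []struct {
			ID       string   `json:"id"`
			Locators []string `json:"evidence_locators"` // field layout assumed
		} `json:"controls"`
	}
	if err := json.NewDecoder(rc).Decode(&mapping); err != nil {
		return err
	}
	for _, c := range mapping.Controls {
		for _, loc := range c.Locators {
			f, err := zr.Open(loc)
			if err != nil {
				return fmt.Errorf("%s: evidence locator %q not in bundle", c.ID, loc)
			}
			f.Close()
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key; real keys sit under key_history custody
	bundle := buildBundle()
	msg, sig := signAttestation(Attestation{"SOX-906(a)", "2024-Q1", packetHash(bundle)}, priv)
	fmt.Println("original bundle:", verifyPacket(bundle, msg, sig, pub))
	tampered := append(append([]byte{}, bundle...), 0) // one extra byte breaks the hash binding
	fmt.Println("tampered bundle:", verifyPacket(tampered, msg, sig, pub))
}
```

The order of checks matters: the signature is verified first so that nothing in an unsigned or altered record is trusted, the hash comparison then ties that signed record to exactly one exported ZIP, and only then is the ZIP parsed to confirm the mapping's locators are all present. A bundle edited after signing, a record edited after signing, a signature from a different key, and a mapping with a dangling locator all fail with a distinct error.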
References
- Framework mapping JSON: vault/internal/compliance/frameworks/sox_extended.json
- Canonical source: Sarbanes-Oxley Act §§ 302, 906 — sec.gov