Sarbanes-Oxley Sections 302 and 404 (United States, public-company reporting) place obligations on organizations to demonstrate that operational controls were in place, that AI and automated decisions were governed, and that an audit trail exists for regulatory inquiry. Most existing audit-log architectures meet the letter of the requirement but produce evidence that is tied to the operator's current systems. If those systems change or fail, the evidence weakens.
H33-74 produces audit evidence that survives the system that produced it.
The receipt is cryptographically verifiable independent of the operator. The PQ signatures survive the quantum transition. The chain anchors survive any single chain's deprecation. The audit horizon is institutional, not application-bound.
What SOX requires
SOX 302 requires CEO and CFO certification of internal control over financial reporting (ICFR). SOX 404 requires annual management assessment and auditor attestation of ICFR effectiveness. Both rely on documented evidence that controls were designed properly, operated effectively, and were not overridden. Most ICFR programs lean heavily on application-level audit logs, change tickets, approval workflows, and reconciliations as evidence.
Why H33-74 fits
SOX audit evidence has to remain verifiable through external auditor review cycles and SEC inspection horizons. That horizon now extends beyond the lifetime of the systems and tooling many organizations used five years ago. H33-74 makes each control's operational evidence a self-verifying cryptographic object: an auditor takes the receipt, verifies the three PQ signatures, verifies the chain anchor, and knows the decision occurred under the stated policy at the stated time without depending on the operator's continued system architecture.
Control mapping
Segregation of duties
Each transfer authorization receipt records the requesting party, the approving party, and the policy reference. The receipt is cryptographically signed, chain-anchored, and auditor-verifiable.
Authorization controls
Each authorization decision emits an H33-74 receipt at the moment the policy engine approves. The receipt includes the policy version, the AI recommendation (if any), the human signer, and the decision result.
System access controls
Privileged access grants and changes emit receipts. Provenance of who granted what access, when, and under what policy is verifiable independently of the IAM system's continued availability.
Period-end reconciliations
Each reconciliation produces a receipt containing the reconciled balances, the source systems queried, the variance threshold applied, and the reviewer's signature.
Management override detection
Override events produce distinct receipts that an auditor can query independently. Detection logic and override approval chains both produce verifiable evidence.
What this changes for the audit team
- Each control's evidence is a cryptographic object the auditor verifies directly, not a log entry the auditor trusts because the operator says so.
- The audit horizon extends beyond the operator's current systems, vendors, or chain choices.
- Regulator inquiry years after a decision can be answered with the original PQ-signed receipt rather than reconstructed from operator memory.
- Independent third-party verification works without the operator's infrastructure being available.
How H33-74 is integrated
- For each control that produces a decision or outcome, the system emits an H33-74 receipt at the moment the decision is made.
- Receipts are signed with three independent post-quantum signature families and contain the structured computation result.
- Receipts are anchored on one or more chains as the audit policy requires (delayed or immediate, single-chain or multi-chain).
- The audit team is given the receipt store and the open-source verifier. They verify independently.
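The following is an added example, not H33-74's own code, showing the shape of the four integration steps above and the segregation-of-duties receipt from the control mapping: a control decision is canonically encoded, signed by three independent signature schemes, anchored as a digest, and then verified by an auditor holding only public keys and the anchor record. The page does not name H33-74's three post-quantum families, so hash-based Lamport one-time signatures over three different hash functions stand in for them; the sorted-key JSON encoding, the constructed anchor record, and all receipt field values are assumptions for illustration.

```python
"""Added example, not H33-74's own code: a SOX control receipt signed by three
independent signature schemes and verified offline from public keys alone.

Assumptions (not from the page): the three post-quantum families are stood in
for by hash-based Lamport one-time signatures over three different hash
functions, the canonical encoding is sorted-key JSON, and the "chain anchor"
is a constructed record holding the receipt digest.
"""
import hashlib
import json
import os

# Three independent signature families; a break in one hash function does not
# affect the others. Each Lamport key pair must be used for exactly one receipt.
FAMILIES = ("sha256", "sha3_256", "blake2s")  # all produce 32-byte digests


def _h(alg, data):
    return hashlib.new(alg, data).digest()


def _bits(digest):
    """Expand a 32-byte digest into its 256 bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]


def keygen(alg):
    """Lamport OTS key: 256 secret pairs; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(alg, s0).hex(), _h(alg, s1).hex()) for s0, s1 in sk]
    return sk, pk


def sign(alg, sk, msg):
    """Reveal one secret preimage per bit of the message digest."""
    return [sk[i][b].hex() for i, b in enumerate(_bits(_h(alg, msg)))]


def verify(alg, pk, msg, sig):
    """Each revealed preimage must hash to the public-key entry chosen by that bit."""
    if len(sig) != 256:
        return False
    bits = _bits(_h(alg, msg))
    return all(_h(alg, bytes.fromhex(s)).hex() == pk[i][bits[i]]
               for i, s in enumerate(sig))


def canonical(body):
    """Deterministic byte encoding so signer and verifier hash the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(body, keys):
    """keys: {family: secret_key}. Returns (receipt, anchor_record)."""
    msg = canonical(body)
    receipt = {
        "body": body,
        "signatures": {alg: sign(alg, keys[alg], msg) for alg in FAMILIES},
    }
    # Constructed anchor: the chain carries only the digest of the receipt body,
    # which proves existence at anchoring time without exposing the content.
    anchor = {"chain": "constructed-chain-A", "digest": _h("sha256", msg).hex()}
    return receipt, anchor


def verify_receipt(receipt, pubkeys, anchor):
    """Auditor-side check needing only public keys and the anchor record."""
    msg = canonical(receipt["body"])
    results = {alg: verify(alg, pubkeys[alg], msg, receipt["signatures"].get(alg, []))
               for alg in FAMILIES}
    results["anchor"] = anchor["digest"] == _h("sha256", msg).hex()
    return results


def demo():
    """Issue one transfer-authorization receipt, then verify it and a tampered copy."""
    keypairs = {alg: keygen(alg) for alg in FAMILIES}
    secret = {alg: kp[0] for alg, kp in keypairs.items()}
    public = {alg: kp[1] for alg, kp in keypairs.items()}
    body = {  # constructed sample fields for the segregation-of-duties control
        "control": "transfer-authorization",
        "requesting_party": "ap-clerk-17",
        "approving_party": "controller-03",
        "policy_ref": "PAY-POLICY-v4",
        "ai_recommendation": "approve",
        "decision": "approved",
        "timestamp": "2025-01-15T14:02:11Z",
    }
    receipt, anchor = issue_receipt(body, secret)
    clean = verify_receipt(receipt, public, anchor)
    tampered = json.loads(json.dumps(receipt))  # deep copy
    tampered["body"]["approving_party"] = "ap-clerk-17"  # requester approving own request
    bad = verify_receipt(tampered, public, anchor)
    return clean, bad


if __name__ == "__main__":
    print(demo())
```

The verifier side (verify_receipt) touches no secret material and no operator system: given the receipt, the three public keys and the anchor record, it reports per-family signature validity and anchor consistency separately, so an auditor can see which evidence still holds if one family or one chain is later deprecated. Lamport keys are strictly one-time, which is why demo() generates a fresh key set per receipt; a production deployment would use a stateful or stateless PQ scheme instead, but the verification contract shown here is the same.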
The SOX audit trail becomes chain-portable evidence. Each control's record outlives the system that produced it, the vendor that hosts it, and the chains it was anchored to.