Skip to content

SOX Compliance Tutorial

In this hands-on tutorial, you will build a complete SOX compliance verification workflow from scratch -- creating a policy document, generating rulesets, refining rules, building a test dataset, and running evaluations. By the end, you will have a working ruleset that can evaluate whether financial reports comply with Sarbanes-Oxley (SOX) requirements.

Prerequisites

This tutorial assumes you have access to a running Jaxon platform instance. If you have not used the platform before, start with the Getting Started guide for an overview of the workflow.

Step 1: Set Up Your Project

Create a dedicated project so your tutorial work stays separate from other data.

  1. Click the Project dropdown in the top header bar.
  2. Select New Project.
  3. Name it SOX Compliance Tutorial and click Create Project.

Step 2: Create Your Policy Document

You need a policy document to extract ruleset rules from. Navigate to Documents in the sidebar.

  1. Click New Document.
  2. Name it SOX Internal Controls Policy.

  3. Paste the following policy text into the content editor:

    Section 1 — Executive Certification
The Chief Executive Officer and Chief Financial Officer must certify
the accuracy and completeness of all quarterly and annual financial
reports filed with the SEC. Financial statements must be prepared in
accordance with Generally Accepted Accounting Principles (GAAP) and
must not contain any material misstatements or omissions.

Section 2 — Internal Controls
The organization must establish and maintain adequate internal controls
over financial reporting. These controls must include segregation of
duties, where no single individual has authority over all phases of a
financial transaction. Access to financial systems must be restricted
based on job function and reviewed quarterly.

Section 3 — Record Retention
All financial records, including audit working papers, must be retained
for a minimum of seven years. Intentional destruction, alteration, or
falsification of financial records is prohibited. The organization must
maintain a complete audit trail for all material financial transactions.

Section 4 — Whistleblower Protections
The organization must establish confidential channels for employees to
report suspected fraud, accounting irregularities, or violations of
internal controls. Retaliation against individuals who report concerns
in good faith is strictly prohibited.

  4. Click Save Document.

Step 3: Create Rulesets

Now turn that policy into verifiable rules using the creation wizard.

  1. Navigate to Rulesets in the sidebar.
  2. Click + New Rulesets From Policy.

Step 1 (Select Documents): Check your SOX Internal Controls Policy document. Select a Utility Model and Run Model from the dropdowns, then click Next.

Step 2 (Set Themes): Click Auto-Extract Themes from Documents. The platform will identify themes like "Executive Certification", "Internal Controls", "Record Retention", and "Whistleblower". Click Create Rulesets & Continue.

Step 3 (Extract Rules): Leave the extraction method as Basic (suitable for this document's length). Click Start Rule Extraction and wait for completion.

Step 4 (Populate DSAIL): Click Start DSAIL Generation and wait for completion.

Step 5 (Review & Done): Review the created rulesets. You should see one ruleset per theme, each containing rules extracted from the corresponding policy section. Click Done.

Step 4: Refine Rules in the Studio

Open one of your rulesets (e.g., the Executive Certification one) to enter the Ruleset Studio.

Review each rule's components:

  • Natural language description -- Does it accurately state the policy requirement?
  • DSAIL code -- Are the assertions using [pessimistic] completion policy? (Recommended for compliance.)
  • Claims -- Are the extraction questions specific enough to get clear yes/no answers?

Test a rule using the right-hand test panel:

  1. Paste this compliant text into the Test Input area:

    The CEO and CFO have both signed certifications affirming the accuracy
and completeness of the Q3 2025 financial report. All statements were
prepared in accordance with GAAP standards.

  2. Click Run Test.

  3. You should see assertions evaluate to TRUE.

Now test with non-compliant text:

  1. Replace the test input with:

    The quarterly financial summary was prepared by the accounting team.
No executive review or certification was performed.

  2. Click Run Test.

  3. You should see assertions evaluate to FALSE (the CEO/CFO did not certify).

If results are unexpected, adjust the extraction questions in the Claims section or refine the DSAIL code. Click Save when satisfied, then Publish to create a new version.

Step 5: Build a Test Dataset

Create a dataset to test your ruleset against multiple documents.

  1. Navigate to Datasets in the sidebar.
  2. Click New Dataset.
  3. Name it SOX Test Documents.
  4. Open the dataset and click Add Documents to include documents from your project library. You can also create new documents manually or import them from a CSV file.
  5. To expand the dataset beyond your added documents, use Generate Records from the dataset's menu to create synthetic test documents. The dataset must contain at least one document before you can generate records. Select your LLM model, choose 10 records, and click Generate.

Step 6: Run a Batch Test

  1. Navigate to Runs in the sidebar.
  2. Click New Run.
  3. Select Batch mode.
  4. Select your SOX ruleset and the SOX Test Documents dataset.
  5. Check both Evaluate and Variance Test.
  6. Set variance iterations to 5.
  7. Click Start Run.

Reviewing Evaluation Results

On the Evaluation tab, expand each document to see per-rule results. For each rule:

  • TRUE -- The document satisfies this requirement
  • FALSE -- A specific violation was found
  • UNKNOWN -- The document doesn't contain enough information to determine compliance (with pessimistic policy, this counts as a failure)

Reviewing Variance Results

On the Variance tab, check how consistent your ruleset's results are:

  • Green (0%) -- Every iteration produced the same answer. The rule is reliable for this document.
  • Yellow (< 50%) -- Some variation. The question or document content may be ambiguous.
  • Red (>= 75%) -- Very high variation. The extraction question needs refinement.

Expand individual claims to see per-document, per-iteration answer detail. Answers that differ from the mode are highlighted in orange.

Next Steps

You have a working SOX compliance verification setup. From here:

  • Add more documents to your dataset for broader coverage
  • Refine rules that show high variance or unexpected results
  • Create rulesets for other policy areas using additional policy documents
  • Export results as CSV or JSON for reporting

For platform concepts in depth, see:

  • Documents -- The two roles documents play (policy sources and test inputs)
  • Rulesets -- Rulesets, rules, and the creation wizard
  • Datasets -- Organizing test data
  • Runs -- Batch testing and variance analysis
  • DSAIL Language -- The formal logic behind every rule