Compliance · SOX

SOX compliance and AI security — prompt injection in financial document processing

Public companies are deploying vision AI to process invoices, expense receipts, contracts, and bank statements faster than their SOX audit programmes are updating to reflect the new attack surface. AI image processing is not a peripheral IT function — when it extracts amounts, vendor names, GL codes, or payment terms that flow into ERP systems or financial reporting pipelines, it is an IT component of Internal Controls over Financial Reporting (ICFR) under Sections 302 and 404 of the Sarbanes-Oxley Act. A multimodal prompt injection attack embedded in a supplier invoice image is not merely a cybersecurity incident — it is an input validation failure in a financial reporting system, implicating both the CEO and CFO certifications required under Section 302 and the ICFR effectiveness assessment required under Section 404. Glyphward is the inference-time scan that constitutes the ICFR input validation control for AI financial document workflows, producing a per-scan audit trail that external auditors can test as control evidence.

TL;DR

Call POST /v1/scan with your financial document image before passing it to your vision LLM. Set the threshold at 70 (or 65 for transactions over $100K). If the score is at or above the threshold, reject the image and route it to manual review — fail closed, never fail open. Log the returned scan_id, image SHA-256, score, decision, and workflow step (ap_invoice, expense_receipt, contract_page, bank_statement) to your SOX audit trail as evidence of the input validation control. This satisfies the COSO control activity requirement for AI-processed financial inputs, gives your external auditor testable ICFR evidence, and closes the change management gap created when AI image processing was added to your financial reporting workflow. Request early access to start building the scan into your pipeline.

SOX controls implicated by AI financial document processing

The Sarbanes-Oxley Act was written in 2002, fifteen years before large language models could read an invoice image. The statute's control framework, however, is technology-neutral by design. Sections 302 and 404 apply to any IT system that contributes to the accuracy of financial statements — and that definition now includes AI models that extract amounts, categories, and terms from financial documents.

Section 302 — CEO and CFO certifications

Under Section 302, principal executive and financial officers must personally certify with each quarterly and annual filing that: (a) the financial statements do not contain material misstatements, and (b) they have evaluated the effectiveness of disclosure controls and internal controls over financial reporting and reported their conclusions. The certification is not delegable and carries personal liability under 18 U.S.C. § 1350 for knowing falsification.

The SOX Section 302 risk from AI financial document processing is direct. If an accounts payable AI model processes a supplier invoice image that has been adversarially crafted to instruct the model to extract an inflated invoice amount, the wrong vendor identifier, or a falsified GL code — and that manipulated data flows into the ERP and is incorporated into a financial statement — then the financial statement contains a misstatement that the CEO and CFO certified did not exist. The causal chain from adversarial pixel to signed certification runs through the AI model's failure to detect the embedded instruction. That failure is an input validation gap in an ICFR system.

Section 404 — ICFR effectiveness assessment

Section 404 requires management to annually assess the effectiveness of ICFR and attach that assessment to the annual report. For companies with a market cap above the non-accelerated filer threshold, the external auditor issues an independent attestation on management's ICFR assessment. The PCAOB's Auditing Standard No. 2201 governs that attestation and requires the external auditor to test the IT components of ICFR — the systems and applications that support financial reporting processes.

An AI model that processes financial document images is an IT component of ICFR if its outputs flow into the financial reporting pipeline. External auditors testing that IT component will examine the same categories of control they examine for any other financial reporting application: access controls (who can submit images for processing), input validation controls (what prevents malformed or adversarial inputs from corrupting the extracted data), and the audit trail (what evidence exists that the control operated effectively during the period). A multimodal prompt injection scanner positioned at the inference boundary — before the image reaches the vision model — is the input validation control for this class of IT component. Its absence is a Section 404 gap.

IT General Controls (ITGCs) for AI image processing

SOX auditors test IT General Controls that support financial reporting applications. The ITGC domains relevant to AI financial image processing are: access controls over who can submit images and who can configure the AI pipeline; change management controls over how AI models or processing logic are modified; and input validation controls over the data flowing into the system. Of these, input validation for the image channel is the domain most frequently absent in early AI deployments. Teams that document thorough access controls and change management procedures for their AI pipeline frequently have no documented control that prevents an adversarial image from producing a corrupt extraction — because the risk was not contemplated when the AI feature was designed.

The Glyphward scan constitutes the input validation ITGC. Every image submitted to the financial processing workflow passes through the scan before reaching the LLM. The scan ID and result are logged to the audit trail. The control is testable: an auditor can submit a known adversarial test image, confirm that the API returns a score above the threshold and a block decision, and verify that the scan ID appears in the audit trail log. That is the operating-effectiveness evidence format that an external auditor can document in their ITGC workpapers.

COSO Framework — control activities for AI financial inputs

The 2013 COSO Internal Control — Integrated Framework is the reference framework for ICFR design under Section 404. COSO Principle 10 requires that an organization "selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels." For financial reporting, the primary objective is accurate financial statements. The risk introduced by AI image processing is that adversarial inputs produce inaccurate extracted data. The COSO-required control activity that mitigates this risk is input validation at the point where external image content enters the AI processing pipeline.

A vision AI model that accepts unvalidated image inputs — images that have not been scanned for adversarial content before being passed to the model — is operating without the COSO-mandated control activity for that risk. This is not a matter of interpretation: COSO Principle 10 applies to every significant risk to financial reporting accuracy, and a manipulable AI extraction step is a significant risk to accuracy if its outputs feed financial statements. Deploying the Glyphward scan as the input validation control activity satisfies the COSO requirement and provides the documentation that management's ICFR assessment needs to identify the control, describe it, and conclude that it is designed effectively.

Change management — AI deployment as an ICFR change event

SOX auditors treat the deployment of a new application or significant change to an existing application that supports financial reporting as a change management event requiring documented review. The deployment of an AI model to process financial document images — whether as a new AP automation system, an upgrade to expense management software, or the addition of document extraction to a contract management platform — is an ICFR change event. Change management review for that deployment should document: the risks introduced by the new component, the controls designed to mitigate those risks, and the testing performed before go-live. Multimodal prompt injection is a risk that must appear in that change management documentation. If the deployment went live without documenting the multimodal PI risk and identifying a detection control, the change management review has a gap. Adding Glyphward to the processing pipeline and documenting the scan as the input validation control closes the risk documentation gap retroactively and prevents future deployments from repeating it.

AI attack surfaces in financial reporting workflows

Multimodal prompt injection in financial contexts follows a consistent pattern: an adversarial instruction is embedded in an image — in pixel regions that are imperceptible to human reviewers but legible to a vision model — and the model executes the instruction when it processes the image. The instruction is typically designed to modify the extracted output in a way that is plausible enough to pass downstream review. The following workflows are the primary AI attack surfaces in financial reporting.

Accounts payable invoice processing

AP automation platforms that accept scanned supplier invoices or mobile photo captures from AP teams are the highest-volume target. A manipulated invoice image can carry an instruction telling the LLM to extract a higher invoice amount (an amount close enough to the actual amount to pass three-way match within tolerance), substitute a different vendor identifier (routing the payment to a controlled account), or assign a different GL code (moving the expense to a category with weaker review controls). The manipulated data is then submitted to the ERP — SAP, Oracle Financials, NetSuite — via API, where it is posted as a legitimate transaction with the correct document references. The adversarial modification is in the AI extraction layer, not in the ERP transaction, making it invisible to most ERP audit queries.

Expense management receipt processing

Employee expense platforms that photograph receipts with a mobile app and use vision AI to classify and extract the amount are a high-frequency, lower-unit-value target. A manipulated receipt image can instruct the LLM to extract a higher amount (staying within the employee's approval threshold to avoid manager review), change the merchant category (reclassifying a personal purchase as a business expense), or suppress the duplicate-detection signal by returning a different transaction timestamp. Because expense processing is high volume and individual transaction amounts are small, this attack surface is often underweighted in risk assessments — but aggregate manipulation across many employees or many submissions by one employee can produce a material misstatement in operating expense reporting.

Contract extraction for financial terms

Legal and finance AI that extracts payment terms, liability caps, renewal dates, and minimum commitments from scanned or photographed contract pages is an attack surface with direct financial statement impact. An adversarial contract page can instruct the LLM to extract a different payment due date (deferring a payable beyond the reporting period), a different liability cap (understating contingent liability disclosures), or a different renewal term (affecting the lease accounting classification under ASC 842). Contract extraction errors feed into accounts payable schedules, contingent liability footnotes, and lease obligation disclosures — all material components of financial statements.

Bank statement reconciliation

AI that processes scanned bank statement PDFs or images to extract transaction amounts and ending balances for cash reconciliation is an attack surface close to the financial statement bottom line. An adversarial statement page can instruct the LLM to extract an inflated ending balance or to omit specific transactions from the extracted transaction list. Because the bank statement is typically treated as a reliable external document, manipulated extractions in this workflow may receive less skeptical review than AP invoices from unknown vendors. The result of a successful attack is a cash balance misstatement or an unreconciled difference that is incorrectly attributed to timing rather than an extraction error.

Board document and financial report indexing

AI that indexes board meeting slides, management presentations, or draft annual report PDFs for search or summarization is a softer target with disclosure-layer implications. An adversarial diagram or chart embedded in a board document can inject false figures into AI-generated meeting summaries or financial commentary. If those summaries are used as inputs to disclosure drafting workflows — which is increasingly common in AI-assisted financial reporting tools — the false figures can propagate into MD&A language or earnings release drafts. This attack surface is harder to exploit for direct financial statement manipulation but is relevant to the disclosure controls component of Section 302 certifications.

Implementation: scan_financial_image() pattern

import hashlib
import time
import uuid
from dataclasses import dataclass
from typing import Literal
import httpx

GLYPHWARD_API_KEY = "gw-..."          # store in secrets manager, not source
GLYPHWARD_SCAN_URL = "https://api.glyphward.com/v1/scan"

# Threshold for financial document workflows.
# Use 70 for standard commercial AI processing.
# Lower to 65 for transactions above $100K — trades more false positives
# for higher detection sensitivity. Document your chosen value in ICFR controls.
SOX_FINANCIAL_THRESHOLD = 70

WorkflowStep = Literal[
    "ap_invoice",
    "expense_receipt",
    "contract_page",
    "bank_statement",
]

@dataclass
class FinancialScanRecord:
    scan_id: str
    image_sha256: str
    score: int
    decision: Literal["allow", "block"]
    timestamp: float
    workflow_step: WorkflowStep


def scan_financial_image(
    image_bytes: bytes,
    workflow_step: WorkflowStep,
    threshold: int = SOX_FINANCIAL_THRESHOLD,
) -> FinancialScanRecord:
    """
    Scan a financial document image for multimodal prompt injection
    before passing it to any vision LLM.

    Returns a FinancialScanRecord. If decision is "block", do NOT pass
    the image to the model — route to manual review instead.

    This function is the ICFR input validation control for AI-processed
    financial document images. The returned record must be persisted to
    the SOX audit trail via log_to_sox_audit_trail().
    """
    image_sha256 = hashlib.sha256(image_bytes).hexdigest()

    response = httpx.post(
        GLYPHWARD_SCAN_URL,
        headers={
            "Authorization": f"Bearer {GLYPHWARD_API_KEY}",
            "Content-Type": "application/octet-stream",
        },
        content=image_bytes,
        timeout=10.0,
    )
    response.raise_for_status()
    payload = response.json()

    score = payload["score"]          # 0–100; higher = higher injection risk
    scan_id = payload["scan_id"]      # stable UUID for audit trail reference

    decision: Literal["allow", "block"] = (
        "block" if score >= threshold else "allow"
    )

    record = FinancialScanRecord(
        scan_id=scan_id,
        image_sha256=image_sha256,
        score=score,
        decision=decision,
        timestamp=time.time(),
        workflow_step=workflow_step,
    )

    # SOX ICFR evidence — input validation control for AI-processed financial image.
    log_to_sox_audit_trail(record)

    return record


def log_to_sox_audit_trail(record: FinancialScanRecord) -> None:
    """
    Persist the scan record to your SOX audit trail store.
    Replace this stub with your SIEM, append-only log, or audit database.
    The record must be immutable after write — do not allow update or delete.
    """
    import json, logging
    audit_logger = logging.getLogger("sox.icfr.ai_input_validation")
    audit_logger.info(json.dumps({
        "event": "financial_image_scan",
        "scan_id": record.scan_id,
        "image_sha256": record.image_sha256,
        "score": record.score,
        "decision": record.decision,
        "timestamp": record.timestamp,
        "workflow_step": record.workflow_step,
    }))


# --- Usage in AP invoice processing pipeline ---

def process_ap_invoice(image_bytes: bytes) -> dict:
    """
    Example: AP invoice image processing with SOX-compliant scan gate.
    The vision LLM is never called if the image is blocked.
    Fail closed — a block routes to manual review, never bypasses the control.
    """
    scan = scan_financial_image(image_bytes, workflow_step="ap_invoice")

    if scan.decision == "block":
        # Do not pass the image to the LLM.
        # Route to AP team for manual review with the scan_id as reference.
        raise ValueError(
            f"Invoice image blocked by ICFR input validation control "
            f"(scan_id={scan.scan_id}, score={scan.score}). "
            f"Route to manual AP review."
        )

    # Only reached if scan.decision == "allow".
    # Pass image to your vision LLM here.
    extracted = call_vision_llm_for_invoice(image_bytes)
    extracted["icfr_scan_id"] = scan.scan_id   # attach evidence to ERP transaction
    return extracted


def call_vision_llm_for_invoice(image_bytes: bytes) -> dict:
    # Your existing vision LLM call — GPT-4o, Claude 3, Gemini Vision, etc.
    raise NotImplementedError

The scan_financial_image() function is the operative control. It must be called synchronously, before the image reaches the vision model, and the result must be evaluated before proceeding. Fail-closed design is not optional for ICFR controls: if the scan API is unavailable, reject the image and route to manual review rather than falling back to unscanned processing. A fallback that bypasses the control on error negates its SOX value — the control is not operating effectively if it can be circumvented by a transient service interruption. The icfr_scan_id attached to the ERP transaction record creates a forward reference from the financial data to its scan evidence, enabling auditors to sample transactions and trace each one back to its scan log entry.

Get early access

Coverage matrix

Attack vector	AP invoice image	Expense receipt photo	Contract page scan	Bank statement image
Invisible pixel-layer instruction (white text on white background)	Detected	Detected	Detected	Detected
Steganographic payload in JPEG/PNG metadata or DCT coefficients	Detected	Detected	Detected	Detected
Low-contrast text overlay (amount manipulation instruction)	Detected	Detected	Detected	Detected
QR code or barcode encoding adversarial instruction	Detected	Detected	Detected	Detected
Adversarial perturbation (imperceptible pixel noise)	Detected	Detected	Detected	Detected
Instruction embedded in document footer or margin area	Detected	Detected	Detected	Detected
Multi-page PDF — adversarial instruction on non-primary page	Detected (per-page scan)	N/A	Detected (per-page scan)	Detected (per-page scan)
Clean image with no adversarial content	Pass (low score)	Pass (low score)	Pass (low score)	Pass (low score)
Audit trail generated per scan	Yes — scan_id + SHA-256	Yes — scan_id + SHA-256	Yes — scan_id + SHA-256	Yes — scan_id + SHA-256
Testable by external auditor with known adversarial image	Yes	Yes	Yes	Yes

Related questions

Does our external auditor need to test the Glyphward scan control?

Yes — if your AI image processing pipeline is within your ICFR scope (meaning its outputs flow into financial statements or disclosures), the external auditor's IT component testing under PCAOB AS 2201 will include the input validation control for that pipeline. The Glyphward scan is that control. To support auditor testing, prepare a small set of known adversarial test images — one per workflow type (AP invoice, expense receipt, contract page, bank statement) — that reliably produce a score at or above your threshold and a block decision. Submit those test images during the period under audit and retain the scan IDs. When the auditor requests evidence of the input validation control's operating effectiveness, provide the test submissions alongside samples of production scan logs showing allow and block decisions, with scan IDs that can be traced back to the audit trail. This is the same format of evidence used to demonstrate operating effectiveness for any other ITGC.

Is multimodal prompt injection specifically listed in SOX audit guidance?

Not yet. SOX, PCAOB standards, and COSO guidance have not been updated to specifically address AI-specific risks such as multimodal prompt injection. PCAOB staff have issued general observations on emerging technology risks, but no standard or staff guidance specifically names adversarial image inputs as an ICFR risk category as of mid-2026. However, the underlying COSO principle applies directly and without ambiguity: accurate inputs are a prerequisite to accurate financial outputs, and any IT component that can produce inaccurate outputs due to manipulable inputs requires a control activity that mitigates that risk. The risk does not need to be named in guidance to be within scope — it needs to be identified in your ICFR risk assessment, which is where it belongs. Document the multimodal prompt injection risk in your ICFR risk assessment narrative, identify the Glyphward scan as the mitigating control activity, and describe the threshold and audit trail. That documentation is sufficient for management's Section 404 assessment and gives the external auditor a clear control to test.

Can adversarial invoice images actually affect our financial statements?

Yes. AI-extracted AP invoice data typically flows into ERP systems — SAP S/4HANA, Oracle Cloud Financials, NetSuite — via API integration. The vision LLM reads the invoice image and returns structured data: vendor ID, invoice number, line items, amounts, GL code assignments. That structured output is posted to the ERP as a voucher or journal entry, often with straight-through processing for invoices that match configured three-way match tolerances. If the LLM extracts a manipulated amount from an adversarial image, the manipulated amount is posted to the ERP as a legitimate transaction with correct document references — because from the ERP's perspective, it received a valid API call with valid document identifiers. Downstream review controls — AP supervisor review, GL account reconciliation, variance analysis — catch obvious errors. Adversarial images are specifically designed to produce plausible-looking outputs: the amount change is small enough to stay within three-way match tolerance, the vendor identifier is valid, the GL code is plausible for the vendor category. The manipulation is designed to survive the review controls that catch honest errors. That is the meaningful difference between an adversarial input and a processing error, and it is why the control must operate at the input validation layer, before the manipulated data enters the ERP.

What is the right threshold for SOX financial imaging workflows?

Use a threshold of 70 for standard commercial AI financial document workflows — AP automation, expense management, contract extraction, and bank statement reconciliation in typical enterprise environments. A score of 70 corresponds to a detection sensitivity level that catches the adversarial payloads most likely to be encountered in practice while keeping the false-positive rate low enough that your AP team is not overwhelmed with manual review queues from legitimate supplier invoices. If your AP or expense process handles transactions above $100,000 per document, lower the threshold to 65. The threshold trades false-positive rate for detection sensitivity: a lower threshold catches more adversarial content but also flags more clean images as suspicious. For high-value transactions, the cost of a missed detection (a material misstatement) outweighs the cost of a false positive (one additional manual review). Document your chosen threshold and the rationale in your ICFR controls documentation — the threshold is a design parameter of the control that the external auditor will review and that management's assessment must describe. If you change the threshold during a SOX year, treat it as a change management event and document the change and the reason.