
finos-labs/dtcc-i-h-2025-phoenix

SOX Compliance Auditing Tool - API

A comprehensive FastAPI-based backend system for SOX (Sarbanes-Oxley) compliance auditing with AI-powered analysis capabilities.

🚀 Features

  • User Authentication & Authorization: Secure JWT-based authentication system
  • Audit Management: Complete audit lifecycle management
  • Control Testing: Detailed control creation and testing workflows
  • AI-Powered Analysis: Intelligent control analysis and risk assessment
  • Evidence Management: File upload and evidence tracking
  • Report Generation: Automated audit report creation and download
  • Dashboard Metrics: Real-time compliance metrics and insights
  • CORS Support: Cross-origin resource sharing for frontend integration

📋 Prerequisites

  • Python 3.8+
  • PostgreSQL or SQLite database
  • OpenAI API key (for AI services)

πŸ› οΈ Installation

  1. Clone the repository

    git clone <repository-url>
    cd sox-compliance-tool
  2. Create virtual environment

    python -m venv venv
    source venv/bin/activate  # On Windows: venv\Scripts\activate
  3. Install dependencies

    pip install -r requirements.txt
  4. Environment Configuration: create a .env file in the root directory. SECRET_KEY signs every JWT, so use a long random value rather than a placeholder, and keep .env out of version control:

    DATABASE_URL=postgresql://username:password@localhost/sox_db
    SECRET_KEY=your-secret-key-here
    OPENAI_API_KEY=your-openai-api-key
    JWT_ALGORITHM=HS256
    ACCESS_TOKEN_EXPIRE_MINUTES=30
  5. Database Setup

    # The application will automatically create tables on startup
    python main.py

🚦 Running the Application

Development Mode

python main.py

Production Mode

uvicorn main:app --host 0.0.0.0 --port 8000 --workers 4

Binding to 0.0.0.0 listens on every interface, so in production put the service behind a TLS-terminating reverse proxy rather than exposing port 8000 directly.

The API will be available at http://localhost:8000

📚 API Documentation

Once the server is running, access the interactive API documentation:

  • Swagger UI: http://localhost:8000/docs
  • ReDoc: http://localhost:8000/redoc

🔗 API Endpoints

Authentication

  • POST /api/auth/register - User registration
  • POST /api/auth/login - User login

Audit Management

  • POST /api/audits - Create new audit
  • GET /api/audits - List user's audits
  • GET /api/audits/{audit_id} - Get specific audit details

Control Management

  • POST /api/audits/{audit_id}/controls - Create control for audit
  • GET /api/audits/{audit_id}/controls - List controls for audit
  • POST /api/controls/{control_id}/tests - Create test for control
  • POST /api/controls/{control_id}/evidence - Upload evidence files

AI Services

  • POST /api/ai/analyze-control - AI-powered control analysis
  • POST /api/ai/risk-assessment - Intelligent risk assessment

Reporting

  • GET /api/reports/{audit_id}/generate - Generate audit report
  • GET /api/reports/{audit_id}/download - Download generated report

Dashboard

  • GET /api/dashboard/metrics - Get compliance metrics

πŸ—οΈ Project Structure

sox-compliance-tool/
├── main.py               # FastAPI application entry point
├── database.py           # Database configuration and connection
├── models.py             # SQLAlchemy database models
├── schemas.py            # Pydantic request/response schemas
├── services/             # Business logic services
│   ├── auth_service.py   # Authentication service
│   ├── audit_service.py  # Audit management service
│   ├── ai_service.py     # AI analysis service
│   └── report_service.py # Report generation service
├── requirements.txt      # Python dependencies
└── .env                  # Environment variables

πŸ” Authentication

The API uses JWT (JSON Web Tokens) for authentication. Obtain a token from POST /api/auth/login and include it in the Authorization header of every subsequent request:

Authorization: Bearer <your-jwt-token>
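
The following is an added example, not code from this repository or its auth_service.py: a minimal mint/verify pair for HS256 tokens in plain Python (hmac and hashlib only, no PyJWT) that uses the same three settings as the .env above (SECRET_KEY, JWT_ALGORITHM=HS256, ACCESS_TOKEN_EXPIRE_MINUTES). It shows the checks a verifier must make before trusting a bearer token: the algorithm is pinned server-side rather than read from the token (so an alg=none token is rejected), the signature is compared in constant time, and the exp claim is enforced. The function names, claim layout, test secret and the two constructed attack inputs (a tampered payload and an unsigned token) are assumptions of this example, not the project's own API. A helper for generating a suitable SECRET_KEY is included.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def generate_secret_key() -> str:
    # Example helper: a 48-byte random key, suitable as the SECRET_KEY value in .env.
    return secrets.token_urlsafe(48)


def _b64url_encode(data: bytes) -> str:
    # JWT segments use unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def create_access_token(claims: dict, secret: str, expire_minutes: int = 30,
                        now: Optional[int] = None) -> str:
    """Mint an HS256 JWT carrying `claims` plus iat/exp (assumed claim layout)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims)
    payload["iat"] = now
    payload["exp"] = now + expire_minutes * 60
    signing_input = _b64url_encode(_json_bytes(header)) + "." + _b64url_encode(_json_bytes(payload))
    signature = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_access_token(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the claims of a valid token; raise ValueError for anything else."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the server side; never let the token choose it.
    # This rejects alg=none and any algorithm-confusion attempt in one check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or missing exp")
    return payload


def token_is_valid(token: str, secret: str, now: Optional[int] = None) -> bool:
    try:
        verify_access_token(token, secret, now)
        return True
    except ValueError:
        return False


def tamper_token(token: str, claim: str, value) -> str:
    # Constructed attack input: rewrite one claim but keep the original signature.
    header_b64, payload_b64, signature_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload[claim] = value
    return header_b64 + "." + _b64url_encode(_json_bytes(payload)) + "." + signature_b64


def forge_unsigned_token(claims: dict) -> str:
    # Constructed attack input: an alg=none token with an empty signature segment.
    header = {"alg": "none", "typ": "JWT"}
    return _b64url_encode(_json_bytes(header)) + "." + _b64url_encode(_json_bytes(claims)) + "."


if __name__ == "__main__":
    key = generate_secret_key()
    tok = create_access_token({"sub": "user@example.com", "role": "auditor"}, key, 30)
    print(tok)
    print(verify_access_token(tok, key))
    print(token_is_valid(tamper_token(tok, "role", "admin"), key))   # False
    print(token_is_valid(forge_unsigned_token({"sub": "x", "exp": 2**40}), key))  # False
```

The tamper and forge helpers exist only to show what the verifier must refuse: changing the role claim invalidates the signature, and an unsigned token fails the algorithm check before its signature is even looked at.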

πŸ“ Request/Response Examples

User Registration

POST /api/auth/register
{
  "email": "user@example.com",
  "password": "securepassword",
  "full_name": "John Doe",
  "role": "auditor"
}

Create Audit

POST /api/audits
{
  "name": "Q1 2024 SOX Audit",
  "description": "Quarterly SOX compliance audit",
  "audit_type": "quarterly",
  "start_date": "2024-01-01",
  "end_date": "2024-03-31"
}

AI Control Analysis

POST /api/ai/analyze-control
{
  "control_id": 123,
  "control_description": "Monthly bank reconciliation process",
  "analysis_type": "effectiveness"
}

🧪 Testing

Run the test suite:

pytest tests/

🔧 Configuration

Environment Variables

| Variable | Description | Default |
|---|---|---|
| DATABASE_URL | Database connection string | Required |
| SECRET_KEY | JWT signing secret | Required |
| OPENAI_API_KEY | OpenAI API key for AI services | Required |
| JWT_ALGORITHM | JWT signing algorithm | HS256 |
| ACCESS_TOKEN_EXPIRE_MINUTES | Access token lifetime in minutes | 30 |

CORS Configuration

The application is configured to accept requests from:

  • http://localhost:3000 (React development server)
  • http://localhost:5173 (Vite development server)

Modify the allow_origins list in main.py for different frontend URLs. List each origin exactly (scheme, host and port); a wildcard cannot be combined with credentialed requests, so a deployed frontend needs its own explicit entry.
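
As an added example (not the project's main.py, which uses FastAPI's CORSMiddleware): the origin-matching logic an allow-list like the one above has to implement, written as plain functions so it can be exercised without a running server. It shows why entries must match exactly: http://localhost:3000.evil.example and https://localhost:3000 are different origins from http://localhost:3000, and a wildcard must never be paired with credentials. The allow-list constant mirrors the two development origins listed above; the function names and the rejected sample origins are constructed for this example.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed allow-list mirroring the two development origins named above.
ALLOWED_ORIGINS = ["http://localhost:3000", "http://localhost:5173"]


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalize an Origin header to scheme://host[:port]; None if it is not a bare origin."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # A real Origin value carries no path, query or fragment.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def match_origin(origin: str, allowed: Iterable[str]) -> Optional[str]:
    """Return the allow-listed origin that exactly equals `origin`, else None.

    Exact comparison after normalization: no prefix, suffix or substring matching,
    which is what lets lookalike hosts through in hand-rolled checks.
    """
    wanted = normalize_origin(origin)
    if wanted is None:
        return None
    for entry in allowed:
        if normalize_origin(entry) == wanted:
            return wanted
    return None


def cors_response_headers(origin: Optional[str], allowed: Iterable[str],
                          allow_credentials: bool = True) -> Dict[str, str]:
    """CORS headers for a response to a request carrying `origin` (None = no Origin header)."""
    allowed = list(allowed)
    if "*" in allowed:
        if allow_credentials:
            # Browsers reject Access-Control-Allow-Origin: * on credentialed requests, and
            # echoing the Origin instead would let any site call the API with the user's token.
            raise ValueError("wildcard origin cannot be combined with credentials")
        return {"Access-Control-Allow-Origin": "*"}
    if origin is None:
        return {}
    matched = match_origin(origin, allowed)
    if matched is None:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    headers = {"Access-Control-Allow-Origin": matched, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for candidate in ["http://localhost:3000", "http://localhost:3000.evil.example",
                      "https://localhost:3000", "http://localhost:5173/"]:
        print(candidate, "->", cors_response_headers(candidate, ALLOWED_ORIGINS))
```

Vary: Origin is added whenever the allowed origin is echoed back so that a shared cache never serves one origin's response, with its Access-Control-Allow-Origin header, to a different origin.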

📊 Database Models

Key Entities

  • User: System users with role-based access
  • Audit: Audit projects with metadata
  • Control: Individual controls within audits
  • Test: Testing procedures for controls
  • Evidence: File attachments and documentation

🤖 AI Integration

The system integrates with OpenAI's API for:

  • Control effectiveness analysis
  • Risk assessment and scoring
  • Automated recommendations
  • Compliance gap identification

Control descriptions submitted to the AI endpoints are sent to OpenAI, so treat that data as leaving your environment.

📈 Monitoring & Logging

The application includes built-in logging for:

  • Authentication events
  • Audit trail activities
  • Error tracking
  • Performance monitoring

🚀 Deployment

Docker Deployment
