Finance · Philterd

SOX Financial Records Redaction

Redact personal and account identifiers from financial records and audit workpapers under Sarbanes-Oxley while preserving the financial figures auditors need.

v1.0.0 · Updated 2026-06-08 · Philter >=3.0.0 · By Philterd
Tags: SOX · Sarbanes-Oxley · financial reporting · audit · internal controls · SEC · 15 USC 7201

The policy

The full sox-financial-records.json file, identical to the downloadable copy. Copy any part of it, or download the whole file.

{
  "config": {
    "splitting": {
      "enabled": false,
      "threshold": 4000
    }
  },
  "ignored": [],
  "identifiers": {
    "person": {
      "phEyeFilterStrategies": [
        {
          "strategy": "REDACT",
          "redactionFormat": "[INDIVIDUAL]",
          "condition": "confidence > 65"
        }
      ]
    },
    "ssn": {
      "ssnFilterStrategies": [
        {
          "strategy": "REDACT",
          "redactionFormat": "[REDACTED-SSN]"
        }
      ]
    },
    "emailAddress": {
      "emailAddressFilterStrategies": [
        {
          "strategy": "REDACT",
          "redactionFormat": "[REDACTED-EMAIL]"
        }
      ]
    },
    "phoneNumber": {
      "phoneNumberFilterStrategies": [
        {
          "strategy": "REDACT",
          "redactionFormat": "[REDACTED-PHONE]"
        }
      ]
    },
    "creditCard": {
      "onlyValidCreditCardNumbers": true,
      "creditCardFilterStrategies": [
        {
          "strategy": "MASK",
          "maskCharacter": "*",
          "maskLength": "SAME",
          "leaveCharacters": 4
        }
      ]
    },
    "ibanCode": {
      "ibanCodeFilterStrategies": [
        {
          "strategy": "MASK",
          "maskCharacter": "*",
          "maskLength": "SAME",
          "leaveCharacters": 4
        }
      ]
    },
    "bankRoutingNumber": {
      "bankRoutingNumberFilterStrategies": [
        {
          "strategy": "REDACT",
          "redactionFormat": "[REDACTED-RTN]"
        }
      ]
    },
    "date": {
      "onlyValidDates": true,
      "dateFilterStrategies": [
        {
          "strategy": "TRUNCATE_TO_YEAR",
          "condition": "context == \"birth\""
        }
      ]
    },
    "identifiers": [
      {
        "classification": "account-number",
        "pattern": "\\b(?:account|acct)[\\s:#]*(?:number|#)?[\\s:#]*\\d{6,}\\b",
        "caseSensitive": false,
        "identifierFilterStrategies": [
          {
            "strategy": "MASK",
            "maskCharacter": "*",
            "maskLength": "SAME",
            "leaveCharacters": 4
          }
        ]
      },
      {
        "classification": "gl-account",
        "pattern": "\\b(?:GL|G/L|general ledger)[\\s:#]*(?:account|acct|#)?[\\s:#]*\\d{4,}\\b",
        "caseSensitive": false,
        "identifierFilterStrategies": [
          {
            "strategy": "REDACT",
            "redactionFormat": "[REDACTED-GL]"
          }
        ]
      },
      {
        "classification": "ein",
        "pattern": "\\b(?:EIN|employer identification|tax id|TIN)[\\s:#]*\\d{2}-?\\d{7}\\b",
        "caseSensitive": false,
        "identifierFilterStrategies": [
          {
            "strategy": "REDACT",
            "redactionFormat": "[REDACTED-EIN]"
          }
        ]
      },
      {
        "classification": "invoice-number",
        "pattern": "\\b(?:invoice|inv)[\\s:#]*(?:number|no|#)?[\\s:#]*[A-Z0-9-]{4,}\\b",
        "caseSensitive": false,
        "identifierFilterStrategies": [
          {
            "strategy": "REDACT",
            "redactionFormat": "[REDACTED-INVOICE]"
          }
        ]
      }
    ]
  }
}

Example

Input

Approver Jane Doe (SSN 444-55-6666) signed off invoice INV-2024-3375 against GL account 41000 for $128,400.00 paid to vendor account 9988776655 on 2024-11-03.

Output

Approver [INDIVIDUAL] (SSN [REDACTED-SSN]) signed off [REDACTED-INVOICE] against [REDACTED-GL] for $128,400.00 paid to vendor account ******6655 on 2024-11-03.

Entities this policy acts on

INDIVIDUAL · SSN · EMAIL · PHONE · CREDIT_CARD · IBAN · RTN · DATE · ACCOUNT · GL_ACCOUNT · EIN · INVOICE

What this policy does

Strips personal and account identifiers from financial records, journal entries, and audit workpapers governed by the Sarbanes-Oxley Act of 2002 (SOX) — while deliberately preserving the financial figures, transaction dates, and account structure that auditors and reviewers need to do their job.

SOX is not a data-privacy statute. Its concern is the accuracy and integrity of financial reporting and the internal controls over it (Sections 302 and 404). The redaction need it creates is practical: financial records, audit evidence, and control documentation routinely contain employee PII and sensitive account identifiers that don’t need to circulate when those documents are shared with external auditors, stored in evidence repositories, or used in control testing.

This policy targets the identifiers:

  • Individual names (preparers, approvers, employees, vendors) — redacted to [INDIVIDUAL] (confidence-gated)
  • SSNs — fully redacted
  • Email and phone — redacted
  • Credit card and IBAN numbers — masked to last 4 visible
  • Bank routing numbers — redacted
  • Bank / vendor account numbers — masked to last 4 visible
  • General-ledger (GL) account references — redacted
  • Employer Identification Numbers (EIN/TIN) — redacted
  • Invoice numbers — redacted
  • Birthdates — truncated to year only when context indicates a birth date

It intentionally does not redact currency amounts or transaction dates — removing those would defeat the purpose of a financial record and break audit traceability.
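To make the rule semantics concrete, here is an added Python simulator (not Philter's engine and not part of this policy page) that replays the policy's four regex "identifiers" rules, an assumed simplified stand-in for the built-in SSN filter, and a check that currency amounts and ISO dates survive redaction. Name redaction depends on Philter's NER model and is not reproduced; the second sample line is constructed.

```python
import re

# Added simulator, not Philter's engine: it replays the policy's regex
# "identifiers" rules plus an assumed simplified stand-in for the built-in
# SSN filter. Name redaction needs Philter's NER model and is not reproduced.
RULES = [  # (classification, pattern, strategy, redactionFormat or leaveCharacters)
    ("ssn", r"\b\d{3}-\d{2}-\d{4}\b", "REDACT", "[REDACTED-SSN]"),
    ("account-number", r"\b(?:account|acct)[\s:#]*(?:number|#)?[\s:#]*\d{6,}\b", "MASK", 4),
    ("gl-account", r"\b(?:GL|G/L|general ledger)[\s:#]*(?:account|acct|#)?[\s:#]*\d{4,}\b",
     "REDACT", "[REDACTED-GL]"),
    ("ein", r"\b(?:EIN|employer identification|tax id|TIN)[\s:#]*\d{2}-?\d{7}\b",
     "REDACT", "[REDACTED-EIN]"),
    ("invoice-number", r"\b(?:invoice|inv)[\s:#]*(?:number|no|#)?[\s:#]*[A-Z0-9-]{4,}\b",
     "REDACT", "[REDACTED-INVOICE]"),
]

def _mask_last_token(span, leave):
    # MASK, maskLength SAME, leaveCharacters=leave: keep the keyword prefix and
    # star out the value except its last `leave` chars ("account ******6655").
    tok = re.search(r"\S+$", span)
    value = tok.group(0)
    return span[:tok.start()] + "*" * max(len(value) - leave, 0) + value[-leave:]

def redact(text):
    """Apply the rules in order; caseSensitive=false maps to re.IGNORECASE."""
    for _name, pattern, strategy, arg in RULES:
        if strategy == "REDACT":
            text = re.sub(pattern, lambda m, r=arg: r, text, flags=re.IGNORECASE)
        else:
            text = re.sub(pattern, lambda m, n=arg: _mask_last_token(m.group(0), n),
                          text, flags=re.IGNORECASE)
    return text

# Currency amounts and ISO dates are the audit subject and must survive intact.
FIGURES = re.compile(r"\$[\d,]+\.\d{2}|\b\d{4}-\d{2}-\d{2}\b")

def financial_figures(text):
    return FIGURES.findall(text)

# Constructed samples: the page's own example plus a vendor line with an EIN.
SAMPLES = [
    "Approver Jane Doe (SSN 444-55-6666) signed off invoice INV-2024-3375 "
    "against GL account 41000 for $128,400.00 paid to vendor account "
    "9988776655 on 2024-11-03.",
    "Vendor TIN 12-3456789 remitted via acct number 00123456, $5,000.00 settled 2024-12-01.",
]

for s in SAMPLES:
    assert financial_figures(redact(s)) == financial_figures(s)
    print(redact(s))
```

Rule order matters: the gl-account rule must consume "GL account 41000" before the generic account-number rule sees it, and the EIN stand-in would also be needed ahead of any SSN rule loose enough to match a 2-7 digit TIN.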

When to use this

  • Sharing audit workpapers or evidence with external auditors or PCAOB inspectors where employee PII isn’t relevant to the control being tested
  • Control testing and SOX walkthroughs performed by teams who shouldn’t see full personal identifiers
  • Populating an audit-evidence repository retained for the SOX audit cycle
  • Producing sample journal entries or reconciliations for review, training, or process documentation
  • Vendor / accounts-payable record sharing where account and tax identifiers should be masked

When to customize

  • Preserve amounts (default) vs redact them. This policy keeps currency figures because they are the audit subject. If you are sharing records where linkability of a person to an amount is the concern, add a currency rule — but understand that removes the financial substance.
  • Name handling. Default redacts individual names. For control documentation where the approver of record must remain visible (segregation-of-duties evidence), build an “internal” variant that preserves names, or raise the confidence threshold.
  • GL / account / invoice formats. The default patterns are generic and keyword-anchored. Replace them with your ERP’s actual conventions (SAP, Oracle, NetSuite, etc.) — GL account structures in particular vary widely by chart of accounts.
  • Retention conflicts. SOX requires retention of audit records (see below). Do not apply destructive redaction to your records of original entry — redact copies prepared for sharing or analysis, and keep the unredacted originals under your retention controls.
  • Overlap with GLBA/PCI. If the same documents contain customer NPPI or cardholder data, stack the GLBA or PCI DSS policies on top.

Compliance notes

  • 15 USC Chapter 98 — the Sarbanes-Oxley Act of 2002
  • Section 302 — corporate responsibility for financial reports (CEO/CFO certification)
  • Section 404 — management assessment of internal controls over financial reporting (ICFR)
  • Section 802 / 17 CFR 210.2-06: retention of audit and review workpapers for seven years. This is the most important caveat for redaction: SOX mandates retention of audit records. Redact copies for distribution; never destroy or over-redact the records you are required to keep.
  • PCAOB Auditing Standards govern what audit evidence must be retained and how.
  • This policy supports controls around financial data; it is not a financial-reporting control itself and is not legal or audit advice. Coordinate any redaction of audit records with your SOX program office and external auditors.

Use this policy

Download and load into your running Philter instance:

# Download the policy
curl -O https://raw.githubusercontent.com/philterd/pii-redaction-policies/main/policies/philterd/finance/sox-financial-records.json

# Upload to your Philter instance
curl -X POST http://localhost:8080/api/policies \
     -H "Content-Type: application/json" \
     --data @sox-financial-records.json

# Redact text using the policy (quote the URL so the shell does not treat "?" as a glob)
curl "http://localhost:8080/api/filter?p=sox-financial-records" \
     --data "your text here" \
     -H "Content-Type: text/plain"
