How Can You Use AI in a SOX Compliance Program?

Key Takeaways
  • AI for SOX Compliance: AI can significantly enhance the efficiency of SOX compliance programs, particularly in areas like risk assessment, multi-location analysis, and identifying material errors in significant accounts.
  • AI in Detective Controls: AI can improve the quality and cost of detective controls by identifying trends and anomalies in real-time, such as unusual payment patterns or potential cybersecurity threats.
  • Automating Process and Control Documentation: AI can assist in developing or updating process and control documentation by generating flowcharts and ensuring the documentation meets required standards.
  • Testing Internal Controls: AI can assist in testing automated and IT-dependent controls, providing evidence of their operation by accessing digital records, and helping ensure the controls function as intended.
  • Maintaining Focus on Financial Statements: While AI can enhance compliance processes, it’s crucial to remain focused on controls that prevent or detect material errors in financial statements, rather than being sidetracked by business process risks.
Deep Dive

In his latest article, Norman Marks investigates the evolving role of artificial intelligence (AI) in Sarbanes-Oxley (SOX) compliance, offering valuable insights into how AI can revolutionize internal controls and risk management practices. In this article, he explores the potential of AI to enhance the efficiency and effectiveness of SOX programs, from risk assessment to process documentation, and emphasizes the importance of maintaining a focus on financial statement integrity while navigating the opportunities and challenges AI presents.

Exploring the Impact of AI on SOX Compliance and Internal Control Efficiency

Last week, I attended a local joint IIA and ISACA chapter meeting where a representative from one of the major CPA firms discussed the use of AI for SOX compliance. He made some good points, but there were also areas where I believe he was not only off-target but also failing to comply with the PCAOB’s auditing standard.

I did a quick search for articles on AI and the SOX program. While there are plenty of ads for webinars (usually by one of the CPA firms), there are few practitioner articles. I did find one from Saurav Goel in December of last year.

Let me share where I am on this question, noting that advances are being made all the time, so this may be outdated very soon.

The question needs to be answered separately (which not everyone does, sadly) for:

  1. AI usage by management in the design and operation of the system of internal control over financial reporting (ICFR), and
  2. AI used in management’s assessment of ICFR (with testing usually performed by internal audit or an internal controls group).

I should note that several of the use cases I will mention could be handled by business analytics. In fact, I wrote software to give me analytics when auditing ITGC for PwC way back when. They revealed a rise in emergency program changes, most of which were not approved in the normal way, at the same time as the frequency of software failures was also increasing.

Interestingly, business analytics vendors are now advertising that they have “augmented” their solutions with AI.

I can see AI having a huge impact, particularly in the following areas:

Enabling a More Efficient Risk Assessment
Following the guidance in the PCAOB’s Auditing Standard 2201, or in the SEC’s Interpretive Guidance, you take a top-down and risk-based approach to defining the scope of the SOX program. It starts with the financial statements filed with the SEC and then identifies the significant accounts—accounts that could contain an error or omission that would be material to the financial statements. Regulatory guidance tells us that with few exceptions, an account with a balance that is less than materiality is rarely a significant account. (Exceptions include where there are large fluctuations, or where activity might be omitted from the account.)

When I was leading the SOX program, I would use business analytics software and Excel to identify the significant accounts—those with a balance of at least materiality. However, this could change from quarter to quarter as the business evolved, so I would have to redo the analysis and see what accounts were now in or out of scope as significant accounts. I would want to automate that analysis with today’s technology.

Multi-Location Analysis
I would also use the latest technology to automate the next step in the top-down and risk-based approach: multi-location analysis. This is where you identify the locations and/or business units where there could be a material error or omission in one or more of the significant accounts.

Again, I used business analytics and Excel. One year, I found a significant change in Q2 that led to taking one geography out of scope and putting another in. AI could automate this analysis as well.
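As an added illustration of the two scoping steps just described (significant accounts by materiality, then the multi-location analysis, re-run each quarter to see what moved in or out of scope), here is a small script of my own, not the author's software. Balances, account names, locations and the materiality figure are all constructed; treating a quarter-over-quarter swing of at least materiality as a "large fluctuation" exception, and a location's share of at least materiality as the in-scope test, are simplifying assumptions.

```python
"""Top-down SOX scoping per quarter: significant accounts, then in-scope
locations, then what changed since last quarter. Constructed balances."""

MATERIALITY = 1_000_000  # assumed planning materiality (constructed value)

# Constructed trial-balance extract: quarter -> account -> location -> balance.
BALANCES = {
    "Q1": {"Revenue":       {"US": 4_000_000, "EU": 1_100_000, "APAC": 200_000},
           "Accrued Bonus": {"US": 300_000,   "EU": 100_000,   "APAC": 50_000}},
    "Q2": {"Revenue":       {"US": 4_200_000, "EU": 700_000,   "APAC": 1_300_000},
           "Accrued Bonus": {"US": 1_400_000, "EU": 200_000,   "APAC": 50_000}},
}


def significant_accounts(quarter, prior=None):
    """A balance at or above materiality makes an account significant; so does
    a quarter-over-quarter swing of at least materiality (the 'large
    fluctuation' exception), since activity can hide behind a small balance."""
    sig = set()
    for acct, locs in BALANCES[quarter].items():
        total = sum(locs.values())
        swing = 0
        if prior and acct in BALANCES[prior]:
            swing = abs(total - sum(BALANCES[prior][acct].values()))
        if total >= MATERIALITY or swing >= MATERIALITY:
            sig.add(acct)
    return sig


def scope(quarter, prior=None):
    """Multi-location step: (account, location) pairs where the location's
    share of a significant account could itself hold a material error
    (assumption: share >= materiality)."""
    return {(acct, loc)
            for acct in significant_accounts(quarter, prior)
            for loc, bal in BALANCES[quarter][acct].items()
            if bal >= MATERIALITY}


def scope_changes(prev_quarter, quarter):
    """Diff the two quarters' scope: what came in and what dropped out."""
    before, after = scope(prev_quarter), scope(quarter, prior=prev_quarter)
    return {"added": after - before, "removed": before - after}


if __name__ == "__main__":
    for q, p in (("Q1", None), ("Q2", "Q1")):
        print(q, "significant:", sorted(significant_accounts(q, p)),
              "scope:", sorted(scope(q, p)))
    print("Q1->Q2 changes:", scope_changes("Q1", "Q2"))
```

With the constructed data, EU revenue leaves scope in Q2 while APAC revenue and the US accrued bonus come in, the kind of quarter-to-quarter shift the text describes.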

However, the person presenting at the chapter meeting went much further—too much further! He suggested that AI could be used not only to document business processes (which I will return to) but also to identify risks and controls within the business processes.

As I pointed out to him, this goes too far into the weeds. We don’t need to provide assurance that business processes function as they should. We need to provide assurance that there are adequate controls (which may or may not be in those business processes—think entity-level detective controls) that would prevent or detect, on a timely basis, material errors in the filed financial statements.

Looking for controls over business processes and risks to them will put far too many controls in scope! Instead, we should follow the top-down and risk-based approach (i.e., risk to the financial statements rather than the business process) and identify the best controls that would detect or prevent material errors in significant accounts in significant locations or business units.

Using AI in a Detective Control
AI could be used to identify activities and transactions that need to be reviewed and acted upon (probably by a human, but in time, perhaps by AI).

This could be the use that provides the greatest benefit, improving both the quality and cost of controls. For example, AI could be used to spot trends in the time it takes customers to pay invoices, indicating a potential need to increase the bad debt reserves. At Business Objects, I used analytics to identify unusual credit notes in the first month of a quarter due to our experience with revenue fraud. (The material error could be in a quarterly filing, not just an annual filing.) AI could also identify unusual activities within the network that indicate the possible presence of a hacker—if cyber is considered a SOX risk, which it usually is not!

These are IT-dependent controls (also known as semi-automated or hybrid controls). It is unclear whether the human use of the information provided by AI could eventually be replaced by AI itself. That may be something in our future, but I believe people are already exploring this possibility.

Detective controls using AI or Robotic Process Automation (RPA) can function almost in real-time, making them almost preventive in nature. As a result, I can imagine organizations replacing manual or other preventive controls with these real-time detective controls. (By the way, these are not “monitoring controls.” Monitoring controls provide assurance of the operation of other controls. The best examples are supervision, the use of a controls checklist, the internal audit function, and the SOX compliance program itself.)

Using AI to Develop or Update Process and Control Documentation
The presenter at the IIA/ISACA chapter meeting explained that you can take interview notes, narratives, and more and feed them to ChatGPT or other AI. The AI will then produce a flowchart of your business process.

If this can be done in a way that meets the standards for process and control documentation (such as mandating the description of who does what, when, how, how often, with what evidence, information, communication, etc.), I can see this being valuable. While flowcharts and other documentation are not strictly mandatory (although the CPA firms sometimes try to insist on it), they are useful in making sure you have the right controls in scope and know how to test them.

Testing Internal Controls within Business Processes
The CPA firm speaker and many in the audience talked about the ability to test 100% of the population instead of a limited sample of transactions. That sounds good, but most of them are making a fundamental mistake!

They are testing data and looking for exceptions or errors in the data. They should be testing controls—evidence that they are being performed, are adequately designed to address the risk of a material error, and are operating effectively.

The argument is that if there are errors in the data, that means the controls cannot be performing. But our objective is not to prove that a control is not performing; it is to obtain reasonable assurance that it is. If the AI (or analytics) finds no errors, that is not evidence that the control even exists.

As I ask in my SOX class, does the fact that your house has not been burglarized in the last two years prove that you locked the doors and closed the windows every time you went out?

Testing Automated and IT-Dependent Controls
This is where AI could make a valuable difference. Usually, the evidence of these controls is digital, so it can be accessed by AI. AI can also confirm that these automated and IT-dependent controls are functioning correctly.

For example, many years ago, I tested the logic of some software by reading the code. I could use AI to do that for me now. AI could be used to:

  1. Re-perform a report used in a control.
  2. Confirm that configuration settings (such as in a three-way match) are not only correct but are not being changed.
  3. Identify inappropriate access rights.

Testing ITGC
The evidence for many key controls within IT business processes is captured in digital records, making it accessible to AI. Examples of the use of AI to test ITGC might include:

  1. Confirming that only authorized software is moved into production.
  2. Verifying that changes to significant applications are tested and the results approved before they “go live.”
  3. Identifying the use of root access (or similar) and testing that it was authorized.
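As an added example of the third ITGC test (root use traced back to an authorization), here is a script of my own, not anything from the author or a vendor. The sudo-style log lines, host names, user names and ticket records are constructed; the assumptions are that the log extract is complete and that a privileged-access ticket names the user, host and approved time window.

```python
"""ITGC test: every escalation to root on in-scope hosts must trace to an
approved privileged-access ticket covering that user, host and time.
Constructed log lines and tickets, not real system output."""
import re
from datetime import datetime, timedelta

# Constructed sudo-style log extract (ISO timestamps assumed).
LOG_LINES = """\
2024-05-02T09:14:03 erp-db1 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash
2024-05-02T23:41:55 erp-db1 sudo: bob : TTY=pts/1 ; USER=root ; COMMAND=/bin/su -
2024-05-03T10:02:10 erp-app1 sudo: carol : TTY=pts/0 ; USER=postgres ; COMMAND=/usr/bin/psql
2024-05-03T10:30:44 erp-app1 sudo: alice : TTY=pts/2 ; USER=root ; COMMAND=/bin/bash
""".splitlines()

# Constructed approvals: (ticket id, user, host, window start, hours allowed).
TICKETS = [
    ("CHG-1001", "alice", "erp-db1", "2024-05-02T09:00:00", 2),
    ("CHG-1002", "alice", "erp-app1", "2024-05-03T12:00:00", 2),  # window opens after the use
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : .*?USER=(?P<target>\S+) ;")


def root_uses(lines):
    """Keep only escalations whose target account is root."""
    uses = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("target") == "root":
            uses.append((datetime.fromisoformat(m.group("ts")), m.group("host"), m.group("user")))
    return uses


def authorizing_ticket(ts, host, user):
    """First ticket whose user, host and time window cover this use, else None."""
    for ticket, t_user, t_host, start, hours in TICKETS:
        begin = datetime.fromisoformat(start)
        if t_user == user and t_host == host and begin <= ts < begin + timedelta(hours=hours):
            return ticket
    return None


def check_root_access(lines):
    """One evidence row per root use; exceptions are uses with no covering ticket.
    An empty exception list is evidence of the control only if the log is complete."""
    rows = [(ts.isoformat(), host, user, authorizing_ticket(ts, host, user))
            for ts, host, user in root_uses(lines)]
    return {"evidence": rows, "exceptions": [r for r in rows if r[3] is None]}
```

The point, in the author's terms, is that the output is evidence about the control (each use tied to an approval), not merely a scan of the data for errors.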

Reporting and More
While not as critical, AI can be used to develop reports for management.

A key consideration has to be staying alert to how management is deploying AI to change business processes and, thereby, the key controls relied upon for SOX. ICFR is likely to become more and more automated, hopefully without management losing the ability to apply judgment and common sense—staying focused on the risk of a material misstatement.

The ability to use AI to test controls will continue to develop. BUT, we must remain focused on the controls relied upon to prevent or detect a material error or omission in the filed financial statements. SOX is NOT about risks to business processes. It’s about risks to the financial statements, so let’s not let the CPA firms carry us away!