The Gap Nobody's Talking About: AI, SOX, and the Controls That Haven't Caught Up

A few months ago, I sat down with a CFO at a mid-size public company. Sharp operator. Tight close process. Her finance team had been rolling out AI tools over the past year — automated journal entry suggestions, an LLM helping draft disclosure footnotes, a forecasting model feeding directly into management's quarterly planning review. Real efficiency gains. Real enthusiasm.


I asked one question: had her SOX program been updated to reflect any of it?

Long pause.

"We know we need to get there. It's just — we haven't."

That moment keeps coming back to me, because it's not an outlier. It's the default setting at most public companies right now.

The Problem Isn't the AI. It's the Gap.

The adoption side of this story is real. AI is making finance functions faster, leaner, and more capable than they were two years ago. I'm not here to slow that down. But SOX compliance operates on a different clock than technology adoption — and right now, the two clocks aren't synchronized.

SOX controls were designed around a specific assumption: humans make financially significant decisions, and those decisions can be documented, reviewed, and tested. When an AI system suggests an accrual, drafts a disclosure, or flags an exception for management review, that assumption gets complicated fast. The question auditors will ask — who decided this, based on what, and when — becomes genuinely hard to answer. And in ICFR terms, if you can't answer it, you don't have a control.

There's also a more specific problem your auditors are already asking about. Any AI-generated output that touches a financial reporting process is Information Produced by the Entity — IPE. Auditors will want to know how you've validated its completeness and accuracy. Most companies haven't built those procedures yet. Some didn't know they needed to.

What Actually Needs to Change

The good news: this is a solvable problem. Companies getting ahead of it are addressing it in four practical areas.

1. Own the IPE Question Before Your Auditors Do

If AI outputs are feeding your close process, your management reviews, or your disclosure drafting — document how you've validated them. What's the model's purpose? What are its known limitations? How do you confirm the output is complete and accurate enough to rely on? These are the questions an auditor walks in with. Having the answers ready is the difference between a clean walkthrough and a control gap finding.

2. Define Who's Actually Responsible

SOX is fundamentally an accountability framework. Every control has an owner. When AI is involved, the chain of ownership gets murky — and "the system flagged it" is not a control. For every AI touchpoint in a financially significant process, define the human review requirement: who performs it, what they're expected to evaluate, and what counts as sufficient evidence that they did.

Clicking "approve" on an AI-generated analysis without documented substantive evaluation isn't a control. It's a process step. Your auditors will tell you the same.

3. Update Your ITGCs, For Real

Your IT general controls program covers access, change management, and operations. But it was probably designed for a world of traditional software — where changes are versioned, tested, and approved before deployment. AI doesn't always work that way.

Vendor-managed model updates can change how a tool behaves without anything passing through your change management process, and unless you pin the model version where the vendor allows it and record which version actually handled each call, you can't even show when the behavior changed. Edits to prompts and system instructions change what the tool produces but are rarely treated as system changes. API keys and service accounts used to reach AI platforms often fall completely outside user access review programs. Each of those is a gap. Close them before your next testing cycle, not during it.
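To make those three gaps concrete, here is an added example (not from the original post and not any vendor's tooling) of the kind of check an ITGC for AI tooling can run: an approved register of model version, prompt template hash and API key owner per tool, compared against a call log written by the integration layer. The tool name, model identifiers, prompt text, key identifiers and log records are all constructed for the example; the point is that a vendor-side model change, an in-place prompt edit and an unregistered key each surface as a finding instead of going unnoticed.

```python
import hashlib
from typing import Dict, List

# Approved configuration register for AI tools in the close process.
# Constructed for this example; tool names, model ids and key ids are hypothetical.
# Any change to an entry here is what should go through change management.
APPROVED_PROMPTS: Dict[str, str] = {
    "accrual-suggester": (
        "You are an accounting assistant. Propose month-end accruals from the "
        "open purchase orders supplied. Flag anything over 50,000 for review."
    ),
}
APPROVED_MODELS: Dict[str, str] = {"accrual-suggester": "vendor-model-2024-06"}
# API keys that have a named owner and appear in the user access review.
APPROVED_API_KEYS: Dict[str, str] = {"key-fin-01": "finance-automation-svc"}


def sha256_text(text: str) -> str:
    """Hash a prompt template so edits are detectable without storing full text in logs."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline() -> Dict[str, Dict[str, str]]:
    """Snapshot the approved model id and prompt hash for every registered tool."""
    return {
        tool: {"model": APPROVED_MODELS[tool], "prompt_sha256": sha256_text(prompt)}
        for tool, prompt in APPROVED_PROMPTS.items()
    }


# Constructed call log: one record per AI call, as the integration layer would
# write it. 'model' is the identifier the vendor API reported back in its
# response, not the one requested; that is how a vendor-side update shows up.
_APPROVED_HASH = sha256_text(APPROVED_PROMPTS["accrual-suggester"])
SAMPLE_CALL_LOG: List[Dict[str, str]] = [
    {"ts": "2025-01-31T09:00:00Z", "tool": "accrual-suggester",
     "model": "vendor-model-2024-06", "prompt_sha256": _APPROVED_HASH,
     "api_key_id": "key-fin-01"},
    # Vendor rolled the model forward; nobody raised a change ticket.
    {"ts": "2025-02-03T09:00:00Z", "tool": "accrual-suggester",
     "model": "vendor-model-2025-01", "prompt_sha256": _APPROVED_HASH,
     "api_key_id": "key-fin-01"},
    # Someone edited the review threshold in the prompt in place.
    {"ts": "2025-02-04T09:00:00Z", "tool": "accrual-suggester",
     "model": "vendor-model-2024-06",
     "prompt_sha256": sha256_text(
         APPROVED_PROMPTS["accrual-suggester"].replace("50,000", "500,000")),
     "api_key_id": "key-fin-01"},
    # A key that is not in the access register is calling a close-process tool.
    {"ts": "2025-02-05T09:00:00Z", "tool": "accrual-suggester",
     "model": "vendor-model-2024-06", "prompt_sha256": _APPROVED_HASH,
     "api_key_id": "key-unknown-7"},
]


def review_calls(calls: List[Dict[str, str]],
                 baseline: Dict[str, Dict[str, str]],
                 approved_keys: Dict[str, str]) -> List[Dict[str, str]]:
    """Compare each logged call against the baseline and the key register.

    Returns one finding per deviation, in log order; an empty list means every
    call used the approved model, the approved prompt and a registered key.
    """
    findings: List[Dict[str, str]] = []
    for call in calls:
        tool = call["tool"]
        expected = baseline.get(tool)
        if expected is None:
            findings.append({"ts": call["ts"], "tool": tool,
                             "issue": "unregistered_tool", "detail": tool})
            continue
        if call["model"] != expected["model"]:
            findings.append({"ts": call["ts"], "tool": tool, "issue": "model_changed",
                             "detail": f"{expected['model']} -> {call['model']}"})
        if call["prompt_sha256"] != expected["prompt_sha256"]:
            findings.append({"ts": call["ts"], "tool": tool, "issue": "prompt_changed",
                             "detail": call["prompt_sha256"][:12]})
        if call["api_key_id"] not in approved_keys:
            findings.append({"ts": call["ts"], "tool": tool, "issue": "unapproved_api_key",
                             "detail": call["api_key_id"]})
    return findings


if __name__ == "__main__":
    for finding in review_calls(SAMPLE_CALL_LOG, build_baseline(), APPROVED_API_KEYS):
        print(finding)
```

Run against the constructed log, the first call is clean and the next three each produce exactly one finding: a model change, a prompt change and an unregistered key. In a real program the register would carry a change ticket reference per entry and the review would run on a schedule, with each finding routed to the control owner defined in section 2 rather than left in a log nobody reads.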

4. Get the Policy in Writing

If your company doesn't have an AI use policy that explicitly covers finance, accounting, and financial reporting — separate from a general IT acceptable use policy — that's the foundational gap everything else sits on top of. Who owns AI risk in the finance function? Which tools are approved for the close process? What's the human-in-the-loop requirement before an AI output enters the financial reporting stream?

These shouldn't be judgment calls made at 10pm the night before close. Get them in writing, get them approved by Finance and Internal Audit jointly, and treat the document as a living policy that gets reviewed every time your AI tools change.

A Quick Gut-Check

Before your next audit cycle, run through these with your Controller or Head of Internal Audit:

• Are AI-generated outputs in financial reporting treated as IPE, with documented validation of completeness and accuracy?

• Do your ITGCs cover AI model change management, including vendor-driven updates you didn't initiate?

• Are human-in-the-loop requirements defined and documented for AI touchpoints in the close process?

• Does your AI use policy explicitly cover finance and accounting functions, separate from your general IT policy?

Any "not yet" is a gap worth closing now. The findings that sting most aren't the complicated ones — they're the ones that were sitting in plain sight.

If you'd like to talk through where your program stands — or get a practical read on where the gaps might be — reach out at info@soxhelp.com or call 440.915.1180. We work with public companies at every stage of SOX maturity.

What are you seeing on your end? I'd genuinely like to know.