Last week, I attended a local joint IIA and ISACA chapter meeting and heard a representative of one of the major CPA firms talk about using AI for SOX.
He made some good points, but there were also areas where I believe he was not only off-target but also failing to comply with the PCAOB’s auditing standard.
I did a quick search for articles on AI and the SOX program. While there are plenty of ads for webinars (usually by one of the CPA firms), there are few practitioner articles. I did find this from Saurav Goel in December of last year
Let me share where I am on this question, given that advances are being made all the time so this may be out-of-date very soon.
The question needs to be answered separately (which not everyone does, sadly) for:
- AI usage by management in the design and operation of the system of internal control over financial reporting (ICFR), and
- AI used in management’s assessment of ICFR (with testing usually performed by internal audit or an internal controls group).
I should say that several of the use cases I will mention could be handled by business analytics. In fact, I wrote software to give me analytics when auditing ITGC for PwC way back when. They revealed a rise in emergency program changes, most of which were not approved in the normal way, at the same time as the frequency…
