Modernized SOX Compliance with GenAI | Deloitte US
By Lindsay Rosenfeld, Audit & Assurance Partner, Deloitte & Touche LLP, and Brandon Chandler, Audit & Assurance Partner, Deloitte & Touche LLP
For more than 20 years, the Sarbanes-Oxley Act of 2002 (SOX) has been important in enhancing financial reporting for public companies. SOX protects investors by enforcing controls over financial reporting, holding senior executives accountable for the accuracy of financial statements, and ensuring auditor independence.
That’s not to say there haven’t been obstacles on the road to ongoing SOX compliance. Challenges for public companies have ranged from lack of professionals with the appropriate skills and experience and ineffective monitoring to letting SOX programs go stale by not keeping pace with change, to name just a few.
Finance automation has helped companies make incremental improvements in recent years. Now technology in the form of Generative Artificial Intelligence (GenAI) can have an even greater impact on SOX compliance. New GenAI tools have the potential to be a game changer. How? By automating, accelerating, and generally improving many aspects of the SOX life cycle, including risk assessment, control design and testing, monitoring, remediation, and reporting. Let’s take a closer look at how GenAI may affect SOX compliance for both established and newly public companies.
For established public companies, GenAI can enhance the processes that drive SOX program maintenance and evolution, including:
Accelerating research: GenAI tools can be excellent for conducting research. They can perform research tasks needed to identify and adapt to regulatory updates in a fraction of the time it takes a human, reducing the time spent on data gathering and analysis. The result: Increased research efficiency with professional oversight.
Automated actions and process creation: The technology can also accelerate tasks necessary for keeping SOX programs up to date. GenAI tools may enhance both efficiency and accuracy of documenting and updating processes.
Advanced analysis and control assessment: GenAI can analyze high volumes of processes and can compare existing controls and processes against audit or accounting guidance and leading practices. These analysis and verification tasks, which typically take days, can now be completed by GenAI in minutes.
Quicker access to value-added SOX insights: Using GenAI, internal control and reporting professionals can perform real-time data analysis, enabling them to efficiently share critical insights that can enhance decision-making. Faster access to broader SOX insights can also streamline the sharing of valuable updates, which are essential for adapting to change and continuously improving compliance.
For newly public companies, it can be challenging to balance the activities needed to create an effective SOX compliance program with the many requirements that come with going public. GenAI can make a major difference by automating some of these processes:
Drafting processes from transcripts: During SOX program startup, GenAI can create initial drafts of processes directly from meeting transcripts, which can then be reviewed for completeness and accuracy, saving time and resources. This ability helps companies create accurate and up-to-date process documentation from the outset in a more efficient manner.
Risk and control mapping: GenAI can streamline the risk and control mapping that newly public companies should complete to identify and document their controls and establish a robust compliance framework. This can allow emerging companies to efficiently align with SOX requirements and identify potential gaps for remediation faster.
Q&A functionality: GenAI’s large language model (LLM) technology enables interactive Q&A functionality, which can provide answers to compliance-related queries, aiding in quick decision-making.
The power of GenAI to automate and accelerate manual tasks has the potential to improve SOX program effectiveness, expand SOX capabilities, and reduce the resources and costs historically associated with SOX compliance. In the near future, these benefits may free up employees to work smarter and focus on more strategic and complex tasks—including carefully overseeing GenAI activities to verify quality and mitigate risk—and fundamentally reshape SOX compliance for both established public companies and newer entrants.
While GenAI may improve SOX compliance by streamlining processes and improving accuracy, it is important to recognize that its implementation is not without risk and requires professional oversight.
Deloitte has a long history of delivering SOX compliance services and has experience implementing AI in accounting and controls. We have extensive experience with internal audit services and a broad range of additional finance automation services tailored to meet unique client needs. For more information, visit our SOX and internal control over financial reporting services page, and feel free to reach out to us with any questions.
The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
Copyright © 2024 Deloitte Development LLC. All rights reserved.
Lindsay is an Audit & Assurance partner with 24 years of external audit and advisory experience. As the national market offering leader for governance, risk, and controls within Deloitte's Accounting & Reporting Advisory practice, Lindsay specializes in SOX readiness and the modernization of SOX and internal control programs. She also assists companies in implementing technology solutions to manage these programs effectively. Lindsay serves large public and private multinational clients based in the United States and abroad, with a primary focus on the automotive industry. However, her expertise extends across various industries, leveraging her extensive network within Deloitte to provide comprehensive support in accounting, internal audit, risk management, transformation, technology, HR transformation, ESG initiatives, and more. With deep experience in both US GAAP and IFRS technical accounting matters, Lindsay is well-versed in the accounting and reporting requirements for complex transactions, including revenue recognition, business combinations, goodwill impairment, warranty, pension and OPEB, income taxes, carve-out/spin-off transactions, and initial public offerings. Lindsay's international experience includes a three-year assignment in Italy, where she focused on foreign private issuers with IFRS to US GAAP reconciliations. This global perspective further enhances her ability to navigate and address the diverse challenges faced by her clients.
Brandon is an Audit & Assurance partner for Deloitte & Touche LLP with experience in technical accounting research, internal controls, and financial reporting for companies within the technology, manufacturing, oil and gas, retail, and financial services industries. He serves as the Governance, Risk, and Controls market offering leader for the Atlanta and Birmingham markets. He is skilled in leases, business combinations, Initial Public Offerings (IPOs), revenue recognition, consolidations, stock compensation, SOX readiness/implementations, internal control gap assessments, remediation services, and IFRS to US GAAP conversions. Brandon is also experienced with complex capital market transactions involving initial public offerings, SPAC transactions, and spin-offs.