GenAI Meets SOX
Audit-Proofing Your Finance Workflows
In recent months, tools like ChatGPT and Claude have made their way into the financial close. They’re drafting journal entries, summarizing trends, even writing slide commentary for the board. At first, they felt like harmless assistants: fast, articulate, and surprisingly helpful. But as their footprint expanded, something else crept in: missing controls.
AI didn’t break compliance. It just slipped past it.
Now regulators and auditors are paying closer attention. And they’re asking the right question: Can your finance team prove how this output was created, reviewed, and approved?
If not, it's time to rethink your workflows.
The Control Framework Hasn’t Caught Up
Finance teams are adopting GenAI fast. A June 2024 Gartner survey shows 58 percent of finance functions now use AI, up 21 points from the previous year.
But very few have updated their SOX narratives, ICFR matrices, or policy frameworks to reflect this change. Most controls still assume that core financial processes are manual or structured, not generated by a probabilistic model.
When that assumption breaks, so does traceability.
Take something simple. A controller uses ChatGPT to generate a journal entry. The prompt disappears. The logic behind the numbers isn’t stored. The output is accepted and posted. A month later, your auditor asks where that number came from. No one remembers.
This isn’t an edge case. It’s becoming standard practice.
Where GenAI Is Quietly Touching SOX
AI is being used to support more processes than most teams realize. Here are four of the highest-risk areas:
1. Journal Entries
AI models like Claude and ChatGPT can draft accruals or month-end adjustments. But without logging inputs or documenting logic, these entries are effectively unauditable.
2. Reconciliations
Some finance teams are using AI to detect anomalies or propose adjustments. These suggestions may be useful, but if they aren't validated by a human and captured properly, the control environment is weakened.
3. Management Commentary
Drafting MD&A sections, board updates, or earnings call prep with AI is becoming common. If this language is based on incorrect assumptions or unverified trends, it may introduce material misstatements.
4. Forecast Narratives
When ChatGPT explains why margins shrank, it may hallucinate reasons that sound plausible but aren’t supported by the data. If those explanations make it into reports, you’ve got a problem.
What the Regulators Are Saying
The technology may be new. The rules aren’t.
Regulators aren’t introducing new rules for AI. They’re reinforcing long-standing standards and making it clear those standards apply whether your output comes from Excel or a language model.
PCAOB (July 2024): Issued a spotlight on generative AI, reminding firms that audit evidence must be supported by traceable documentation and reviewed by qualified professionals.
PCAOB (January 2025): Included GenAI use in its 2025 audit inspection priorities, with a specific focus on how firms document and validate technology-assisted workflows.
FINRA (June 2024): Released guidance requiring robust supervision and recordkeeping for any AI-based systems used by finance teams.
FINRA (2025 Oversight Report): Reiterated that AI oversight must include use-case definition, vendor risk assessments, and clear supervisory controls. Expectations are not hypothetical.
SEC (March 2024): Charged investment advisers for misleading statements about their use of AI. The message was clear: don’t exaggerate, and don’t hide behind the technology.
SEC (2025): Expanded enforcement via its Cybersecurity & Emerging Technologies unit. Regulators and private litigants are now treating exaggerated AI claims as a material compliance issue.
None of these statements prohibit the use of generative AI. But the message is consistent across the board: your control obligations don’t disappear when a model enters the workflow. In fact, the expectations only get higher.
The Five Steps to Audit-Proof GenAI in Finance
If you’re using AI in any process that touches your financial statements, here’s how to protect your team and satisfy your auditors.
1. Build an AI Use Register
List every AI tool in use. Track the department, use case, type of data involved, and who’s responsible for oversight. Without a clear inventory, you can’t govern usage properly.
📁 Pro Download: AI Use Register Template (CSV)
2. Update Your SOX Control Narratives
If GenAI plays a role in a SOX-relevant process, your risk controls need to reflect that. Include a description of the AI system, define the human validation step, and identify what evidence is retained.
📁 Pro Download: SOX Control Mapping Worksheet (PDF)
3. Introduce Prompt Logging and Review
This is your new audit trail. For any AI-assisted output, log the prompt, the result, and who reviewed and approved it. Store these logs just like any other working paper.
📁 Pro Download: Prompt Logging & Review Checklist (PDF)
4. Train Your Team
Don’t assume everyone knows how to use these tools safely. Provide clear guidelines on what is acceptable, what must be reviewed, and how to spot AI-generated errors.
5. Include Internal Audit from the Start
Bring your auditors into the process early. Let them review your AI inventory, your revised controls, and your review protocols. They’ll be your best defense when the external audit comes around.
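Steps 1 and 3 above can be made concrete in code. The example below is added here and is not part of the original article or any vendor's product: a constructed AI use register that gates which tools may be logged against, and an append-only prompt log in which every prompt, output and review decision is chained with SHA-256 so that a changed or deleted entry is detectable at audit time. The tool names, user IDs, control references (such as "JE-07") and timestamps are all constructed sample values, and the segregation-of-duties rule (the preparer may not review their own output) is an assumption about what the control narrative in step 2 would specify.

```python
"""Tamper-evident prompt log with preparer/reviewer segregation (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed AI use register (step 1). Only tools listed here may be logged against;
# the department, use case, data type and owner are the fields the article asks for.
AI_USE_REGISTER = {
    "chatgpt": {"department": "Controllership",
                "use_case": "Draft month-end accrual journal entries",
                "data_type": "Internal financial data, no PII",
                "owner": "Assistant Controller"},
    "claude": {"department": "FP&A",
               "use_case": "Draft variance commentary for management review",
               "data_type": "Internal forecast data",
               "owner": "FP&A Manager"},
}

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


def _digest(prev_hash: str, body: dict) -> str:
    """Hash the previous entry's hash together with a canonical JSON form of this entry."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class PromptLog:
    """Append-only log of AI prompts, outputs and review decisions, chained by SHA-256."""

    def __init__(self, register=AI_USE_REGISTER):
        self.register = register
        self.entries = []

    def _append(self, payload: dict) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "prev_hash": prev_hash, **payload}
        entry = {**body, "hash": _digest(prev_hash, body)}
        self.entries.append(entry)
        return entry

    def record_output(self, tool, preparer, prompt, output, control_ref, timestamp=None):
        """Step 3: capture the prompt, the result and who produced it, tied to a SOX control."""
        key = tool.lower()
        if key not in self.register:
            raise ValueError(f"{tool} is not in the AI use register; add it before use")
        return self._append({
            "event": "output", "tool": key, "preparer": preparer,
            "control_ref": control_ref, "prompt": prompt, "output": output,
            "output_sha256": hashlib.sha256(output.encode("utf-8")).hexdigest(),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        })

    def record_review(self, output_seq, reviewer, decision, note="", timestamp=None):
        """Record the human validation step; the preparer may not approve their own work."""
        target = self.entries[output_seq]
        if target["event"] != "output":
            raise ValueError("a review must reference an output entry")
        if reviewer == target["preparer"]:
            raise ValueError("preparer cannot review their own AI-assisted output")
        if decision not in ("approved", "rejected"):
            raise ValueError("decision must be 'approved' or 'rejected'")
        return self._append({
            "event": "review", "output_seq": output_seq, "reviewer": reviewer,
            "decision": decision, "note": note,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        })

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited, reordered or removed entry breaks the chain."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev_hash:
                return False
            if _digest(prev_hash, body) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True

    def pending_review(self) -> list:
        """Sequence numbers of outputs that no reviewer has yet signed off on."""
        reviewed = {e["output_seq"] for e in self.entries if e["event"] == "review"}
        return [e["seq"] for e in self.entries
                if e["event"] == "output" and e["seq"] not in reviewed]

    def postable(self, output_seq) -> bool:
        """An output may be posted only when its most recent review is an approval."""
        decisions = [e["decision"] for e in self.entries
                     if e["event"] == "review" and e["output_seq"] == output_seq]
        return bool(decisions) and decisions[-1] == "approved"


def build_demo_log() -> PromptLog:
    """Constructed sample: one accrual drafted and approved, one commentary still unreviewed."""
    log = PromptLog()
    log.record_output("ChatGPT", "j.doe",
                      "Draft the June bonus accrual from the attached payroll summary",
                      "Dr Bonus expense 120,000 / Cr Accrued bonus 120,000",
                      "JE-07", timestamp="2025-07-02T09:15:00+00:00")
    log.record_review(0, "m.lee", "approved", "Agrees to payroll summary",
                      timestamp="2025-07-02T11:40:00+00:00")
    log.record_output("Claude", "j.doe", "Explain why gross margin fell 2 points in Q2",
                      "Margin fell because of higher freight costs",
                      "MDA-03", timestamp="2025-07-03T08:05:00+00:00")
    return log
```

Each entry is a working paper in its own right: the reviewer sees the exact prompt and output, the control it supports, and who prepared it, while `verify_chain()` gives internal audit a quick integrity check before they rely on the log. The `pending_review()` list is what should be empty before a close is signed off.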
What to Do Next
Generative AI isn’t the threat. Uncontrolled use is.
Most teams aren’t trying to cut corners. But when outputs are accepted without review, when prompts are undocumented, and when logic can’t be reproduced, the result is the same: a process that can’t pass audit.
Fixing it doesn’t mean slowing down. It means adding the same structure and oversight that you’d apply to any other new system.
Want the tools to make this easy?
Upgrade to the Pro tier to download:
AI Use Register Template (CSV)
SOX Control Mapping Worksheet (PDF)
Prompt Logging & Review Checklist (PDF)
Forward-thinking finance teams are already using these frameworks. You can too.