Transcript
A (0:00)
Welcome to the IA on AI podcast, part of the Audit Podcast network, where we bring you weekly updates on AI from the internal auditor's perspective. From normanmarks.wordpress.com, so this is Norman Marks' website, his blog. I highly recommend it. Probably the thought leader in internal audit risk management and usually puts out a post or blog article every week, but usually there's at least two if you're looking at my screen. Obviously the one I want to talk about is can we use AI for ICFR and SOX? He's also been talking AI a decent amount the past couple of weeks. Is AI coming for your job? Agentic AI is changing procurement risk. Let's learn from it. Which risks should we audit? The auditor as an evangelist for AI. So as, in my opinion, the premier thought leader on all things audit and risk, to start to hear Norman's thoughts on AI is something I'm paying close attention to. Not to ruin the article too much, but can we use AI for ICFR and SOX? The opening line from Norman is the short answer is yes, of course. Or rather, of course yes. And I wasn't real sure where Norman was going to go with this because I know in my experience when I was in external audit and initially we started testing controls using analytics and it was pretty okay for about the first year. And then the partner on practically all my engagements, who was like the quality guru, knew the methodology inside and out, said, hey, that's really cool, but you're inferring the control is operating effectively. You're not testing that it's operating effectively. And it wasn't until maybe a couple years after that where I got to know Norman and his work and he uses this analogy all the time and it's a really good one. So similarly, like imagine we do terminated user testing using analytics and we see 50 people, or rather we see that nobody that's been terminated still has access to whatever name of system, the GL, something, whatever it is. That's inferring that the control worked.
So let's say the control is when someone's terminated, the manager opens a ticket, sends it to HR, they cut off the pay, then it goes to the infosec team, they cut off access. Or there's an automated control that kicks off when management submits a ticket and they cut off Windows AD access or something like that. Just because they no longer have the access doesn't mean that that process, that control was followed. Which was super frustrating when I found out about that when I was in external audit. So anyway, Norman always does this analogy similarly, so he says, consider this. The fact that your home has not been burglarized isn't proof that you locked the doors and windows and turned on the alarm system every time you left the home, i.e., those would be the controls. Just because somebody didn't break in doesn't mean that you turned on the alarm, you had all the windows and doors locked, which is what you would want. So that's why I was curious what Norman was going to come out with. I fully expected that analogy and nailed it. But I wasn't sure what his stance was going to be on using AI to test controls as well as using AI to execute. I would assume execution been okay. But the difference here is that you aren't just using the data if you use AI properly. So if you have some big reconciliation control, you can still pull in these days the PDFs and it will scan everything, convert to text if need be. It will, you can, depending on the vendor you work with, it'll highlight, hey, here's where the manager signed off on this reconciliation. Here's the date that they signed off on it. Here you can see where something didn't reconcile. So you can see the back and forth on getting that remediated, all that kind of good stuff. So you can use AI, specifically agentic AI, to test SOX controls. Now you can still do it if you want to take a sample.
My opinion, if it's a control that ties very closely to the strategy, consider tight testing, 100%, even using AI to pull down all that documentation or simple automation either, just to pull down all the documentation. Norman does go on to say that the problem with this could be the evidence of the control being performed, he said, is often not available to an AI agent to examine. It may be on a piece of paper. That seems less and less. I don't know anybody who's going back to paper. Like everybody's trying to go digital and they have been for years. And so I think that's going to be more of an exception than the norm, being able to go, hey, we don't have access to the evidence because it's on a piece of paper. Well, even if that's the case, scan the piece of paper in, or all the pieces of paper, and then you could still continue to use AI on that front. So two reasons I wanted to point this out. One is the use of AI for SOX control testing is very real. It's here right now. Truthfully, I don't know any internal audit teams that have developed that in house. But there are a decent amount of vendors that are doing this at a very high, high, high reliable level. I've talked to multiple CAEs who have worked and done some level of a proof of concept with multiple vendors in this space and they've all given their feedback and it is very real. I've seen most of the vendors also. So, so all that to say that is very real. We do need to consider when the day comes that, hey, we don't need to do the testing, we just need to review it in all likelihood. So think senior or manager level of expertise in audit is all that's going to be required. What's that going to do to internal audit? Your internal audit team? If you want to think broader, you can think about the profession. So that's one thing I want to share. The other one is just for people that don't know who Norman is. I always like to introduce him to as many people as I can through this podcast.
He's been on the Audit Podcast two or three times. If you're familiar with Richard Chambers, former president and CEO of the IIA, puts out this top 12-ish. I think it's always been 12, maybe give or take one or two. But thought leaders in internal audit and Norman, like every year Norman was on it. And I think Richard usually opens with something like, if there were to be a top thought leader, it would be Norman. Just reading his blog has changed my perception over the years about really what we should be doing. And so I try to point as many people to it as possible. So go to his site. We'll put a link to this specific blog post in the show notes and then sign up for his email list also so you can get these on a weekly basis. Thank you for listening and be sure to follow the link to greenskiesanalytics.com in the show notes and schedule time to see how Green Skies can make the hype of AI a reality in your internal audit department.
