IA on AI – Can we use AI for ICFR and SOX - The Audit Podcast

Episode Overview

Episode Title: IA on AI – Can we use AI for ICFR and SOX
Host: Trent Russell
Date: March 5, 2026

This episode examines the current state and real-world use of artificial intelligence in the testing of Internal Controls over Financial Reporting (ICFR) and Sarbanes-Oxley (SOX) controls. Trent Russell shares insights from leading audit thinker Norman Marks, reviews the practical realities of using AI in audit—including technological capabilities and constraints—and contemplates the broader implications for internal audit teams and the profession.

Key Discussion Points and Insights

1. Norman Marks: The Thought Leader Shaping the Conversation

Norman Marks is cited as “the premier thought leader on all things audit and risk” ([00:23]).
Trent encourages listeners to follow Norman’s blog for weekly thought leadership on audit, risk, and technology.

2. Core Question: Can We Use AI for ICFR and SOX?

The episode is anchored around a recent Norman Marks blog post asking if AI can be used for ICFR and SOX control testing.
Marks's short answer:

"Yes, of course. Or rather of course yes." ([01:10])
Russell was uncertain where Marks would fall, but anticipated Marks' classic analogy to clarify the limits of analytics and AI.

3. Analogy: Controls vs. Outcomes

The Flawed Inference: Russell relays Norman’s analogy that just because no one has broken into your house, it doesn’t prove you locked your doors and set the alarm every time.

“The fact that your home has not been burglarized isn't proof that you locked the doors and windows and turned on the alarm system every time you left the home... Just because somebody didn't break in doesn't mean that you turned on the alarm. You had all the windows and doors locked, which is what you would want.” ([03:12])
Many auditors only infer control effectiveness; true testing verifies process adherence, not just outcomes.

4. How AI Can Enhance Control Testing

AI, especially “agentic AI,” can go beyond traditional analytics:
- In reconciliation controls, AI can pull large volumes of documentation—including PDFs—convert to text, scan for managerial signatures, dates, exceptions, and remediation tracks ([05:12]).
- “You can use AI, specifically agentic AI, to test SOX controls.” ([05:42])
- Full-population testing (i.e., 100% of data) is possible for critical controls:
  
  “If it's a control that ties very closely to the strategy, consider testing 100%, even using AI to pull down all that documentation or simple automation.” ([06:02])

5. Practical Limitations and Digital Transformation

Marks notes a limitation: Control evidence isn’t always digital and may not be accessible to an AI agent ([07:01]).
- Russell counters:
  
  “I don't know anybody who's going back to paper. Like everybody's trying to go digital and they have been for years... Even if that’s the case, scan the piece of paper in… and then you could still continue to use AI on that front.” ([07:20])
The move toward full digitization reduces this barrier over time.

6. AI for SOX: A Current Reality

AI-driven SOX control testing is already happening—but primarily via vendors rather than in-house tools:

“The use of AI for SOX control testing is very real. It's here right now. Truthfully, I don't know any internal audit teams that have developed that in house. But there are a decent amount of vendors that are doing this at a very high, high, high reliable level.” ([08:10])
Feedback from CAEs on vendor pilots has been positive.
The likely future: Senior auditors or managers will focus on reviewing AI-produced evidence rather than manual testing.

7. Implications for Internal Audit Teams

Russell urges listeners to consider:

“When the day comes that, hey, we don't need to do the testing, we just need to review it… What's that going to do to internal audit? If you want to think broader, you can think about the profession.” ([09:00])
The skills composition and daily work for auditors may dramatically shift.

8. Promoting Norman Marks’ Work and Ongoing Education

Russell wraps by emphasizing Norman Marks’ influence:

“Just reading his blog has changed my perception over the years about really what we should be doing.” ([10:04])
Suggests subscribing to Marks’ blog and checking the show notes for links.

Notable Quotes & Memorable Moments

On the limits of AI and evidence:
“The evidence of the control being performed... is often not available to an AI agent to examine. It may be on a piece of paper that seems less and less." (citing Norman Marks via Russell, [07:01])
On the real state of AI in audit:
“The use of AI for SOX control testing is very real. It’s here right now.” ([08:10])
On the coming shift in auditor roles:
“We don't need to do the testing, we just need to review it in all likelihood. So think senior or manager level of expertise in audit is all that's going to be required. What's that going to do to internal audit... to the profession?” ([09:00])
On Norman Marks’ influence:
“If there were to be a top thought leader, it would be Norman. Just reading his blog has changed my perception over the years about really what we should be doing.” ([10:04])

Important Timestamps

00:23 – Introduction to Norman Marks as a leading voice in audit and risk
01:10 – Marks’ clear statement: “Yes, of course” AI can be used for ICFR/SOX
03:12 – Analogy: controls (locking doors) versus outcomes (no burglaries)
05:12–06:02 – Describing how AI can pull, read, and annotate documentation for controls testing
07:01 – Limitation: Evidence not always digital, but this is waning
08:10 – State of the market: Vendors handling SOX AI testing at a high level
09:00 – Discussion of the audit profession’s future as AI reduces manual testing
10:04 – Endorsement of Norman Marks as a foundational thought leader

Takeaways

AI is already transforming SOX and ICFR control testing—auditors need to understand both capabilities and limitations.
Digital documentation is critical for leveraging AI successfully in control testing.
The shift toward AI will alter the work of auditors, emphasizing judgment and review over manual testing.
Thought leaders like Norman Marks provide essential frameworks for navigating this evolving landscape—auditors are encouraged to engage with his work.

Episode Overview

Episode Title: IA on AI – Can we use AI for ICFR and SOX
Host: Trent Russell
Date: March 5, 2026

Key Discussion Points and Insights

1. Norman Marks: The Thought Leader Shaping the Conversation

Norman Marks is cited as “the premier thought leader on all things audit and risk” ([00:23]).
Trent encourages listeners to follow Norman’s blog for weekly thought leadership on audit, risk, and technology.

2. Core Question: Can We Use AI for ICFR and SOX?

The episode is anchored around a recent Norman Marks blog post asking if AI can be used for ICFR and SOX control testing.
Marks's short answer:

"Yes, of course. Or rather of course yes." ([01:10])
Russell was uncertain where Marks would fall, but anticipated Marks' classic analogy to clarify the limits of analytics and AI.

3. Analogy: Controls vs. Outcomes

The Flawed Inference: Russell relays Norman’s analogy that just because no one has broken into your house, it doesn’t prove you locked your doors and set the alarm every time.

“The fact that your home has not been burglarized isn't proof that you locked the doors and windows and turned on the alarm system every time you left the home... Just because somebody didn't break in doesn't mean that you turned on the alarm. You had all the windows and doors locked, which is what you would want.” ([03:12])
Many auditors only infer control effectiveness; true testing verifies process adherence, not just outcomes.

4. How AI Can Enhance Control Testing

AI, especially “agentic AI,” can go beyond traditional analytics:
- In reconciliation controls, AI can pull large volumes of documentation—including PDFs—convert to text, scan for managerial signatures, dates, exceptions, and remediation tracks ([05:12]).
- “You can use AI, specifically agentic AI, to test SOX controls.” ([05:42])
- Full-population testing (i.e., 100% of data) is possible for critical controls:
  
  “If it's a control that ties very closely to the strategy, consider testing 100%, even using AI to pull down all that documentation or simple automation.” ([06:02])

5. Practical Limitations and Digital Transformation

Marks notes a limitation: Control evidence isn’t always digital and may not be accessible to an AI agent ([07:01]).
- Russell counters:
  
  “I don't know anybody who's going back to paper. Like everybody's trying to go digital and they have been for years... Even if that’s the case, scan the piece of paper in… and then you could still continue to use AI on that front.” ([07:20])
The move toward full digitization reduces this barrier over time.

6. AI for SOX: A Current Reality

AI-driven SOX control testing is already happening—but primarily via vendors rather than in-house tools:

“The use of AI for SOX control testing is very real. It's here right now. Truthfully, I don't know any internal audit teams that have developed that in house. But there are a decent amount of vendors that are doing this at a very high, high, high reliable level.” ([08:10])
Feedback from CAEs on vendor pilots has been positive.
The likely future: Senior auditors or managers will focus on reviewing AI-produced evidence rather than manual testing.

7. Implications for Internal Audit Teams

Russell urges listeners to consider:

“When the day comes that, hey, we don't need to do the testing, we just need to review it… What's that going to do to internal audit? If you want to think broader, you can think about the profession.” ([09:00])
The skills composition and daily work for auditors may dramatically shift.

8. Promoting Norman Marks’ Work and Ongoing Education

Russell wraps by emphasizing Norman Marks’ influence:

“Just reading his blog has changed my perception over the years about really what we should be doing.” ([10:04])
Suggests subscribing to Marks’ blog and checking the show notes for links.

Notable Quotes & Memorable Moments

On the limits of AI and evidence:
“The evidence of the control being performed... is often not available to an AI agent to examine. It may be on a piece of paper that seems less and less." (citing Norman Marks via Russell, [07:01])
On the real state of AI in audit:
“The use of AI for SOX control testing is very real. It’s here right now.” ([08:10])
On the coming shift in auditor roles:
“We don't need to do the testing, we just need to review it in all likelihood. So think senior or manager level of expertise in audit is all that's going to be required. What's that going to do to internal audit... to the profession?” ([09:00])
On Norman Marks’ influence:
“If there were to be a top thought leader, it would be Norman. Just reading his blog has changed my perception over the years about really what we should be doing.” ([10:04])

Important Timestamps

00:23 – Introduction to Norman Marks as a leading voice in audit and risk
01:10 – Marks’ clear statement: “Yes, of course” AI can be used for ICFR/SOX
03:12 – Analogy: controls (locking doors) versus outcomes (no burglaries)
05:12–06:02 – Describing how AI can pull, read, and annotate documentation for controls testing
07:01 – Limitation: Evidence not always digital, but this is waning
08:10 – State of the market: Vendors handling SOX AI testing at a high level
09:00 – Discussion of the audit profession’s future as AI reduces manual testing
10:04 – Endorsement of Norman Marks as a foundational thought leader

Takeaways

AI is already transforming SOX and ICFR control testing—auditors need to understand both capabilities and limitations.
Digital documentation is critical for leveraging AI successfully in control testing.
The shift toward AI will alter the work of auditors, emphasizing judgment and review over manual testing.
Thought leaders like Norman Marks provide essential frameworks for navigating this evolving landscape—auditors are encouraged to engage with his work.

wavePod

IA on AI – Can we use AI for ICFR and SOX

Get Free Podcast Summaries in Your Inbox

Pick Your Shows

Subscribe Free

Get Instant Summaries

Summary

Episode Overview

Key Discussion Points and Insights

1. Norman Marks: The Thought Leader Shaping the Conversation

2. Core Question: Can We Use AI for ICFR and SOX?

3. Analogy: Controls vs. Outcomes

4. How AI Can Enhance Control Testing

5. Practical Limitations and Digital Transformation

6. AI for SOX: A Current Reality

7. Implications for Internal Audit Teams

8. Promoting Norman Marks’ Work and Ongoing Education

Notable Quotes & Memorable Moments

Important Timestamps

Takeaways

Summary

Episode Overview

Key Discussion Points and Insights

1. Norman Marks: The Thought Leader Shaping the Conversation

2. Core Question: Can We Use AI for ICFR and SOX?

3. Analogy: Controls vs. Outcomes

4. How AI Can Enhance Control Testing

5. Practical Limitations and Digital Transformation

6. AI for SOX: A Current Reality

7. Implications for Internal Audit Teams

8. Promoting Norman Marks’ Work and Ongoing Education

Notable Quotes & Memorable Moments

Important Timestamps

Takeaways