AI Use in SOX: What Will External Audit Rely On? And How Can SOX Teams Get Ahead of the Game?

Most SOX teams are still getting started with AI, struggling to move from individual experimentation to scalable use. 

Leaders often cite lack of AI expertise and limited understanding of AI capabilities as barriers to adoption. They also have big questions about External Auditor reliance, data privacy and security, and impacts to internal controls and ITGCs.  

Wouldn’t it be great if someone handed you several proven, practitioner-developed, ready-to-deploy AI prompts and agents specifically designed for SOX? Along with expert guidance on all of the above? 

Here you go: Volume II of the Internal Audit Collective’s AI Playbook is out today, offering guidance and SOX-specific use cases to help you make meaningful progress on deploying AI in SOX. Download your copy today, and read on for an excerpt. 

                                                                         *   *   *

The same question is coming up on both sides of the SOX function. Management is embedding AI inside internal controls. Internal Audit is starting to use AI agents to execute testing. 

In both cases, the unsettled piece is the same: What is External Audit actually going to rely on?

The standards governing the question have not moved. PCAOB requirements around reliance on the work of others, ITGC expectations, and evidence requirements were not written with AI agents in mind. That does not mean, however, that the standards do not apply. 

It means that how they apply is being figured out in real time, engagement by engagement.

Management’s Use of AI in Internal Controls

When the business deploys AI inside a SOX-relevant control, the SOX team has to decide how to evaluate it. A poll during a May 2026 Internal Audit Collective webinar asked exactly that: How are SOX teams currently handling AI inside business controls? The results were not encouraging.

The 5% is the number to sit with. In an environment where business teams are deploying AI inside revenue, procure-to-pay, financial close, and access management workflows, 95% of SOX programs do not have a defined framework for how those controls should be evaluated.

The reasons are understandable. No one wants to slow down the business or get out ahead of what External Audit is willing to accept. The instinct is to wait until the picture is clearer.

That instinct is wrong. Waiting means External Audit sets the framework that management and Internal Audit will inherit. That framework will be optimized for External Audit's review processes — not for how your business actually operates. 

The better path is for Internal Audit and management to define what acceptable AI use inside controls looks like, build the governance and evidence around it, and bring that framework to External Audit as the starting point for the discussion. 

COSO's February 2026 Achieving Effective Internal Control Over Generative AI guidance gives that proposal a credible anchor. It applies the COSO Internal Control framework directly to AI-specific risks, which means the conversation with External Audit does not have to start from a blank page. Rather, it can start from a framework they already recognize.

Asking about AI during walkthroughs is not a framework. It’s a stark reminder that when AI surfaces in walkthroughs, auditors are scrambling to see if it passes the sniff test. 

Internal Audit's Use of AI in Testing

A second question is starting to land on Internal Audit teams. If Internal Audit uses an AI agent to execute initial testing, will External Audit rely on that work? The standards governing reliance on Internal Audit's work have not changed. What is unclear is how those standards apply when an AI agent is doing the execution. An informal May 2026 Internal Audit Collective poll of Internal Audit leaders helps surface External Auditors’ current posture. 

Two findings stand out: First, no External Auditor in the sample is willing to rely on pure AI output. The human in the loop is universal wherever reliance occurs. Second, the largest single response is uncertainty (48%). That means the rules of engagement are being negotiated in real time and inconsistently across audit firms and engagement teams. 

                                                                                  *   *   *

For the complete poll results and practitioner perspectives on the bold response needed from SOX teams, download your copy of the full eBook, The AI Playbook for SOX Compliance Volume II: Guidance & Use Cases for AI-Driven SOX Transformation.

‍