Sarbanes-Oxley and AI: When AI Output Becomes Part of the Financial Reporting Process
SOX compliance teams have spent twenty years building controls around spreadsheets, ERP systems, and the humans who operate them. The control frameworks are mature. The audit trails are well understood. And now companies are dropping AI tools into the middle of the financial close process, sometimes without fully thinking through what that means for their Section 302 certifications and Section 404 internal control assessments.
This is worth paying attention to, because the PCAOB and SEC have not issued specific guidance on AI in financial reporting. That silence does not mean you are in the clear. It means the existing rules apply as written, and auditors are already starting to ask pointed questions about how AI-generated outputs feed into financial statements.
Where AI Is Showing Up in the Close Process
The use cases are expanding quickly. Companies are using AI and machine learning models for revenue recognition estimates, lease classification, allowance for doubtful accounts calculations, intercompany reconciliation matching, and journal entry anomaly detection. Some of these are advisory (flagging items for human review), and some are increasingly determinative (producing numbers that flow directly into the general ledger with minimal human intervention).
The distinction matters for SOX purposes. An AI tool that suggests a reserve estimate which a controller then independently evaluates is a different control risk than an AI tool that auto-posts adjusting entries based on pattern recognition. Both need controls. But the nature, extent, and documentation requirements differ significantly.
Section 302: The CEO and CFO Are Still on the Hook
Section 302 of SOX requires the CEO and CFO to personally certify that, to their knowledge, the report contains no material misstatements and fairly presents the company's financial condition, and that they have evaluated the effectiveness of disclosure controls and procedures as of the end of the period covered by the report. The companion Section 906 certification, codified at 18 U.S.C. Section 1350, is the one that carries criminal penalties: fines up to $5 million and imprisonment up to 20 years for willful violations. The two certifications are signed on the same facts, so a gap in understanding that undermines one undermines the other.
When an AI model contributes to a material estimate or classification in the financials, the certifying officers need to understand, at least at a reasonable level, how that output was generated and what controls govern its accuracy. "The AI did it" is not a defense to a Section 302 certification. If anything, deploying AI without adequate understanding of its behavior could be characterized as a failure to evaluate disclosure controls, which is precisely what Section 302 requires.
Practically, this means someone in the organization needs to be able to explain to the CEO and CFO how the AI model works, what data it ingests, how its outputs are validated, and what could go wrong. That explanation needs to be documented. If your certifying officers cannot articulate the role AI plays in producing the numbers they are signing off on, you have a gap.
Section 404: AI as an Information-Producing Control (or an Information-Producing Risk)
Section 404 requires management to assess the effectiveness of internal controls over financial reporting (ICFR), and for accelerated and large accelerated filers, the external auditor must attest to that assessment. The COSO 2013 framework, which underpins most ICFR assessments, includes principles around information quality and monitoring that become directly relevant when AI enters the picture.
Under COSO Principle 13, organizations must obtain or generate and use relevant, quality information to support the functioning of internal control. When an AI model produces an output that feeds into the financial statements, that model becomes an "information-producing activity" subject to the same rigor as any other source of information produced by the entity (IPE). Auditors following AS 2201 (the PCAOB's standard on ICFR audits) will want to understand the completeness and accuracy of the data the AI model uses, and the reliability of the model's processing logic.
Here is where it gets tricky. Traditional IT general controls (ITGCs) are built around deterministic systems. You validate that the ERP calculates depreciation correctly by testing the formula. AI models, particularly those using machine learning, are probabilistic. Their outputs can shift as training data changes, as models are retrained, or as input distributions drift. The standard ITGC framework does not neatly accommodate this.
What Auditors Are Starting to Expect
- Model inventory and risk classification. Which AI models touch financial reporting, and what is the materiality of their outputs? This is analogous to the application inventory exercise companies already do for SOX-relevant systems.
- Change management controls. When a model is retrained or updated, is there a documented approval process? Version control? Testing against known outcomes before deployment? AS 2201 paragraphs 34 through 38 direct the auditor to understand the likely sources of misstatement, including how IT affects the flow of transactions, and undocumented model changes will raise flags.
- Input data validation. Controls over the completeness and accuracy of data feeding into the AI model, just as you would validate data feeds into any SOX-relevant application.
- Output monitoring and reconciliation. Are AI outputs compared against independent benchmarks, historical trends, or manual calculations on a periodic basis? This is your detective control layer.
- Explainability documentation. Can you articulate why the model produced a given output? For material estimates, auditors may want to understand the key drivers of the model's conclusion, not just the conclusion itself.
- Access controls and segregation of duties. Who can modify the model, its parameters, or its training data? These need the same logical access controls as any SOX-relevant system.
The Material Weakness Question
Consider a scenario: a company uses an ML model to estimate its allowance for credit losses under ASC 326 (CECL). The model is retrained quarterly using updated macroeconomic data. During Q3, a data pipeline error feeds stale unemployment figures into the model, and the resulting reserve is understated by $14 million. The error is caught during the Q4 close.
Is this a material weakness, a significant deficiency, or a control deficiency? It depends on the magnitude relative to the financial statements, obviously, but it also depends on whether the company had controls designed to catch this type of failure. If there was no input validation control on the data pipeline, and no reasonableness check on the model's output, an auditor could reasonably conclude that the control environment had a design deficiency. The fact that the error surfaced during the next quarter's close rather than through a control in the quarter it occurred is itself evidence on that point. If the $14 million is material, you are looking at a potential material weakness disclosure.
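To make the controls in the list above concrete against this scenario, here is an added example (not FirmAdapt code and not from the original article) of a control wrapper around a reserve estimate. It shows the three controls that would have caught the stale-data failure: a preventive input validation check on completeness and freshness of the macroeconomic feed, a detective reasonableness check that routes large period-over-period moves to human review instead of auto-posting, and a hash-chained audit record of inputs, model version, and output. The model itself is a stand-in linear rule, the `MODEL_VERSION` tag is hypothetical, and every figure and date is constructed for illustration.

```python
"""Control wrapper around an ML-driven reserve estimate (added example, not vendor code).

Three controls from the text:
  * input validation  -- completeness and freshness of the macro data feed
  * output monitoring -- reasonableness band against the prior-period reserve
  * audit trail       -- hash-chained record of inputs, model version, output
The model is a stand-in linear rule; all figures below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

MODEL_VERSION = "cecl-lgd-v3.2"  # hypothetical tag from a change-managed model registry


@dataclass(frozen=True)
class MacroInput:
    as_of: date                    # period the figures describe
    unemployment: Optional[float]  # percent
    gdp_growth: Optional[float]    # percent, annualized


class ControlException(Exception):
    """A preventive control blocked the estimate before it could post."""


def validate_inputs(inputs: MacroInput, period_end: date, max_staleness_days: int = 45) -> int:
    """Preventive control over completeness and freshness of the input feed.

    This is the check missing in the CECL scenario: a stale unemployment figure
    still yields a plausible-looking reserve, so the model alone will not notice.
    Returns the data age in days when the inputs pass.
    """
    for name in ("unemployment", "gdp_growth"):
        if getattr(inputs, name) is None:
            raise ControlException(f"incomplete input: {name} is missing")
    age_days = (period_end - inputs.as_of).days
    if age_days < 0 or age_days > max_staleness_days:
        raise ControlException(
            f"stale input: macro data dated {inputs.as_of} is {age_days} days old "
            f"at period end {period_end} (limit {max_staleness_days})")
    return age_days


def estimate_reserve(inputs: MacroInput, gross_receivables: float) -> float:
    """Stand-in for the ML model: a fixed linear loss-rate rule (constructed)."""
    loss_rate = 0.012 + 0.004 * inputs.unemployment - 0.002 * inputs.gdp_growth
    return round(gross_receivables * loss_rate, 2)


def within_reasonableness(reserve: float, prior_reserve: float, tolerance: float = 0.25) -> bool:
    """Detective control: a move beyond `tolerance` vs the prior period needs human review."""
    return abs(reserve - prior_reserve) / prior_reserve <= tolerance


def audit_record(prev_hash: str, inputs: MacroInput, reserve: float, status: str) -> dict:
    """Evidence for the auditor: what went in, which model version, what came out.

    Each record carries the hash of its predecessor, so a later edit to any
    record breaks the chain and is detectable during a walkthrough.
    """
    payload = {
        "model_version": MODEL_VERSION,
        "input_as_of": inputs.as_of.isoformat(),
        "unemployment": inputs.unemployment,
        "gdp_growth": inputs.gdp_growth,
        "reserve": reserve,
        "status": status,
        "prev_hash": prev_hash,
    }
    digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
    return {**payload, "hash": digest}


def run_close(inputs: MacroInput, period_end: date, gross_receivables: float,
              prior_reserve: float, prev_hash: str = "0" * 64) -> dict:
    """Run the estimate under control; status is blocked, held_for_review, or posted."""
    try:
        validate_inputs(inputs, period_end)
    except ControlException as exc:
        # Nothing posts; the record preserves why the run was stopped.
        return audit_record(prev_hash, inputs, 0.0, f"blocked: {exc}")
    reserve = estimate_reserve(inputs, gross_receivables)
    status = "posted" if within_reasonableness(reserve, prior_reserve) else "held_for_review"
    return audit_record(prev_hash, inputs, reserve, status)


def verify_chain(records: list) -> bool:
    """Recompute every hash and link; False if any record was altered after the fact."""
    expected_prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev_hash"] != expected_prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
            return False
        expected_prev = rec["hash"]
    return True


if __name__ == "__main__":
    q3_end = date(2024, 9, 30)
    fresh = MacroInput(date(2024, 8, 31), unemployment=4.2, gdp_growth=2.5)
    stale = MacroInput(date(2024, 5, 31), unemployment=3.9, gdp_growth=2.5)  # the pipeline failure
    for label, inp in (("fresh", fresh), ("stale", stale)):
        print(label, run_close(inp, q3_end, 500_000_000, prior_reserve=12_500_000)["status"])
```

The point of the structure is that the model never writes to the ledger directly: every path ends in an audit record, only the `posted` status is eligible to flow onward, and the staleness and reasonableness thresholds are parameters a control owner sets and documents rather than values buried in the model. The same wrapper pattern applies whether the estimate comes from a linear rule, a gradient-boosted model, or a vendor API.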
The SEC's 2023 and 2024 comment letters have increasingly focused on how companies use estimates and assumptions in their financial reporting. While AI-specific comment letters are still rare, the trajectory is clear. Companies that cannot demonstrate robust controls over AI-driven estimates will face scrutiny.
Practical Steps for the Next Audit Cycle
If your organization is using AI in any part of the financial reporting process, a few things are worth doing now rather than waiting for your auditor to ask.
- Conduct an inventory of all AI and ML tools that touch, directly or indirectly, any account balance or disclosure in the financial statements.
- Map each tool to the relevant financial statement assertion (completeness, accuracy, valuation, etc.) and assess the control risk.
- Document the model governance framework, including who owns each model, how changes are approved, and how performance is monitored.
- Build or update your risk and control matrix (RCM) to include AI-specific controls, and make sure your SOX testing plan covers them.
- Brief your certifying officers. They need to understand what AI is doing in the close process at a level sufficient to support their Section 302 certifications.
How FirmAdapt Addresses This
FirmAdapt's architecture was designed for exactly this kind of regulatory overlap. The platform maintains full audit trails of AI model inputs, processing logic, and outputs, structured to align with COSO principles and PCAOB inspection expectations. Every AI-generated output within FirmAdapt is versioned, explainable, and tied to the underlying data sources, giving SOX compliance teams the documentation they need without bolting on a separate governance layer after the fact.
For organizations integrating AI into their financial close process, FirmAdapt provides the model governance, access controls, and output validation framework that auditors are beginning to require. The controls are built into the platform rather than retrofitted, which means your SOX 404 assessment can treat FirmAdapt as a controlled environment from day one rather than a new risk to mitigate.