Introduction
Across my career, from my time at Big Four firms like Deloitte and Ernst & Young to my current role managing IT controls, I’ve spent countless hours in the trenches of Sarbanes-Oxley (SOX) compliance. I’ve seen firsthand how the annual SOX 404 cycle can become a monumental effort—a whirlwind of evidence requests, manual testing, and late-night reviews, all culminating in a high-stakes attestation. For over two decades, this manual, often repetitive process has been the accepted cost of compliance.
But the ground beneath us is shifting. The same technological forces transforming business operations are now poised to revolutionize the world of GRC. The emergence of accessible AI and low-code automation platforms like Microsoft Power Automate offers a powerful solution to the most persistent SOX challenges. It’s time to move beyond the screenshot and embrace a future of continuous, automated assurance.
This article is a practical guide for my fellow business, IT, and audit leaders. It’s a look at how we can leverage these new tools to not only make SOX compliance more efficient but to make our control environments fundamentally stronger and more resilient.
The Enduring Challenge of Manual SOX Testing
At its core, SOX 404 requires management to establish and maintain adequate internal controls over financial reporting (ICFR). As auditors, our job is to attest to their effectiveness. Historically, this has translated into a significant manual undertaking with several well-known pain points:
- Repetitive & Tedious Work: My experience leading the execution of User Access Reviews (UARs) or testing a sample of 25 application changes has shown how much time is consumed by repetitive tasks. Manually verifying system settings, pulling evidence, and chasing down approvals is not only inefficient but also a drain on highly skilled personnel.
- Point-in-Time Evidence: The classic approach of grabbing a screenshot of a system configuration provides evidence for only a single moment. It doesn’t prove the control was operating effectively for the entire period, a limitation I’ve noted in both my internal and external audit roles.
- High Risk of Human Error: Manual processes are inherently susceptible to mistakes. A typo in a reconciliation or an overlooked detail in a log review can lead to control failures and deficiencies that could have been prevented.
- Significant Cost: The reliance on manual effort comes with a hefty price tag. With organizations reportedly spending over $1 million annually on SOX compliance, the labor costs for both internal teams and external auditors represent a major financial burden (source: IBM – “What is SOX (Sarbanes-Oxley Act) Compliance?” (2025)).
The Solution: Intelligent Automation for Compliance
When we talk about control automation today, we’re moving beyond simple scripts. We are talking about using sophisticated tools to perform control activities, document their execution in real-time, and automatically flag exceptions for human intervention. This new paradigm is powered by two key technologies:
1. Low-Code Automation: Platforms like Microsoft Power Automate, Nintex and Zapier (to name a few) are ideal for automating the rules-based, repetitive tasks that consume so much of our time. Think of generating reports, performing data reconciliations, or managing user access workflows.
Several integrated automation components can turn this traditionally manual, time-intensive process into a streamlined, exception-focused workflow. Such a system would:
- Automatically generates User Access Review (UAR) tickets based on predefined triggers such as quarterly schedules, organizational changes, or system updates
- Seamlessly integrates data through API connections to extract current user access information from all in-scope applications, eliminating manual data gathering requirements
- Performs intelligent reconciliation between active application users and current employee rosters to identify discrepancies and potential security risks
- Delivers exception-based reporting that presents UAR reviewers with prioritized findings, enabling them to focus on genuine security concerns rather than routine validations
This approach has the potential to fundamentally shift our user access reviews from broad, comprehensive manual processes to targeted, risk-based examinations of exceptions and anomalies. The anticipated result is not only improved operational efficiency but enhanced security oversight, as reviewers will be able to dedicate their expertise to investigating legitimate concerns rather than processing routine confirmations.
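As an added illustration, not the author’s code or that of any automation vendor, the reconciliation step above written as a small Python routine: it compares an application’s active accounts against the HR roster and emits only the exceptions, ordered so privileged accounts surface first (the same check the provisioning/deprovisioning flow under Practical Applications relies on). The privileged role names, the three-day deprovisioning SLA and the sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumptions for this example: roles treated as privileged, and the number of days
# after termination by which access must be removed.
PRIVILEGED_ROLES = {"SAP_ALL", "GL_POST", "SYSADMIN"}
DEPROVISION_SLA_DAYS = 3

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                       # "active" or "terminated"
    term_date: Optional[date] = None

@dataclass(frozen=True)
class AppUser:
    account: str
    employee_id: Optional[str]        # None when the account has no HR owner (shared/service)
    roles: frozenset

def reconcile(hr, users, as_of):
    """Return exception rows (priority, account, reason); clean accounts produce no row."""
    by_id = {r.employee_id: r for r in hr}
    rows = []
    for u in users:
        rec = by_id.get(u.employee_id) if u.employee_id else None
        if rec is None:
            reason = "no matching HR record"
        elif rec.status == "terminated":
            overdue = rec.term_date is not None and (as_of - rec.term_date).days > DEPROVISION_SLA_DAYS
            reason = "terminated; deprovisioning SLA breached" if overdue else "terminated; within SLA"
        else:
            continue  # active employee with a linked account: nothing for the reviewer
        # Privileged exceptions sort first so the reviewer sees the riskiest items at the top.
        priority = 0 if u.roles & PRIVILEGED_ROLES else 1
        rows.append((priority, u.account, reason))
    return sorted(rows)

# Constructed sample data, not from any real system.
HR = [HrRecord("E100", "active"),
      HrRecord("E101", "terminated", date(2025, 3, 1)),
      HrRecord("E102", "terminated", date(2025, 3, 30))]
USERS = [AppUser("asmith", "E100", frozenset({"AP_CLERK"})),
         AppUser("bjones", "E101", frozenset({"GL_POST"})),
         AppUser("cwong", "E102", frozenset({"AR_VIEW"})),
         AppUser("svc_batch", None, frozenset({"SYSADMIN"}))]

def run_sample():
    return reconcile(HR, USERS, as_of=date(2025, 3, 31))
```

Each row in the output is one ticket for the reviewer; the active, correctly linked account produces nothing, which is the point of an exception-based review.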
2. Artificial Intelligence (AI) & Machine Learning (ML): For more complex challenges, AI is the answer. These technologies excel at tasks requiring pattern recognition and judgment, like sifting through millions of transactions to detect anomalies or identifying potential Segregation of Duties (SoD) conflicts in a complex ERP system like SAP—a system I’ve worked with extensively throughout my career.
Practical Applications: Putting Automation to Work
Theory is one thing; practical application is where the value is realized. Based on my experience, here are four key SOX controls/processes that are prime candidates for automation.
- User access management (provisioning, deprovisioning, UAR):
- How it Works: Imagine a new hire is entered into the HR system. A Power Automate flow is instantly triggered, creating a ticket for a manager to approve specific system access. The manager’s approval action, captured digitally, becomes the audit evidence. When an employee is terminated, the same process runs in reverse, automatically generating tasks to ensure access is revoked in a timely manner. For ongoing compliance, the system can automatically trigger quarterly user access reviews, importing current access data via API connections to reconcile active application users against current staff rosters, highlighting exceptions for focused reviewer attention.
- Benefit: This creates an unbroken, digitally documented audit trail while ensuring no critical access changes are overlooked. The automation eliminates manual errors and reduces security risks from delayed provisioning or deprovisioning. Additionally, by focusing user access reviews on genuine exceptions rather than routine confirmations, organizations can significantly improve both the efficiency and effectiveness of their access governance while maintaining continuous compliance oversight.
- Automated Evidence Gathering:
- How it Works: Schedule a Power Automate flow to run quarterly that connects to the system’s API or configuration database to extract current password policy settings. The flow documents these settings in a standardized format and saves the compliance evidence to a dedicated audit documentation tool with proper naming conventions and timestamps.
- Benefit: This directly solves the “point-in-time” problem. Auditors receive consistent, untouched evidence without any manual intervention required from the control owner.
- Segregation of Duties (SoD) Analysis:
- How it Works: This is where AI shines. While Power Automate can manage the workflow for reviewing flagged conflicts, an AI model can continuously analyze user roles and permissions across your ERP to identify “toxic combinations” a human might miss. When a potential conflict is found, it can trigger an automated review and mitigation workflow.
- Benefit: This shifts the organization from a periodic, manual SoD review to a proactive, continuous monitoring model, significantly strengthening a critical control area.
- Automated Reconciliations:
- How it Works: Using Microsoft Power Automate with Power BI, a flow can be designed to pull a bank statement from one source and general ledger data from another. It then matches transactions on predefined rules (e.g., date, amount, reference number) and generates a clean report of all exceptions that require a human to investigate.
- Benefit: This drastically reduces the mind-numbing manual work of ticking and tying, allowing your finance and accounting teams to focus their expertise on resolving the actual discrepancies.
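An added example, not code from the article, of the matching logic described under Automated Reconciliations, in Python: bank and GL lines are paired one-to-one on date, amount and reference, and whatever fails to pair on either side becomes the exception report. Case-insensitive reference comparison and the sample transactions are my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    line_id: str
    txn_date: date
    amount: Decimal   # Decimal, never float: 0.10 + 0.20 must reconcile exactly
    reference: str

def match_key(t):
    # Assumed matching rule: same posting date, same amount, reference compared
    # after trimming whitespace and ignoring case.
    return (t.txn_date, t.amount, t.reference.strip().upper())

def reconcile(bank, gl):
    """Pair bank and GL lines one-to-one; every unmatched line becomes an exception row."""
    gl_pool = defaultdict(list)
    for g in gl:
        gl_pool[match_key(g)].append(g)
    matched, exceptions = [], []
    for b in bank:
        candidates = gl_pool.get(match_key(b))
        if candidates:
            # Consume exactly one GL line so a duplicate bank debit cannot match twice.
            matched.append((b.line_id, candidates.pop(0).line_id))
        else:
            exceptions.append(("bank_only", b.line_id, str(b.amount), b.reference))
    for leftovers in gl_pool.values():
        exceptions.extend(("gl_only", g.line_id, str(g.amount), g.reference) for g in leftovers)
    return matched, exceptions

# Constructed sample statements, not real financial data.
BANK = [Txn("B1", date(2025, 3, 3), Decimal("1250.00"), "INV-1001"),
        Txn("B2", date(2025, 3, 5), Decimal("99.99"), "INV-1002"),
        Txn("B3", date(2025, 3, 7), Decimal("400.00"), "INV-1003"),
        Txn("B4", date(2025, 3, 3), Decimal("1250.00"), "INV-1001")]  # duplicate payment
GL = [Txn("G1", date(2025, 3, 3), Decimal("1250.00"), "INV-1001"),
      Txn("G2", date(2025, 3, 5), Decimal("99.90"), "INV-1002"),      # keying error
      Txn("G3", date(2025, 3, 7), Decimal("400.00"), " inv-1003 ")]   # same ref, messy case

def run_sample():
    return reconcile(BANK, GL)
```

The keying error surfaces as a pair of exceptions (one per side) rather than a near-match, and the duplicate bank debit is not silently absorbed by the single GL posting.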
The Auditor’s Evolving Role: From Sampler to Systems Analyst
As we automate controls, the role of the auditor must also evolve. Having sat on both sides of the table, I can see this transformation clearly. Instead of testing hundreds of manual transactions, the audit focus shifts to a more technical and holistic assessment:
- Testing the Automation Itself: The primary audit procedure becomes evaluating the design and logic of the Power Automate flow or AI model. Is it configured correctly? Does the logic address the risk?
- Reviewing Change Management: Rigorous change management becomes even more critical. Auditors will need to see evidence that any changes to the automation itself were properly controlled, tested, and approved.
- Verifying IT General Controls (ITGCs): The underlying platforms, like Microsoft’s Power Platform or Azure, become a key area of focus. Auditors will need assurance that these systems are secure, well-managed, and reliable.
Building a More Resilient and Efficient Future
Embracing automation and AI is not just about making SOX compliance cheaper or faster. It’s about making it better. These technologies allow us to build a compliance framework that is stronger, more reliable, and operates continuously. We can transform SOX from a burdensome exercise we endure each year into a strategic process that actively improves our business.
While powerful tools like Microsoft Power Automate can execute individual tasks, the true power comes from integrating these activities. A holistic Governance, Risk, and Compliance (GRC) platform like InScrivere provides the essential management and monitoring layer. It gives leadership and auditors a single pane of glass to see how these automated controls are operating, manage exceptions, and gain full visibility into the health of the entire SOX program. The future of internal controls is here, and I am excited to be a part of building it.
About the Author: Brian Ellis (CISA), IT Controls Manager, B. Riley Financial
As a dedicated and seasoned IT Controls and SOX Compliance expert, I specialize in building and strengthening the critical bridge between IT infrastructure and business integrity. With a career forged in the rigorous environments of Big Four and top-tier consulting firms, and now leading in-house compliance, I possess a comprehensive view of the entire audit and controls lifecycle.
For more insights on internal controls and compliance automation, visit my LinkedIn [https://www.linkedin.com/in/brian-ellis-cisa-01868512/] or contact [bellis@brileyfin.com].
Author’s Note: This article was created through a collaborative process combining the author’s professional expertise in internal controls and SOX compliance with AI assistance from Claude (Anthropic) and Google Gemini. These AI tools were used to help research current industry trends, organize complex information, and enhance the clarity of technical concepts, while all strategic insights and practical recommendations are grounded in real-world professional experience.