Use case

Internal audit and SOX controls testing.

From the field: an AI-native workflow redesign of the SOX controls testing process within the Internal Audit Finance function.

Convolving expertise

A senior Convolving delivery team partnered with the internal audit function for one sprint. Operators from our expert network – with forty combined years inside Big Four audit and SOX programmes – reviewed the redesign at each checkpoint. Forward-deployed engineers built inside the team's GRC, ERP, and evidence-repository stack. One flat fee, artifact out, no retainer creep.

Situation

Today SOX controls testing runs on quarterly samples drawn by hand. A team of three to five works the cycle for six to eight weeks.

Sample sizes follow AICPA tables, not transaction risk. Evidence collection is a request-and-attach exercise across owners. Findings land late in the quarter, leaving thin remediation windows. Deloitte's Zora benchmark and AuditBoard deployments report roughly thirty percent audit-time reduction once continuous monitoring lands; the legacy stack does not get there.

  • Cycle time: 6–8 wks (per testing wave, per quarter)
  • Coverage: Sampled (AICPA-table sample sizes)
  • Evidence chase: 40–50% (of auditor hours, not on judgement)
  • Findings lag: Late Q (surface after the period closes)

Complication

Largest obstacles and inefficiencies.

Six to eight weeks per testing wave is the practical floor.

Cycle compression on the legacy stack is rounding error; the bottleneck is sample-by-sample evidence chase.

Sampling misses what is not sampled.

AICPA-table sample sizes give statistical confidence, not transaction-level coverage. Material exceptions outside the sample show up in the next external audit.

Half the auditor hours are evidence chase.

Forty to fifty percent of cycle time goes to requests, reminders, and reformatting attachments.

Resolution

The AI-native cycle.

Same five steps.

  • Cycle time: 1–2 wks (▼ 75% vs today)
  • Coverage: 100% (all GL transactions, every period)
  • Evidence chase: <10% (▼ ~35 points vs today)
  • Findings lag: Continuous (surfaces in week, not quarter)

Key changes

What the redesign actually shifts.

Coverage

  • Testing moves from sampled to one hundred percent of GL transactions.
  • Material exceptions surface in the period, not the next external audit.
  • Sample sizes weight to risk, not to AICPA tables.

Cycle compression

  • Six to eight weeks toward one to two per testing wave.
  • Evidence ingest runs on a schedule rather than email chase.
  • Findings surface continuously, not late in the quarter.

Audit and explainability

  • Every flagged transaction cites the rule and the driver.
  • Model versions log on every test conclusion.
  • SR 11-7 and EU AI Act documentation generates from the audit trail.

Auditor capacity

  • Evidence chase falls from forty to fifty percent of cycle time toward under ten.
  • Auditors review exceptions, not random samples.
  • Freed time goes to higher-judgement work and IT general controls.

Deploy this in your team.

The redesign above ships as a step-by-step playbook. Risk-based scoping framework, continuous monitoring rule library, evidence ingest spec, model documentation pack, and the rollout cadence we use on engagements.