Responsible AI governance for the finance function, mapped to SOX, ICFR, FRC and PCAOB standards

ACCOUNTANCY AND FINANCE

Responsible AI Governance for the Finance Function

CFOs, finance teams and audit firms are putting AI into reporting, controls and audit faster than they can govern it. We engineer the governance that keeps AI inside the rules that bite, from SOX and ICFR to FRC and PCAOB audit standards, so the numbers and the sign-off stand up.

For CFOs, finance directors, financial controllers and audit partners. AEO and AI marketing handled downstream, engineered to the same compliance standard rather than gamed.

THE EXPOSURE

Why AI in the Numbers Is a Personal-Liability Risk

When AI touches financial reporting, controls or audit, the accountability does not move to the tool. The director who approves the accounts, the CFO who certifies them, and the auditor who signs keep the liability. That is what makes ungoverned AI in finance a board-level problem.

$5M / 20 yrs

Maximum SOX Section 906 criminal penalty on the CFO

The CEO and CFO personally certify the periodic report. A knowing false Section 906 certification draws fines up to 1 million dollars and 10 years; a willful one up to 5 million dollars and 20 years. That liability attaches to the signature, and no AI tool or vendor absorbs it.

Sarbanes-Oxley Act, Sections 302 and 906 (18 U.S.C. 1350)

15 Dec 2025

PCAOB technology-assisted analysis rules bite

Amended standards AS 1105 (Audit Evidence) and AS 2301 apply to audits of fiscal years beginning on or after this date. Auditors stay responsible for judging data reliability and the results when technology or AI does the analysis.

PCAOB, amendments on technology-assisted analysis (pcaobus.org)

Human accountable

FRC position on AI in audit

The FRC guidance on generative and agentic AI in audit, the first from any audit regulator globally, is explicit: regulatory accountability does not move, and ultimate responsibility always rests with the human auditor. The tool assists; the person answers for it.

FRC guidance on the use of AI in audit, June 2025 (frc.org.uk)

Per use case

EU AI Act classification for financial AI

General reporting automation is usually not high-risk, but the Article 6(3) exemption is narrow and credit scoring of natural persons is high-risk under Annex III point 5(b). Classification is per AI use, not per department, so each one needs a documented call.

EU AI Act, Article 6 and Annex III (artificialintelligenceact.eu)

THE POSITION

Govern AI Well and the Finance Function Moves Faster

Regulation is not the enemy of AI in finance. Govern it properly and you deploy with confidence while rivals are still arguing about who owns the risk when a figure is wrong.

Governed AI clears the close faster

A finance team with documented AI logic and a named owner can trust the output and move. The bottleneck is rarely the model. It is the absence of an agreed way to assure the numbers before the CFO signs.

The certifying officer can stand behind it

When every AI use in reporting sits inside ICFR with tested output and review evidence, the SOX certification is defensible. Sign-off stops being an act of faith in a tool nobody documented.

Finance expertise is your trust asset

Your controllers and auditors understand the numbers and the rules better than any vendor. Turned into governed AI and into clear, accurate published guidance, that expertise is what regulators and AI search engines both reward.

AEO without dark patterns protects the practice

The wider AEO industry is being penalised for manipulative tactics. Done to a Responsible AI standard, AI visibility is engineered cleanly, so a claim that survives professional scrutiny is also the one AI engines cite.

OUR APPROACH

Systems. Strategy. Execution.

The same three-level framework, recast for the AI governance, control and audit realities of the finance function and accounting practices.

1

SYSTEMS

AI Governance Operating Model

We architect the governance your CFO, audit committee and controller can stand behind. Every AI use in reporting, controls and audit mapped to its obligations, with clear ownership and a review point before the numbers go out.

  • AI inventory across reporting, controls, close and audit
  • EU AI Act Article 6 and Annex III classification per use case
  • Mapping to Companies Act duties, SOX and ICFR, FRC and PCAOB standards
  • Audit committee and board reporting on AI risk in the numbers

2

STRATEGY

AI Risk and Compliance Roadmap

We build a prioritised AI risk register and remediation roadmap for the finance function, sequenced to the deadlines that bite: the SOX certification cycle, the PCAOB effective date and the EU AI Act high-risk obligations.

  • AI risk register scored by likelihood and reporting exposure
  • Control gap analysis where AI sits inside ICFR
  • Remediation roadmap tied to the SOX sign-off calendar
  • Human-oversight design for any AI in the audit trail

3

EXECUTION

Reviews, Artefacts and Compliant AEO

When execution is needed, we engineer the evidence. Control and bias reviews, vendor assessments, governance artefacts, and where AI content sits in your firm's marketing, answer engine optimisation built to compliance standard.

  • AI control, bias and explainability reviews for reporting models
  • Vendor and third-party AI assessments for finance tooling
  • Governance artefacts: documented logic, logging, review evidence
  • AEO and content engineering without dark patterns, promotion-clean

WHERE WE CREATE VALUE

Typical Finance and Audit Engagements

Illustrative scenarios reflecting the types of finance functions and audit firms we work with. Specific scope depends on your AI estate, reporting footprint and risk appetite.

FINANCIAL REPORTING

CFO Putting AI into the Close

AI drafts commentary, reconciles ledgers and flags variances in the reporting close. The output feeds statements the CFO personally certifies under SOX, yet there is no documented logic, no tested output and no evidence of review.

Systems-level engagement: bring the AI use into ICFR, document the logic, build the tested-output and review evidence, and name the owner, so the certifying officer can stand behind the numbers.

AUDIT PRACTICE

Audit Firm Adopting AI in Engagements

An audit firm deploys generative and agentic AI to speed testing and evidence review. The FRC and PCAOB keep the human auditor accountable, but the firm has no framework for confidence in the tool's output or for the audit trail.

Governance framework for AI in audit: human-oversight controls, documentation of how confidence in AI output is obtained, and an audit trail that meets FRC guidance and the PCAOB technology-assisted analysis standards.

INTERNAL CONTROLS

Controller Facing AI Control Deficiencies

AI now sits across several reporting processes, added tool by tool. No single inventory, so the controller cannot say which AI touches the numbers, whether it drifts, or whether a regulator would call it a control deficiency.

Strategy-level engagement: an AI inventory across the finance function, a control gap analysis against ICFR, and a remediation roadmap that closes the deficiencies before the next certification.

MARKETING COMPLIANCE

Accountancy Firm Engineering AI Visibility Safely

The practice uses AI to generate marketing content and wants visibility in AI search. Professional and advertising standards still apply, and the wider AEO industry is being penalised for dark patterns.

Governance-led AEO: guardrails for AI-generated content, claim substantiation, and answer engine optimisation engineered to compliance standard rather than gamed.

WHY US

We Understand Where the Liability Sits

Sotiris has 27 years across regulated markets where a wrong number costs more than a ranking, and is the author of Ethical AI, AI Moats and TRANSFORM. VerityAI is a Responsible AI advisory, not a software platform. We govern the AI in your numbers and your AI visibility from the same principle: build it so it holds up when someone has to sign.

Governance the audit committee can defend

We architect AI governance mapped to the Companies Act, SOX and ICFR, and the FRC and PCAOB audit standards, with ownership and evidence a regulator can follow. Not a policy PDF. A working control set.

Responsible AI applied to AI search

AI engines reward authoritative, well-structured, expert-attributed content. We engineer that visibility without the dark patterns the AEO industry is being penalised for, so it stays accurate and defensible.

Board language, not jargon

We speak to CFOs, controllers and audit partners. Reporting connects AI to personal liability, control deficiencies and sign-off risk, not vanity metrics.

FROM THE PUBLIC RECORD

What Ungoverned AI in the Numbers Actually Costs

Named cases here are drawn from the public record, with sources. Composites are built from several engagements and flagged as such. No client is identified.

PUBLIC RECORD

When automated accounting figures put people in prison

The Post Office Horizon system, built by Fujitsu for stocktaking and accounting, wrongly reported branch shortfalls from its 1999 rollout. The Post Office insisted the figures were reliable and prosecuted on them. The statutory inquiry found around 1,000 subpostmasters were wrongfully prosecuted on flawed system data; Volume 1 of the final report was published in July 2025.

Takeaway: an automated system that produces the numbers is not neutral. Without independent checks, error handling and the honesty to question the output, a machine-generated figure becomes a false fact people are held to.

PUBLIC RECORD

Controls that were disclosed but never fixed

On 29 January 2019 the SEC charged four public companies, Grupo Simec, CytoDyn, Lifeway Foods and Digital Turbine, for failing to maintain internal control over financial reporting across seven to ten consecutive annual periods. Each had disclosed the material weaknesses year after year but not remediated them, and paid civil penalties from 35,000 to 200,000 dollars.

Takeaway: disclosing a control weakness is not the same as governing it. When AI sits inside ICFR, naming the gap does not close it; a tested control with an owner does. The SEC line was blunt: companies cannot hide behind disclosures.

COMPOSITE

The reconciliation nobody could explain

Composite, built from several engagements and shaped by a lesson learned under NDA. A finance team adds an AI tool to reconcile a ledger and clear variances at the close. It works, so it spreads to other accounts with no inventory and no documented logic. A quarter later a figure moves and no one can explain how the model reached it, right as the certification is due.

Takeaway: the first control is not a policy. It is an inventory with a named owner and documented logic for every AI use in the numbers, so a figure can always be explained before the CFO signs, not after a regulator asks.

Composite lesson, no client identified

START HERE

Wherever You Are in the Decision

Three routes in, depending on where you've got to. Learn the rules, weigh the exposure, or move to a decision.

LEARN THE RULES

Getting oriented

New to how AI regulation lands on the finance function? Start with what statutory and regulatory reporting looks like when AI sits in the pipeline, and where SOX controls change once AI is in the numbers.

COMPARE YOUR OPTIONS

Weighing the exposure

Already scoping the problem? Look at where personal liability sits when AI touches the numbers, and what regulators expect in the audit trail before you commit to a tool.

READY TO ACT

Moving to a decision

Ready to govern it properly? Start with the risk register template, then book a conversation about the AI in your finance function and where governance reduces the most risk.

BY JURISDICTION

UK, US and EU: The Rules Are Not the Same

The same AI use in the numbers sits under different rulebooks depending on where it operates. We advise UK-first, and serve US and EU clients in English.

UK

Lead market. We advise UK-first.

  • Companies Act 2006: directors' duties to keep adequate accounting records and approve true and fair accounts
  • FRC: guidance on generative and agentic AI in audit, with the human auditor always accountable
  • ICO and UK GDPR: lawful basis, fairness and automated-decision rights over personal data in finance

US

Served in English.

  • SOX and the SEC: CEO and CFO personal certification of financial statements under Sections 302 and 906
  • ICFR: internal control over financial reporting, which any AI in the reporting chain sits inside
  • PCAOB: technology-assisted analysis standards AS 1105 and AS 2301, effective fiscal years from 15 December 2025

EU

Served in English.

  • EU AI Act: reporting automation usually outside high-risk, but credit scoring is high-risk under Annex III point 5(b)
  • Article 6(3): a narrow exemption for procedural, preparatory or work-improving AI that does not materially influence outcomes
  • GDPR: lawful basis, fairness and rights around automated decisions on personal financial data

FAQ

AI in the Finance Function: Questions Boards Ask

Straight answers on the rules that bite first, from who can sign the accounts to how SOX controls and the EU AI Act treat AI in reporting.

Can AI sign off financial statements?

No. A person signs, and that person keeps the liability. Under the Companies Act 2006, directors approve the accounts and a director signs the balance sheet on the board's behalf. Under the Sarbanes-Oxley Act, the chief executive and chief financial officer each personally certify the periodic report: a civil certification under Section 302, and a separate criminal certification under Section 906 that the report fairly presents the financial condition. AI can draft, reconcile, flag and calculate, but it cannot hold the legal responsibility that attaches to a signature. Govern the AI so the human who signs can stand behind what it produced.

Is AI in financial reporting high-risk under the EU AI Act?

Usually not by itself, but do not assume the exemption applies. The EU AI Act classes AI as high-risk only where it falls inside an Annex III use case. General accounting, bookkeeping and financial-reporting automation is not named there, so on its own it typically sits outside the high-risk tier. Two cautions. First, Article 6(3) only exempts a system that performs a narrow procedural task, improves completed human work, or does preparatory work, and only where it does not materially influence the outcome or profile people. Second, some financial AI does hit Annex III: creditworthiness assessment and credit scoring of natural persons is high-risk under point 5(b). Classification is per use case, not per department. We map each AI use in your finance function against Article 6 and Annex III so the call is documented, not assumed.

Who is liable when AI gets the numbers wrong?

The people who own the accounts, not the tool and not the vendor. Directors carry statutory duties under the Companies Act 2006 to keep adequate accounting records and approve accounts that give a true and fair view. Under SOX the CEO and CFO personally certify the filings, and a knowing false Section 906 certification carries fines up to 5 million dollars and up to 20 years in prison. A vendor contract does not transfer that accountability. This is why an AI error in reporting is a governance failure first and a technical failure second: the control that should have caught it, the review that should have questioned it, and the named owner who should have signed it off.

Does AI change SOX controls?

It changes what you have to control, not who is accountable. When AI sits inside a reporting process, it becomes part of your internal control over financial reporting, so it needs the same discipline as any other control: documented logic, tested outputs, evidence of review, change management and clear ownership. An AI model that drifts or produces an unexplained figure is a control deficiency waiting to be found. The certifying officers still sign under SOX Sections 302 and 906. We fold AI use cases into your ICFR framework so the control set covers them and the sign-off holds.

What does the FRC say about AI in audit?

The FRC has issued guidance for audit firms on using generative and agentic AI in engagements, the first from any audit regulator globally. Its core position: the technology can support audit quality, but regulatory accountability does not move. Firms and Responsible Individuals stay accountable for how AI tools are used and for the quality of the audit, and in line with auditing standards ultimate responsibility always rests with the human auditor. In the US the PCAOB has amended its standards on technology-assisted analysis (AS 1105 and AS 2301), effective for audits of fiscal years beginning on or after 15 December 2025, keeping the auditor responsible for judging data reliability and results. We help audit and finance teams put the human-oversight and evidence controls both regulators expect around any AI in the audit trail.

What does Responsible AI governance look like for a finance function or audit firm?

We work at three levels. Systems: an AI governance operating model your CFO, audit committee and controller can defend, mapping every AI use in reporting, controls and audit to the Companies Act, SOX and ICFR, FRC and PCAOB audit standards, the EU AI Act and GDPR. Strategy: an AI inventory across the finance function, a risk register scored by exposure, and a remediation roadmap tied to the SOX certification cycle and the PCAOB effective date. Execution: governance artefacts, control and bias reviews, vendor assessments, and where AI content sits in your marketing, answer engine optimisation engineered to compliance standard rather than gamed.

START HERE

Let's Discuss Responsible AI for Your Finance Function

A conversation about the AI in your reporting, controls and audit, and where governance will reduce the most risk before someone has to sign. No pitch decks. No proposals on the first call.

Request a Consultation