Notes from Arden.
Field research on SOX testing automation, ITGC and BPC controls, and where agentic AI fits inside audit workflows. Published when we have something worth saying.
- SOX Section 404(a), 9 min read
The Management Review Control Problem in Agentic SOX Testing.
[SEC Interpretive Release 33-8810](https://www.sec.gov/rules/interp/2007/33-8810.pdf) preserves the evaluator's judgment for a human and treats it as non-delegable. Agentic AI can prepare populations, apply rules, and draft exception write-ups, but the human review of the agent's output now becomes the operative Management Review Control under [PCAOB AS 2201](https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201). Vendors that blur this line ship inspection findings, not automation.
- SOX Section 404(a), 10 min read
Traceable AI Workpapers in SOX 404(a). The Three Things External Auditors Will Examine.
External auditors deciding whether to rely on AI-generated workpapers under [PCAOB AS 2201](https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201) examine three pillars: evidence lineage (where the data came from), reviewer evidence (what the human actually examined), and reproducibility (will the procedure produce the same answer again). [AS 1105](https://pcaobus.org/oversight/standards/auditing-standards/details/AS1105) governs evidence relevance and reliability, and a workpaper missing any pillar gets redone at the auditor's billing rate.
- Field notes, 8 min read
The Five Companies Actually Doing AI-Driven SOX Testing Automation in 2026.
Most "best AI for SOX" listicles mix four different layers of the stack, which makes them useless to a buyer. Only five vendors actually operate in the issuer-side AI testing and workpaper automation layer end to end: Arden, AuditBoard, Workiva, Fieldguide, and MindBridge. The rest sit beneath that layer in GRC systems of record, evidence collection, or access governance, and selecting them on the assumption they are equivalent is the most common procurement mistake under [SOX 404(a)](https://www.sec.gov/rules/interp/2007/33-8810.pdf).
- SSAE 18 (SOC 1 attestation standard), 11 min read
SOC 1 for AI Tools in the SOX Workflow. The Next Procurement Gate.
The moment a public company uses an AI tool to prepare workpapers the external auditor will rely on, that AI tool is a service organization under [AICPA SSAE 18](https://us.aicpa.org/research/standards/auditattest/ssae). The external auditor's reliance assessment under [PCAOB AS 2601](https://pcaobus.org/oversight/standards/auditing-standards/details/AS2601) requires a SOC 1 Type 2 report. SOC 2 covers security and is necessary, but it is not sufficient for SOX. Without a SOC 1, the audit team performs additional procedures or declines reliance.