1. The Profession Question
Cristiano:
Let’s address the elephant in the room: if SOX becomes truly AI-driven, are we looking at a structural reduction of Internal Audit roles over the next few years — or a fundamental redesign of the profession?
To be specific, what percentage of today’s IA/SOX activities do you realistically see automated within the next 24–36 months?
Kieran:
The most likely scenario is broadly a contraction followed by an expansion. This will be driven by the lag time it requires to shift resources away from manual testing processes and toward other activities.
The first-order impacts of AI on IA activities are clear – the amount of time it takes to do low-complexity, well-defined, repetitive tasks has gone way down. Whilst there are still rough edges on today’s product offerings, the jury is in on how transformative AI agents are for activities like drafting test workpapers, documenting control walkthroughs, and pulling and formatting audit evidence from source systems. To put it plainly, this is going to reduce demand for human hours required for these activities.
The second-order impacts are the more interesting. As that demand goes down, is there latent demand for other activities that will soak up the new capacity? Our bet is a resounding yes. After speaking to hundreds of internal audit leaders, the message from them is unambiguous – their teams are limited by these activities, not justified by them. Whilst some describe their non-SOX wish lists, many of them have a laundry list of SOX items they want to make far more rigorous. Scoping, risk mapping, ITGC coverage, and entity-level control assessments all suffer from teams being bogged down by manual activities. Then there is the guidance from the PCAOB and others. With new capacity, the standards are likely to increase to soak up some of that new capacity.
In terms of putting a percentage on it – I think 50-70% of testing hours are automatable within 12 months. But that’s the easy part. The harder question is what happens to the other stages of the lifecycle, and there I think the timeline is meaningfully longer.
The reason is that current AI models are fundamentally restricted to a very small slice of reality at any one time. Until that changes, having humans who can synthesize very broad contexts about a company’s control environment will be required to act as the coordinator for the AI agents performing their narrow tasks. Our bet is that this constraint holds for the foreseeable future, which is exactly why the human coordinator role becomes more valuable, not less.
To end with an analogy from the software engineering world, which is at the absolute forefront of innovation in applying AI to workflows, the most impacted role has been the junior engineer. Senior engineers have become 10x more productive in a very meaningful way. That has in the short term certainly impacted some roles, but we are already seeing that capacity being soaked up by companies looking to build more specific features that would not have been previously economically viable.
2. AI Capabilities vs. Human Judgment
Cristiano:
If we break down a typical SOX lifecycle — risk assessment, walkthroughs, control design evaluation, testing, remediation, and reporting — where does AI genuinely outperform humans today?
Where do you believe AI will still struggle five years from now?
Can AI meaningfully assess elements such as management bias, control intent, or tone at the top — or are those still inherently human judgments?
Kieran:
AI will broadly outperform humans today at well-defined, closed-world tasks. A well-defined task is one where the outcome criteria are unambiguous. I like to think of it this way: imagine giving the task to 100 people. If 99+ of them give you back the same answer, it’s likely a well-defined task. Closed-world tasks are those where the total set of relevant data is known and finite. For example, recalling canonical facts about Harry Potter requires only the full text of all books. Conversely, recalling all facts about Daniel Radcliffe requires both an unknown and functionally infinite set of information – all things written about him anywhere on earth.
Testing is the stage that most squarely fits into this definition today and that is why we started there. The inputs are known, the pass/fail criteria are defined, and the evidence lives in a finite set of systems. The other stages (risk assessment, walkthroughs, reporting) all have components that fit the definition, but each of them also contains open-ended, judgment-heavy work that doesn’t. The further upstream you go in the SOX lifecycle, the more ambiguity you hit, and the less cleanly AI can own the task end to end.
On the current trajectory, this assessment is unlikely to change much in the next five years. Agents will own most of test execution, but humans will be required to bridge the gap between the context the agents have and the reality on the ground.
For management bias, tone at the top, control intent, this is one area where the plausibility of AI answers can be dangerous. The task itself is not well defined, but an LLM can give you an answer that looks a lot like a meaningful assessment. The problem is that assessing whether that output is actually grounded in reality is just as laborious as performing the assessment yourself. So you haven’t saved any time, you’ve just introduced a new failure mode where teams might accept a confident-sounding answer that nobody actually validated.
3. Career Positioning in an AI-Enabled Environment
Cristiano:
If you were advising three different professionals:
• A college student entering IA/SOX
• A junior auditor with 2–3 years of experience
• A seasoned Head of Internal Audit/SOX
What specific skills should each develop over the next five years to remain highly relevant in an AI-enabled SOX environment?
Kieran:
As should be clear from my previous answer, there are very few work tasks that fit the criteria of being well defined and closed world. Therefore, the primary skill in working with AI models is the ability to construct tasks in such a way that they are as well-defined and closed world as possible.
There are really two paths for anyone looking to accelerate with AI in this fashion.
One is to become the expert. In an audit context, this means becoming the person who knows a specific domain, say revenue recognition controls or ITGC for a particular ERP, so deeply that you can spot where an AI agent’s output is wrong before anyone else can. The kind of knowledge that’s too specialized, too fragmented, or too fast-moving to be reliably captured in training data.
Another is to become the manager. Keeping a strong, generalist skill set that means you are able to act as the coordinator for a fleet of task-specific AI agents.
For the college student, they really have the choice between the two. If they are extremely passionate about particular technical aspects of the role, they can double down on those and become the SME. If they want to take the manager route, they should resist the urge to specialize early and instead build fluency across controls, systems, accounting, and data. Enough to quality-check any AI output and know which questions to ask next. Concretely, that means rotating across as many audit areas as possible in their first few years rather than settling into one workstream.
The junior auditor should be doing the same thing but from the opposite direction. They already have domain depth, so now they need to develop the skill of breaking their own workflows into delegable components. Every time they do something repetitive, they should be asking “how would I hand this to an AI agent and verify the result?”
The Head of IA/SOX needs to think one level up. Their value in five years isn’t in the testing or even in the methodology. It’s in interpretation, stakeholder communication, and connecting control findings to enterprise risk. The more AI handles execution, the more the senior role becomes about judgment, influence, and strategy. None of which are well-defined or bounded.
As for Python, data science, and AI governance: none of those are bad to learn, but they’re not the differentiator. The differentiator is the ability to look at a messy, ambiguous audit problem and systematically carve it into pieces that AI can handle and pieces that require human judgment.