The Law That Outlived Its Villain
Brief History of Why We Can't Have Nice Things
Scene: 2002. WorldCom had inflated earnings by $11 billion. Enron, once the seventh-largest company in America, had filed for bankruptcy after hiding debt in special purpose vehicles that its auditor, Arthur Andersen, signed off on and then helped conceal by shredding documents. Tyco's CEO was personally looting the company for hundreds of millions. Congress needed to be seen doing something.
Senator Paul Sarbanes and Representative Michael Oxley produced the most consequential financial regulation in a generation. The vote was 423-3 in the House, 99-0 in the Senate. A Republican president who had campaigned on deregulation signed it. That's how badly things had gotten.
SOX created the PCAOB to oversee the auditors, required CEO and CFO personal certifications with criminal penalties for false attestations, mandated independent audit committees, barred audit firms from selling most consulting services to their own audit clients, and imposed Section 404's internal-control reporting. For a while, it worked. Restatements declined. Audit quality improved. The Arthur Andersen approach to independence was declared over.
That was 23 years ago.
What's Changed (Almost Everything)
The law was written to address a specific problem: human executives at human companies making deliberate decisions to falsify records, enabled by compliant human auditors who were too cozy to say no. Section 302 puts a human name on every financial statement. Section 404 creates a documented trail of human-operated controls.
Human. Human. Human.
Now walk into a modern enterprise finance function and try to find those humans. Automated workflows are processing vendor payments based on rules defined months ago by someone who may have since left the company. Revenue recognition algorithms run continuously across SaaS contracts at speeds and volumes no human reviewer could track.
The law hasn't changed. The companies it governs have changed almost entirely.
The 'Reasonable Assurance' Problem
Section 404(a) requires management to assess and report on the effectiveness of internal control over financial reporting, which the SEC's implementing rules define as a process that provides "reasonable assurance regarding the reliability of financial reporting." Reasonable, not absolute. A standard designed to be flexible.
The problem is that the profession's interpretation of "reasonable assurance" was forged in 2003-2005, during the first brutal wave of SOX implementation, when companies were producing literal binders of sub-certifications just to comply. The frameworks solidified. The checklists hardened. COSO's integrated framework (the 1992 version then, the 2013 update since) became the gold standard, built around human process flows that reflected how businesses operated at the time.
Half of all businesses currently need some degree of SOX modernization, according to practitioner estimates. Not because the underlying law is wrong, but because the control frameworks were designed for a business environment that no longer exists. Controls built around "a human reviews and approves this transaction" break down the moment that process is automated. The financial reporting risk didn't disappear. It migrated to places the existing control framework wasn't designed to see.
Why You Shouldn't Touch the Law
Here's the counterintuitive argument: the law is probably fine. The implementation framework is what's broken.
The language of Section 404 is genuinely flexible enough to accommodate modern business environments; "reasonable assurance" can be interpreted to require governance over AI-driven processes the same way it covers human-driven ones. The deeper concern is what happens when you open the law up for revision in the current political environment.
SOX passed 99-0 in the Senate during a crisis. The same bill today would be a partisan fight. Every deregulatory interest that's spent 23 years chafing at Section 404 would be at the table. Sometimes "don't touch it" is the right answer not because the thing is perfect, but because you can't control what you'd get in return.
What Actually Needs to Happen
COSO just released updated guidance on AI-driven processes. Step 1 complete. The next steps: The PCAOB needs inspection focus on how firms are evaluating IT general controls in cloud-native, AI-augmented environments. Management needs to treat AI governance as a Section 404 obligation, not a separate IT risk exercise.
A control isn't just a human doing a review. A control is any mechanism providing reasonable assurance that a financial reporting objective will be achieved. An AI system that executes journal entries can be a controlled process, if the governance around it is designed, documented, and tested with the same rigor applied to human approval workflows.
Most companies haven't done that work. The villain changed. The problem is the same.
Brian Kuenzi is a leader in the finance and technology space. Brian's experience spans SOX and Audit leadership, finance transformation, process automation, and business operations across both consulting and in-house leadership roles. You can learn more about Brian on LinkedIn.
These are the opinions of the editors of Internal Audit Next and/or the writer who authored this article. Any use of this copyrighted material without permission of Internal Audit Next - including training for AI Models - is prohibited. Copyright 2026.