< K-SoX in the age of AI: Leading Changes from Formality to Practicality >

Yeohyun Yoon, Partner, Samil PwC
1. Formalized K-SoX, and the Turning-Point Through AI
Despite its essential purpose, K-SoX is rapidly becoming formalized in the market, with many companies viewing it merely as a ‘response for External Auditors’. In many cases, the focus is more on external elements such as documentation and formal approvals than on the fundamental purpose of verifying effectiveness.
The full-scale introduction of AI is expected to bring significant changes to K-SoX. Through this, companies will be able to move beyond formality and implement practical risk management while improving efficiency.
2. How can AI Innovate Current K-SoX Practices?
The changes AI will bring are immense, and most K-SoX components can be enhanced through AI.
- Automation and Consistency in Evaluations - By introducing AI into control test procedures (sample extraction, evidence check, documentation), processes from test planning and sampling to evidence review and reporting can be automated, leading to improvements in consistency and quality.
- Advanced Risk Assessment, Design and Analysis - Control design and process analysis were mostly dependent on interviews and limited samples. AI technology using data analysis makes detailed control design and evaluation possible.
- Continuous Monitoring and Proactive Response - There is a limit to finding control failures or violations through regular evaluation alone. AI can analyze numerous events and transactions occurring within the system in real-time, and detect abnormal patterns or exceptional cases early on.
3. AI, New Risks Generated by New Infrastructure
It is certain that AI will be in all aspects of a company’s strategies, operations, and management.
By combining this infrastructure with the company’s domain expertise and user experience, the company’s operation and workflow are expected to change dramatically and bring new opportunities alongside new risks.
Deep consideration is needed to successfully apply AI innovation, especially in the areas below:
- AI Strategy and Roadmap - K-SoX is the company’s domain for Financial Reporting and Compliance. It should be aligned with the company-wide AI strategy and roadmap.
- Capabilities - New capabilities are needed to lead and execute AI innovation, and users must clearly understand the characteristics and limitations of AI.
- Operating Model - The operating model for maximizing productivity and efficiency in an AI environment differs from past models and introduces new risks. An impact analysis of AI introduction must be carried out to mitigate new risks.
- Data - Data governance, architecture and quality significantly determine AI performance. Various data related to internal controls and document quality may emerge as new risk factors.
- Application and Extension - The major premise of risk management is similar. In an AI environment, know-how accumulated within internal accounting can be expanded to a broader scope.
In addition to infrastructure-related risks, new risks can arise while operating K-SoX, and the company needs to reasonably predict and respond to these challenges. The main areas are AI model explainability, human review of AI outputs, data quality and security.
4. Less work & More insights
There are many concerns about jobs disappearing due to AI. Rather than replacing people, AI serves as an assistant that enables individuals to focus on their ‘fundamental roles’ across various areas, including K-SoX.
If we achieve efficiency through AI, we can more comprehensively and accurately identify risks that may harm our business strategies, proactively respond to unconventional situations like M&A, and focus on designing a culture and structure that internalizes controls within an organization. The changes we are expecting do not represent ‘job losses’, but rather a ‘shift in work priorities’.
5. Conclusion
AI is driving fundamental innovation in various business domains, and risk management and compliance are no exception. Companies should not approach it as a simple tool, but should redesign their structures to incorporate AI-based risk management strategies, a responsibility table, and human-based decision-making processes.
