Your AP Agent Is Approving Invoices. What Happens When Your Auditor Asks How?
Sigmodx, May 19, 2026, 6 min read
A finance team deploys an AI agent to approve invoices in accounts payable. Within a quarter, straight-through processing rises and average cycle time falls. The controller reports the win to the audit committee.
Then the external auditors arrive for the annual SOX walkthrough. The lead asks for documentation of the control over AI-driven invoice approvals. The team pulls reports from the AP platform. The auditor studies them and asks a follow-up: how do you prove these records were not changed after the agent acted?
Most teams pause at that question. The efficiency metrics are real. The control evidence is not.
What the auditor is looking for
The PCAOB's amendments to AS 2201 and AS 2101 take effect for fiscal years beginning on or after December 15, 2026. Large-firm methodology updates in 2026 train engagement teams to test AI-touched controls with the same rigor as traditional application controls, not as informal IT general controls. COSO published guidance in February 2026 on generative AI and internal control over financial reporting.
Against that backdrop, the auditor wants four answers in prose, not as a checklist slide. First, what data did the agent see at decision time. Second, what did it decide and why. Third, who reviewed the agent's work and on what basis. Fourth, can the organization prove the record has not been altered since it was written.
That fourth answer is where many implementations fail. A read-only flag on a database row is not tamper evidence. Tamper evidence means the infrastructure rejects update and delete operations after insert, and a cryptographic hash binds the record so any change is detectable without trusting the application's goodwill.
The gap in standard AP tools
Most AP automation platforms log transactions. The logs exist in tables the vendor or the customer can modify. A privileged database user can change a row. A backup restore can rewrite history. The auditor cannot independently verify that the log the team exports today matches what existed on the approval date.
COSO's view of an effective audit trail for automated controls requires that the trail be non-editable, capture inputs and outputs, and support reconstruction of what the system acted on. Platforms built for throughput often treat logging as operational telemetry, not as control evidence. That design choice was tolerable when auditors rarely asked about autonomous approval. The question is now routine.
Data custody adds a second gap. Tools that ingest invoice PDFs or line-level detail into a vendor cloud create a third-party custody obligation. For SOX purposes, the organization must explain where financial data lived, who could access it, and how retention and deletion were governed. Finance teams frequently discover that obligation only when the auditor's IT specialist requests the subprocessors list.
What the audit record needs to contain
A CFO evaluating readiness should expect four artifacts, each with a distinct job.
The input fingerprint is a SHA-256 hash of the data the agent consumed before deciding. It is not a copy of the invoice. It is proof that specific inputs were used, while the invoice stays inside the company's environment. Auditors verify the hash against a reproduction procedure; they do not need the underlying document in the audit platform.
The decision record captures decision type, amount, vendor reference, and the agent's rationale at the moment of the decision. Reconstruction from payment files weeks later is not equivalent. The record must exist when the decision is made.
The reliability signal shows how the organization monitors agent quality over time. A supervisor reviews a sample of decisions each period and records agreement or disagreement. That agreement rate feeds a state such as allow, limit, or block. One-time model validation before go-live does not satisfy a recurring automated control.
The attestation is a period-end cryptographic summary of decisions in scope. It yields a verification string an auditor can check independently, without accessing raw invoice content in the auditor's systems.
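The four artifacts above as an added worked example in Python, written for this post and not Sigmodx's code or any product API. The fingerprint and decision record are SHA-256 over canonical JSON; the allow/limit/block thresholds, the record fields and the attestation string format are assumptions chosen for illustration.

```python
import hashlib
import json

# Constructed sample inputs: what the agent saw at decision time (the PDF itself stays in-house)
# and one period's supervisor sample review with one disagreement in ten.
SAMPLE_INVOICE = {"vendor_ref": "V-1001", "invoice_no": "INV-7731", "amount": 1250.0,
                  "po_match": True, "line_items": [{"sku": "A-10", "qty": 5, "unit": 250.0}]}
SAMPLE_REVIEWS = [{"item": i, "agrees": i != 3} for i in range(10)]

def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON, so identical content always yields the same digest."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def input_fingerprint(invoice: dict) -> str:
    """Artifact 1: proves which inputs were used without copying the invoice anywhere."""
    return canonical_hash(invoice)

def decision_record(invoice: dict, decision: str, rationale: str, decided_at: str) -> dict:
    """Artifact 2: written at decision time, bound to its inputs by the fingerprint, sealed by its own hash."""
    rec = {"input_fingerprint": input_fingerprint(invoice), "decision": decision,
           "amount": invoice["amount"], "vendor_ref": invoice["vendor_ref"],
           "rationale": rationale, "decided_at": decided_at}
    rec["record_hash"] = canonical_hash(rec)
    return rec

def verify_record(rec: dict) -> bool:
    """Detects any edit to a record's fields after it was sealed."""
    return canonical_hash({k: v for k, v in rec.items() if k != "record_hash"}) == rec["record_hash"]

def reliability_state(reviews: list, allow_min: float = 0.90, limit_min: float = 0.75) -> tuple:
    """Artifact 3: agreement rate from the period's sample review, mapped to allow / limit / block.
    Thresholds are assumed; the post only names ten percent disagreement as a remediation trigger."""
    if not reviews:
        return 0.0, "block"  # no review evidence this period: the agent does not run unsupervised
    rate = sum(1 for r in reviews if r["agrees"]) / len(reviews)
    return rate, "allow" if rate >= allow_min else "limit" if rate >= limit_min else "block"

def period_attestation(records: list, period: str) -> str:
    """Artifact 4: verification string over record hashes only, so an auditor can recompute it from
    a decision-log export without holding any invoice content. `period` must not contain ':'."""
    hashes = sorted(r["record_hash"] for r in records)
    digest = canonical_hash({"period": period, "count": len(hashes), "record_hashes": hashes})
    return f"{period}:{len(hashes)}:{digest}"

def verify_attestation(records: list, attestation: str) -> bool:
    """The auditor's check: recompute from the supplied records and compare."""
    period = attestation.rsplit(":", 2)[0]
    return period_attestation(records, period) == attestation
```

The attestation only proves which record hashes were in scope; a record whose fields were edited while its stored hash was left alone is caught by verify_record, so an auditor needs both checks.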
The human oversight requirement
PCAOB guidance on automated controls expects evidence that humans remain in the loop for financial reporting risks. For an invoice approval agent, two practices matter in operation.
The first is a structured sample review. A named supervisor reviews a defined sample, records judgment on each item, and stores that assessment in the same immutable store as agent decisions. The review is not a spreadsheet maintained outside the system of record.
The second is a gate for material amounts. Invoices above a documented threshold should require explicit human approval before payment executes. That approval carries timestamp, approver identity, and reason. Like agent decisions, it must be immutable once recorded.
Three things to do before your next audit
Verify immutability at the database layer. Ask engineering to demonstrate that an update or delete on a decision row is rejected by the database, not only blocked in application code. If the demonstration fails, treat the control as deficient until it passes.
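An added example of the demonstration this step asks for, in Python with SQLite; it is illustrative and not Sigmodx's infrastructure. Triggers make the database itself reject UPDATE and DELETE, and a per-row SHA-256 chain makes any bypass (dropped triggers, restored backup) detectable, which is the tamper-evidence definition the post gives earlier. The schema, column names and chain layout are assumptions.

```python
import hashlib
import json
import sqlite3

# Assumed schema for an append-only decision log (illustration, not any vendor's product): the
# triggers make the database itself refuse changes to history instead of trusting application code.
SCHEMA = """
CREATE TABLE agent_decision (
    id INTEGER PRIMARY KEY, decided_at TEXT NOT NULL, decision TEXT NOT NULL,
    amount REAL NOT NULL, vendor_ref TEXT NOT NULL, rationale TEXT NOT NULL,
    prev_hash TEXT NOT NULL, row_hash TEXT NOT NULL);
CREATE TRIGGER no_update BEFORE UPDATE ON agent_decision BEGIN SELECT RAISE(ABORT, 'append-only'); END;
CREATE TRIGGER no_delete BEFORE DELETE ON agent_decision BEGIN SELECT RAISE(ABORT, 'append-only'); END;
"""
FIELDS = ("decided_at", "decision", "amount", "vendor_ref", "rationale", "prev_hash")
GENESIS = "0" * 64  # prev_hash of the first row

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def row_hash(values: dict) -> str:
    """Binds every field plus the previous row's hash into one SHA-256 digest (a hash chain)."""
    data = json.dumps({k: values[k] for k in FIELDS}, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()

def append_decision(conn, decided_at, decision, amount, vendor_ref, rationale) -> int:
    """Insert is the only write the table accepts; amount is stored as float so the hash is reproducible."""
    last = conn.execute("SELECT row_hash FROM agent_decision ORDER BY id DESC LIMIT 1").fetchone()
    values = {"decided_at": decided_at, "decision": decision, "amount": float(amount),
              "vendor_ref": vendor_ref, "rationale": rationale, "prev_hash": last[0] if last else GENESIS}
    values["row_hash"] = row_hash(values)
    cur = conn.execute("INSERT INTO agent_decision VALUES (NULL, :decided_at, :decision, :amount, "
                       ":vendor_ref, :rationale, :prev_hash, :row_hash)", values)
    conn.commit()
    return cur.lastrowid

def update_is_rejected(conn, row_id: int, new_amount: float) -> bool:
    """The demonstration to ask engineering for: the database, not the app, refuses the change."""
    try:
        conn.execute("UPDATE agent_decision SET amount = ? WHERE id = ?", (new_amount, row_id))
        conn.commit()
        return False
    except sqlite3.DatabaseError:  # RAISE(ABORT) in the trigger surfaces as an IntegrityError
        conn.rollback()
        return True

def verify_chain(conn) -> bool:
    """Recomputes every hash and link; catches edits made after dropping the triggers or restoring a backup."""
    expected_prev = GENESIS
    for *vals, stored in conn.execute(f"SELECT {', '.join(FIELDS)}, row_hash FROM agent_decision ORDER BY id"):
        values = dict(zip(FIELDS, vals))
        if values["prev_hash"] != expected_prev or row_hash(values) != stored:
            return False
        expected_prev = stored
    return True
```

A privileged user who can drop the triggers can still write to the table, which is why the chain check belongs in the auditor's walkthrough alongside the rejected update.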
Establish a reviewer workflow with a fixed sample size each period. Compute agreement rate between agent decisions and reviewer judgment. If disagreement exceeds ten percent on a recurring basis, remediate before the auditor samples the same population.
Document the agent methodology in a versioned memo. State approval rules, escalation triggers, and block conditions. Auditors will request it. An undocumented model is a documented deficiency.
Closing the loop
The team that instrumented its AP agent with an immutable decision log, hashed inputs, human review records, and a period attestation can walk an auditor through the control in a single working session. The team that relied on platform logs alone often receives a deficiency. It may not rise to a material weakness, but it requires remediation, retesting, and follow-up in subsequent years until closed.
Sigmodx provides audit trail infrastructure for AI agents in financial workflows, including the invoice approval scenario described here. Pilot access for Q3 2026 is listed at sigmodx.com/enterprise.