Shakeel Hussain Khan FCA, CIA, CISA, CRISC
June 2, 2026 · 5 min read · SOX Compliance
How to Build a SOX RCM in 10 Minutes Using AI
A Risk and Control Matrix used to take a senior auditor 2–3 days per business process. With AI, the same output takes 10 minutes. Here's exactly how — with a real walkthrough on the Revenue Cycle.
The RCM (Risk and Control Matrix, sometimes abbreviated RACM) is the foundational document of any SOX programme. It maps financial statement line items to the risks that could cause misstatement, then to the controls that mitigate those risks. Every test you run traces back to it. Every deficiency you classify references it. It's the backbone of AS 2201 compliance.
It's also, traditionally, one of the most tedious documents in audit. I've seen teams spend 2–3 weeks building an RCM from scratch for a new client. Here's how to do it in 10 minutes.
What goes into a PCAOB-compliant RCM
Before we get to the AI prompts, understand what a complete RCM requires under PCAOB AS 2201. Each row should document:
- Financial Statement Line Item (FSLI) — the account or disclosure at risk
- Risk of Material Misstatement — what could go wrong (aligned to COSO assertions)
- COSO Assertion — Completeness, Accuracy, Valuation, Existence, Rights & Obligations, Cutoff, Presentation
- Control ID — unique identifier for tracking
- Control Description — what the control does, written in attribute form
- Control Type — Preventive vs Detective
- Control Nature — Manual, Automated, or IT-Dependent Manual
- Control Frequency — Daily, Weekly, Monthly, Quarterly, Annual, Ad hoc
- Control Owner — the person accountable
- Key Control? — Yes/No (key controls require ToE testing)
The AI shortcut: You provide the process name and a brief description of how it works. The AI generates all 10 fields for every risk-control pair — typically 15–25 rows for a standard financial process — in under 60 seconds.
Step-by-step: Revenue Cycle RCM in 10 minutes
Step 1 (2 minutes): Describe your revenue process to the AI
In the AssurAI SOX module, open the RCM Builder tool. Paste a brief process description. It doesn't need to be perfect — 3–4 sentences is enough to generate a comprehensive RCM.
"Our company recognises SaaS subscription revenue under ASC 606.
Customers sign contracts, we create the subscription in Salesforce,
which syncs to NetSuite. Revenue is recognised monthly on a straight-line
basis over the contract term. Invoices are generated automatically.
Sales team has quota, so there's pressure at quarter-end.
About 10% of contracts include variable consideration (usage-based fees)."
Step 2 (30 seconds): AI generates the full RCM
The AI identifies the key FSLIs, maps risks to COSO assertions, and generates control descriptions — including the attributes each control must demonstrate (who, what, when, how often, what happens with exceptions).
Here's a sample of what the output looks like for just the revenue recognition section:
| FSLI | Risk | Assertion | Control | Type | Nature | Frequency | Key? |
|---|---|---|---|---|---|---|---|
| Revenue | Revenue recognised before performance obligation satisfied | Cutoff / Accuracy | Controller reviews deferred revenue roll-forward monthly; investigates variances >$50K | Detective | Manual | Monthly | Yes |
| Revenue | Contracts with variable consideration misstated | Completeness / Valuation | System automatically identifies usage-based contracts; VP Finance approves variable fee calculation before period close | Preventive | IT-Dependent Manual | Monthly | Yes |
| AR | Fictitious or duplicate invoices inflating revenue | Existence / Occurrence | NetSuite system controls prevent duplicate invoice numbers; AP Specialist runs duplicate invoice report weekly | Preventive + Detective | Automated + Manual | Weekly | Yes |
Step 3 (5 minutes): Review, adjust, and fill in owners
The AI typically generates 18–25 rows. Review each for accuracy — the risk descriptions and control attributes are usually 85–90% correct out of the box. Add the specific owner names and control IDs, and mark any controls that don't exist yet (the AI flags these as "gaps").
Step 4 (2 minutes): Export to Excel or Word
One click exports the full RCM in the format your external auditors expect — formatted Excel with all 10 fields, or a structured Word document with your company header already populated from Brand Settings.
Common mistakes to avoid
Even with AI, there are common RCM errors that will get flagged in external audit review. The most frequent ones I've seen:
- Controls without attributes. "CFO reviews revenue monthly" is not a control description. "CFO reviews the revenue recognition summary report monthly, investigates items >$25K, and documents her review via sign-off on the report" is a control description.
- Detective controls marked as key without a compensating preventive. If a quarterly detective review is your only key control for a high-risk assertion, external auditors will push back. You need preventive controls too.
- Missing IPE validation. Every report your control relies on needs to be documented as an IPE (Information Produced by the Entity) with completeness and accuracy validated. The AI flags these automatically — don't ignore them.
- Frequency mismatches. A monthly control can't mitigate a risk that could occur daily. Match your control frequency to the speed at which the risk could materialise.
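As an added example (not part of this post or of the AssurAI tool), here is a small Python checker that applies these four common-mistake rules to RCM rows before they go to the external auditor. It assumes two extra columns the 10-field layout above does not have (a risk frequency and an IPE-validated flag), and the sample rows are constructed from the revenue-cycle table.

```python
import re
from dataclasses import dataclass

# Control frequencies, fastest to slowest; "Ad hoc" has no cadence and is left unranked.
FREQ_RANK = {"Daily": 1, "Weekly": 2, "Monthly": 3, "Quarterly": 4, "Annual": 5}

@dataclass
class Control:
    control_id: str
    fsli: str
    assertion: str
    description: str
    ctype: str               # "Preventive", "Detective" or "Preventive + Detective"
    frequency: str
    key: bool
    risk_frequency: str      # assumed extra column: how fast the risk could materialise
    ipe_validated: bool = False  # assumed extra column: report validated as IPE (C&A)

def attribute_gaps(c):
    """Mistake 1: a description must state a cadence, an investigation threshold and review evidence."""
    checks = {"cadence": r"\b(daily|weekly|monthly|quarterly|annual(ly)?)\b",
              "threshold": r">\s*\$?\d",
              "evidence": r"sign-?off|signs off|documents|retains"}
    return [name for name, pat in checks.items() if not re.search(pat, c.description, re.I)]

def review_rcm(controls):
    """Apply the page's four common-mistake checks; returns {control_id: [finding, ...]}."""
    preventive_cover = {(c.fsli, c.assertion) for c in controls if "Preventive" in c.ctype}
    findings = {}
    for c in controls:
        f = [f"missing attribute: {g}" for g in attribute_gaps(c)]
        if c.key and c.ctype == "Detective" and (c.fsli, c.assertion) not in preventive_cover:
            f.append("key detective control with no preventive control on the same risk")  # mistake 2
        if re.search(r"\breport\b", c.description, re.I) and not c.ipe_validated:
            f.append("relies on a report without IPE validation")  # mistake 3
        if FREQ_RANK.get(c.frequency, 0) > FREQ_RANK.get(c.risk_frequency, 9):  # unranked never fails
            f.append(f"{c.frequency} control cannot mitigate a {c.risk_frequency} risk")  # mistake 4
        if f:
            findings[c.control_id] = f
    return findings

# Constructed sample rows modelled on the page's revenue-cycle table (not the tool's output).
SAMPLE = [
    Control("REV-00", "Revenue", "Cutoff / Accuracy", "NetSuite posts revenue schedules daily from contract "
            "dates; Revenue Accountant approves each schedule, investigates exceptions >$10K and signs off",
            "Preventive", "Daily", True, "Daily"),
    Control("REV-01", "Revenue", "Cutoff / Accuracy", "Controller reviews the deferred revenue roll-forward "
            "report monthly; investigates variances >$50K and signs off", "Detective", "Monthly", True, "Monthly", True),
    Control("REV-02", "Revenue", "Cutoff / Accuracy", "CFO reviews revenue monthly", "Detective", "Monthly", True, "Daily"),
]
```

Running `review_rcm(SAMPLE)` returns findings only for REV-02: no threshold, no review evidence, and a monthly control against a daily risk.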
What this means for your SOX programme
A full SOX programme for a mid-sized company typically covers 8–12 business processes. At the traditional pace — 2–3 days per process RCM — that's 3–4 weeks of senior auditor time just for the RCM phase. With AI, it's an afternoon.
That's not a marginal improvement. That's a fundamental reallocation of where your team's time goes — from building documentation frameworks to reviewing and exercising judgement on AI-generated output. The documentation is still there, still PCAOB-compliant, still auditor-ready. It just took 10 minutes instead of two weeks.
If you're building your first SOX RCM — for a pre-IPO company or a new engagement — this is where to start. Open the AssurAI SOX module, describe your revenue cycle, and see what you get. The first RCM usually surprises people.
Want to try this yourself? The RCM Builder is available in the AssurAI SOX module — free to start.