Agentic controls monitoring for every posted GL transaction.
SOX 404. Segregation of duties. Period-end manipulation. System account abuse. Each control failure has a distinct signal, a distinct regulatory consequence, and a distinct remediation path. FinGuard™ Core evaluates every GL transaction against a COSO-grounded rule library — in real time, with a complete audit trail, and with the escalation controls that CFOs and external auditors require.
Financial exposure: Organizations with material weaknesses trade at a 7–10% equity discount and face median remediation costs of $4.4M per restatement.[1,2]
Solution tailored to your stack: IBM · GCP · AWS · Azure · Snowflake · Databricks — detection logic invariant, infrastructure adapted to your ERP environment
Executive summary
The PCAOB reported that 35% of audits reviewed in 2023 contained deficiencies in internal control testing — the highest rate in a decade, with internal control over financial reporting the leading deficiency category for the third consecutive year.[3] The Association of Certified Fraud Examiners estimates organizations lose 5% of annual revenue to occupational fraud, with financial statement fraud producing median losses of $766,000 per scheme and a median detection lag of 16 months.[4] More than half of all asset misappropriation schemes are executed through the general ledger — the same system that ERP platforms treat as an unquestioned record of truth.
Existing controls are largely designed as period-end reviews: a human or a rules engine examines transactions after the fact, against thresholds set at implementation and rarely revisited. FinGuard™ Core replaces that model with continuous, event-driven monitoring. Every GL posting triggers an ML anomaly score, followed by a three-agent AI investigation pipeline that classifies the exception, assesses materiality against configurable thresholds, and routes to the appropriate control owner — with a complete audit trail on every decision, before the period closes.
01
The detection gap is timing, not coverage. Most SOX 404 controls identify exceptions after the period closes — when remediation is reactive and restatement risk is already present. Real-time GL monitoring moves detection from post-period review to intra-period intervention, while evidence is still available and transactions can still be reversed.
02
Every exception maps to a named COSO principle and regulatory citation. Each detection scenario traces directly to the governance framework that mandates it — creating a fully citable exception record for audit committee discussions and external auditor review.
03
The solution is shaped by the client's ERP environment — not the other way around. FinGuard™ Core operates alongside SAP, Oracle, or any ERP that exposes GL transaction events. Platform selection follows from the problem — never before it.
The problem
Three control failure categories. One monitoring gap.
GL fraud and control failures concentrate in three structural areas: access and segregation failures, period-end behavioral anomalies, and system-level integrity events. Traditional ERP controls address each retrospectively and in isolation. The monitoring gap is real-time detection across all three simultaneously — before the period closes, while evidence is still available and remediation is still possible.
5%
Estimated annual revenue loss to occupational fraud. Financial statement fraud schemes produce median losses of $766,000 — with a median detection lag of 16 months, more than a full fiscal year after the control failure began.[4]
ACFE Report to the Nations, 2024
35%
PCAOB audit deficiency rate in 2023 — the highest in a decade. Internal control over financial reporting was the leading deficiency category for the third consecutive year, cited across all firm sizes and geographies in Part I.A findings.[3]
PCAOB 2023 Annual Inspection Findings Report
$4.4M
Median direct cost of a financial restatement — excluding equity discount, litigation exposure, and executive accountability consequences under SOX Section 304 clawback provisions. Organizations with disclosed material weaknesses trade at a sustained 7–10% equity discount.[1,2]
Proportion of asset misappropriation schemes involving an employee who circumvented access controls that existed on paper — controls present in policy documentation but never monitored continuously in the system that executes the transactions.[4]
ACFE Report to the Nations, 2024
Access & segregation failures
COSO · Control Environment
Segregation of duties violations — the same user posting and approving a transaction — are the single most common SOX 404 material weakness finding. Terminated employee access persisting beyond offboarding, and MFA bypassed on privileged accounts, are the compounding failure modes. The ACFE finds 38% of asset misappropriation schemes involve access controls that existed on paper but were never monitored in real time. Detection in these cases averages 12 months from first occurrence.[4]
Manual journal entries posted in the final days before period close are the primary vehicle for earnings management and revenue recognition manipulation. Split postings structured below individual approval thresholds and off-hours postings outside documented business controls are the operational signatures of period-end pressure. SEC Staff Accounting Bulletin 99 defines the materiality framework that governs how these events must be assessed and disclosed.[5]
Restatement exposure · SEC inquiry trigger · PCAOB AS 2401
System-level integrity events
PCAOB · IT General Controls
System account postings outside authorized maintenance windows are the primary indicator of unauthorized ERP configuration access or privilege escalation. An ERP configuration change on the same day as an unusual posting is a compounded ITGC signal — a pattern no period-end review detects until the damage is done. PCAOB AS 2201 requires documented and tested controls over system access and change management at every ICFR audit.[6]
ITGC deficiency · PCAOB AS 2201
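The signatures described in the three categories above can be written as rules evaluated over GL postings. The following is an added illustration, not FinGuard™ Core code or its rule library; the field names, approval limit, business hours, maintenance window, and period-end date are assumptions, and the sample postings are constructed.

```python
from collections import defaultdict
from datetime import date, datetime, time

# Assumed parameters (illustrative; not taken from the page or any product).
APPROVAL_LIMIT = 10_000             # single-approver threshold, USD
BUSINESS_HOURS = (time(7), time(19))
MAINT_WINDOW = (time(1), time(3))   # authorized window for system accounts
PERIOD_END = date(2024, 3, 31)
CLOSE_DAYS = 3                      # "final days before period close"

# Constructed sample postings.
FIELDS = ("id", "ts", "user", "approver", "acct", "amt", "manual", "system")
ROWS = [
    ("JE1", "2024-03-12T10:15", "alee", "alee", "4000", 2500, True, False),
    ("JE2", "2024-03-30T23:40", "bkim", "cho", "4100", 9000, True, False),
    ("JE3", "2024-03-14T11:00", "dray", "cho", "2000", 6000, True, False),
    ("JE4", "2024-03-14T11:20", "dray", "cho", "2000", 5500, True, False),
    ("JE5", "2024-03-15T14:05", "svc_erp", None, "1200", 300, False, True),
    ("JE6", "2024-03-16T02:10", "svc_erp", None, "1200", 300, False, True),
]
POSTINGS = [dict(zip(FIELDS, row)) for row in ROWS]

def evaluate(postings):
    """Return {posting id: sorted list of rule names that fired}."""
    hits = defaultdict(set)
    groups = defaultdict(list)  # (user, account, day) -> sub-limit postings
    for p in postings:
        ts = datetime.fromisoformat(p["ts"])
        if p["system"]:
            # System accounts are judged only against the maintenance window.
            if not MAINT_WINDOW[0] <= ts.time() < MAINT_WINDOW[1]:
                hits[p["id"]].add("SYSTEM_ACCOUNT_OUTSIDE_WINDOW")
            continue
        if p["approver"] == p["user"]:
            hits[p["id"]].add("SOD_SAME_POSTER_APPROVER")
        if not BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]:
            hits[p["id"]].add("OFF_HOURS")
        if p["manual"] and 0 <= (PERIOD_END - ts.date()).days < CLOSE_DAYS:
            hits[p["id"]].add("PERIOD_END_MANUAL_JE")
        if p["amt"] < APPROVAL_LIMIT:
            groups[(p["user"], p["acct"], ts.date())].append(p)
    # Split structuring: several sub-limit postings that together reach the limit.
    for group in groups.values():
        if len(group) > 1 and sum(p["amt"] for p in group) >= APPROVAL_LIMIT:
            for p in group:
                hits[p["id"]].add("SPLIT_BELOW_THRESHOLD")
    return {pid: sorted(rules) for pid, rules in hits.items()}
```

The split-posting rule is the only one that needs state across postings, which is why it runs after the per-posting checks; in a streaming deployment that grouping would be kept per user, account, and day.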
Critical stakeholders
Select your role. Read your reality.
FinGuard™ Core is built for three distinct buyers — each with a different problem, a different vocabulary, and a different definition of success. The detection logic is the same for all three. What changes is what it means for your specific function and your specific risk exposure.
The situation
Your external auditor identifies control exceptions after the period closes. By then, remediation is reactive, restatement risk is already present, and the audit committee conversation is harder than it needed to be. Your ERP tells you what was posted. It does not tell you whether it should have been — and it certainly does not tell you in time to act.
What you get
Every exception carries a materiality rating — IMMATERIAL, SIGNIFICANT, or MATERIAL — assessed against your configurable dollar thresholds, not a system default that cannot reflect your business reality
Exception memos structured for audit committee presentation: materiality judgment, COSO principle, regulatory citation, and recommended disposition — not a raw score requiring separate interpretation
MATERIAL exceptions auto-escalated with a running SLA clock and a documented owner — no exception reaches the close without a tracked disposition your external auditor can review
Full audit trail satisfies external auditor inquiry and PCAOB inspection requirements on every exception, every cycle, without additional documentation effort at period-end
Restatement exposure quantified per exception: affected period, control owner, remediation status — available mid-cycle, not assembled under pressure when the auditors arrive
The situation
You are assembling audit evidence under period-end pressure, from systems that were not designed to produce it continuously. PCAOB deficiency rates are at a decade high. Every finding your team misses is a finding your external auditor surfaces instead — and the documentation you need to respond was never captured at the point of detection. You are always one step behind the evidence.
What you get
Detection across all seven primary SOX 404 control failure categories simultaneously — SoD, terminated access, MFA bypass, period-end MJE, split structuring, off-hours, and system account — in a single continuous layer, not seven separate point tools
Every exception tagged to its COSO principle and named regulatory citation at the point of detection — audit evidence ready when the exception surfaces, not assembled retrospectively under time pressure
Full agent reasoning chain per exception: classification rationale, materiality basis, and routing decision — structured for audit committee and external auditor review
Exception disposition history — SLA compliance, owner assignment, escalation path, final decision — constitutes a continuous monitoring record that directly satisfies PCAOB AS 2201 documentation requirements
False positive rate measured and reported at the individual rule level — precision treated as a first-class control quality metric, not discovered late when audit teams begin reviewing the flagged exception queue
The situation
Your ERP is your GL system of record. It is not a controls monitoring system. The gap between what was posted and whether it should have been posted lives in spreadsheets, manual reviews, and audit support tickets that pull your engineering team away from everything else. You need a monitoring layer that sits between the GL and the dashboard — one that adapts to the infrastructure you already have, without requiring your team to maintain it every time the auditors ask a new question.
What you get
Detection logic fully separable from ERP infrastructure — operates alongside SAP, Oracle, or any system that exposes GL events via standard database triggers, with no ERP modification required
Each architectural layer adapts to your existing platform independently: event trigger, ML serving, orchestration, and dashboard each have named enterprise-grade alternatives across IBM, GCP, Azure, AWS, Snowflake, and Databricks
Materiality thresholds, SLA hours, exception ownership, and LLM model selection are all runtime-configurable without code changes or redeployment — your controls team adjusts operational parameters, not your engineering team
Three LLM options at runtime — Claude Haiku, GPT-4o Mini, Llama 3.1 — model selection does not affect detection logic, rule library, or audit trail structure
REST API endpoint enables integration with existing GRC platforms, SIEM systems, or audit management tools — no platform migration, no middleware development, no ERP customization required
Methodology
Detection logic built from regulatory reality — not generic anomaly scoring.
Most financial controls demonstrations use threshold violation rules as a proxy for detection intelligence. FinGuard™ Core inverts that sequence: each control scenario was defined first — against COSO principles, PCAOB inspection findings, and SEC enforcement patterns — and the ML layer was built to reproduce those signals precisely, in a running system your auditors can interrogate directly.
01
COSO-grounded rule library
Each exception maps directly to a COSO framework principle — Control Environment, Risk Assessment, Control Activities, or Monitoring Activities. Every detection signal traces to the governance layer that mandates it, not derived from post-hoc pattern matching on historical data alone.
02
Regulatory-cited exception signals
Every exception surfaced by the agent pipeline maps directly to the regulatory framework that governs it — COSO, PCAOB, or SEC. Each exception is citable in an audit committee discussion, an external auditor inquiry, or a regulatory response without additional documentation effort.
03
Materiality judgment — not just flagging
Every exception carries a materiality rating — IMMATERIAL, SIGNIFICANT, or MATERIAL — against configurable thresholds. The agent pipeline produces a structured exception memo with materiality context, SLA ownership, and escalation recommendation. Output an audit committee can act on — not a score that requires separate interpretation.
Platform expertise
Built for your environment. Proven on every major platform.
data-fit™ LLC's relationships with IBM, GCP, Snowflake, Azure, AWS, and Databricks are not a preferred-vendor list — they are a depth-of-expertise inventory. Each engagement begins with your ERP environment, your existing infrastructure, and your control framework. Platform selection follows from the problem — not before it. Broad platform relationships mean proven, enterprise-grade components are available for whatever that conclusion demands.
The basis for domain credibility and technical trust.
Financial controls monitoring at this level requires confidence in both accounting domain understanding and engineering execution. The following credentials substantiate both — for the audience that will ask.
Domain foundation
Finance-native problem framing
Built by a practitioner with corporate FP&A, financial strategy, and M&A experience. The system was designed by someone who understands how GL control failures reach the audit committee, how a CFO's materiality judgment differs from an auditor's finding classification, and how a SOX 404 material weakness translates to equity discount and remediation cost — not just a compliance checkbox to resolve before the next filing deadline.
Regulatory discipline
Every exception is citable at the source
Every exception surfaced by the system maps to the regulatory framework that governs it — COSO, PCAOB, or SEC — and is citable in an audit committee discussion or external auditor inquiry without additional documentation effort.
Technical credentials
Multi-platform certified across every engagement target
Each platform engagement is grounded in platform-native certification — not generic cloud familiarity.
AWS Architect · AWS ML Specialty · Azure Data Engineer · Azure AI Engineer · GCP Data Engineer · GCP ML Engineer · IBM Data Science · IBM AI Engineer · Databricks Data Eng · Snowflake SnowPro
Build standard
Production-pattern throughout
Production-grade engineering standards applied throughout — resilient event handling, full observability, and model versioning. Every design decision is made to hold up under auditor and enterprise architect review.
Engage on your specific control environment.
Every initial conversation is structured around your ERP environment, your current SOX 404 scope, and your existing audit infrastructure. Platform selection follows from that analysis — not before it.
1. Leuz, C., Nanda, D., & Wysocki, P.D. "Earnings management and investor protection: an international comparison." Journal of Financial Economics, 69(3), 505–527. 2003. Equity discount range confirmed in subsequent meta-analyses through 2022.
2. Audit Analytics. Financial Restatements: A Twenty-Year Comparison. 2023 Edition. auditanalytics.com — median direct restatement cost and equity discount analysis.
3. Public Company Accounting Oversight Board. 2023 Annual Report on the PCAOB's Oversight of Auditors. Released 2024. PCAOB.org — inspection deficiency rate and ICFR finding category analysis.
4. Association of Certified Fraud Examiners. Report to the Nations: 2024 Global Study on Occupational Fraud and Abuse. acfe.com — 5% revenue loss estimate, financial statement fraud median loss and detection lag, access control circumvention rate, terminated employee loss figures, privileged access abuse prevalence.
5. Securities and Exchange Commission. Staff Accounting Bulletin No. 99: Materiality. August 12, 1999. SEC.gov — materiality framework for financial reporting and period-end journal entry assessment.
6. Public Company Accounting Oversight Board. Auditing Standard No. 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. PCAOB.org — IT General Controls requirements, SoD provisions §28, system account change management §14.
7. Sarbanes-Oxley Act of 2002. Section 404 — Management Assessment of Internal Controls. congress.gov — access control, authorization, and segregation of duties requirements.
8. Public Company Accounting Oversight Board. Auditing Standard No. 2401: Consideration of Fraud in a Financial Statement Audit. PCAOB.org — period-end journal entry fraud risk assessment requirements.