Using AI to check whether the J-SOX three-piece set meets financial reporting internal control requirements

Sales process narratives, flowcharts, and RCMs were checked against implementation standards for evaluating and auditing internal control over financial reporting. AI found missed key controls and risk ID inconsistencies across documents with evidence before audit.

INDX Editorial Team, Product Team | 8 min read
"We created the three-piece set (process narrative, flowchart, and RCM), but before auditors find issues, we want to confirm ourselves whether it fully covers financial-reporting internal-control design and operating assessment viewpoints." We applied INDX Compliance to this recurring annual J-SOX design-assessment problem in practice; this article walks through the real product screens.

Background

Why consistency checks across the three-piece set are so hard

A corporate planning team at a listed company was working on J-SOX design assessment for internal control reporting under the Financial Instruments and Exchange Act. It happens every year, but confirming completeness and consistency across the three-piece set still burdens the team.

The process narrative, flowchart, and RCM are often created independently, so risk IDs can drift between documents and key-control (KC) flags can be missed. In practice, reviewers manually compare them while reading dozens of pages of implementation standards for internal-control assessment and audit.

Design assessment is not the only issue. Each management assessment and auditor review brings questions, and teams must repeatedly find and explain the source evaluation-standard text. They had long wanted a way to show later why each control was acceptable and which evaluation standard supported it.

Challenges encountered

  • Checking three-piece-set consistency took 2-3 days per process, or a full two weeks company-wide during design assessment
  • Missed key controls and mismatched RCM/flowchart control points created risk of auditor findings
  • Manually finding matching passages in ICFR implementation standards and assessment guidelines depended on reviewer experience
  • Each auditor explanation required collecting supporting clauses again, raising explanation cost
  • Staff changes shifted review viewpoints and caused quality to vary by year
01 What we tried

Upload the three-piece set and describe what you want checked

First, we did not configure anything difficult. "Check whether the sales-process three-piece set satisfies design and operating-effectiveness assessment requirements for ICFR." We entered that in everyday language. After dragging and dropping the process narrative, flowchart, and RCM files, AI automatically assembled the workflow and review viewpoints.

app.indx-compliance.com/start/draft

Your instruction, in plain language

"Check whether the sales-process three-piece set (process narrative, flowchart, and RCM) satisfies the design and operating-effectiveness assessment requirements for internal control over financial reporting. Identify risk-control mappings and missing key controls with evidence."

AI generated the review workflow (draft · 4 steps)

Target documents (three-piece set)

  • Sales Process Narrative v2.xlsx (Process narrative)
  • Sales Process Flowchart.pdf (Flowchart)
  • Sales Process RCM FY2026.xlsx (RCM)

  1. Upload and ingest the three-piece set

    Ingest the process narrative, flowchart, and RCM (risk control matrix) as target documents

  2. Compare against internal-control requirements for financial reporting

    AI judges consistency and completeness against the FIEA, evaluation standards, and management assessment guidelines

  3. Verify decision evidence and matching passages

    Check whether RCM risk IDs align with the process narrative and flowchart descriptions

  4. Final confirmation by Internal Audit

    Route only needs-review and non-compliant findings to Internal Audit and record approvals or returns

Screen 1: From the uploaded three-piece set and natural-language instruction, AI generated a four-step workflow: ingest documents, compare with implementation standards, verify decision evidence, and route final confirmation to Internal Audit. Just review the target documents and workflow, then save.

No programming knowledge or complex rule setup is required. You can inspect and edit the generated workflow, then reuse the same viewpoints for future design assessments. When the process changes, replace the target documents and run the same workflow.

02 What we tried

Run it to see conformant, needs-review, and non-compliant results by viewpoint, with evidence

After saving and running the workflow, AI compares the three-piece set against implementation-standard and assessment-guideline requirements one viewpoint at a time. Results are consolidated on this screen. The key point is that every decision always includes which evaluation standard and clause support it. Humans can verify the source text instead of taking AI on trust.

app.indx-compliance.com/runs/run_jsox-2026-04
J-SOX internal-control document inspection: Sales process (three-piece set)

Compared against ICFR implementation standards / management assessment guidelines

Three-piece Set Completeness and Consistency Check

Run on 2026-04-25 | 8 review points

Evidence included

4 Conformant | 2 Needs review | 2 Non-compliant | Conformant 50%

  • Decision evidence: Implementation Standards for Management Assessment and Audit of Internal Control over Financial Reporting p.14

    Among control activities selected for evaluation, key controls that materially affect the reliability of financial reporting must be identified and documented. A control process without key controls is considered insufficient for design-effectiveness assessment.

    Checked evaluation standard: Implementation Standards for Management Assessment and Audit of Internal Control over Financial Reporting
    Source-text match: Potential inconsistency with implementation standard
    AI confidence: 91%

    The approval-control row in the RCM has no KC flag column, so key controls are not identified. This is inconsistent with the evaluation standard.

Screen 2: A list of 4 conformant / 2 needs review / 2 non-compliant items. Tap a row to open the highlighted ICFR implementation-standard source text behind the decision, along with the three-piece-set inconsistency reason. You can try tapping rows directly.

This time, AI found two non-compliant items: key controls (KC) were not identified in the RCM, and risk IDs were inconsistent between the process narrative and RCM. Both are typical design deficiencies that auditors often flag. INDX caught likely manual-review misses in advance, with evidence.

03 What we tried

Humans review only needs-review and non-compliant items, then decide returns and final approval

The 4 viewpoints AI marked as conformant can be cleared quickly because evidence is attached. Humans spend judgment on only the 4 items that need attention: 2 needs-review and 2 non-compliant items. The reviewer returned the two non-compliant items to the document owner, reran AI on the corrected and resubmitted RCM, and finally approved all viewpoints.

app.indx-compliance.com/runs/run_jsox-2026-04/review

Final review (human approval)

Non-compliant: Key controls (KC) are not identified in the RCM

The implementation standard requires identifying and documenting KCs that materially affect financial reporting reliability. The RCM lacks a KC flag column and does not meet design-assessment requirements. Ask the document owner to revise it.

Humans review only the 4 needs-review and non-compliant items. The 4 conformant items can be cleared with evidence, so reviewers can focus on judgment.

Tamper-resistant audit log

  1. 09:42 AI

    Assessed 8 review points (4 conformant / 2 needs review / 2 non-compliant)

    hash d4c1…7e

  2. 10:05 Internal Audit, Control Assessment - Watanabe

    Returned two items, KC missing in RCM and inconsistent risk IDs, requesting document corrections

    hash a8f2…3b

  3. 13:30 Corporate Planning, Internal Control - Sasaki

    Added a KC flag column to the RCM, unified the risk ID scheme, resubmitted, and reran AI; status changed to conformant

    hash e1b9…4f

  4. 13:32 Internal Audit, Control Assessment - Watanabe

    Approved and finalized all 8 viewpoints (FY2026 sales-process design assessment complete)

    hash c3a7…d2

Screen 3: On the left, Internal Audit reviews only items requiring action and can directly enter return reasons. On the right, every operation, from AI decisions through human approval and returns, is automatically saved in a tamper-resistant log.

All operations and decisions are recorded in a tamper-resistant audit log. You can fully trace who decided what, when, and based on which evidence, so it can be used directly for external auditor explanations. There is no need to recollect evidence when preparing management assessment reports; it can be presented immediately as an audit trail.

Outcome

Result: design assessment reduced from two weeks to two days, with zero audit findings

A consistency check that had taken 2-3 days per process manually was completed in just a few hours. The full design-assessment period across all processes was reduced from two weeks to two days. Most importantly, the team found the missing KC identification and risk-ID mismatch before auditors did. It was the first design-assessment period completed with zero deficiency findings from auditor review.

  • 2 weeks -> 2 days: Company-wide design assessment period (from setup to approval)
  • 100%: Decisions backed by evidence (check implementation-standard text instantly)
  • Zero findings: External auditor findings (design assessment phase completed)

Key points from this case

  • Inspection starts with the three-piece-set upload and plain-language instructions only. No specialist setup knowledge or programming is required.
  • Every decision includes source evidence from ICFR implementation standards, so humans can verify it instead of trusting AI blindly.
  • Humans review only needs-review and non-compliant items. They can focus on judgment and are less likely to miss KC omissions or document inconsistencies.
  • Operations and decisions remain in tamper-resistant logs and can be used directly as evidence for external auditor explanations and management assessment reports.
Summary

Three-piece sets, policies, applications: evaluation-standard matching follows the same pattern

This example used a J-SOX design-assessment inspection of the three-piece set, but INDX Compliance works the same way across use cases. Provide benchmark documents, such as implementation standards, assessment guidelines, and higher-level policies, together with the documents you want checked, such as the process narrative, flowchart, and RCM, then compare them with evidence. ISO internal-audit pre-checks, internal policy conformity checks, contract reviews, and any other work that involves matching against rules can use the same workflow. By reusing a workflow from design assessment through operating assessment and ongoing monitoring across fiscal years, J-SOX work can run as a system.
