The real sales pitch for finance automation does not end in a vendor sandbox, nor does it conclude when the procurement team signs the Master Services Agreement. It ends months later, in a sterile conference room during an audit committee meeting, when a board member points to a specific variance in the quarter-end reporting deck and asks the controller a very simple question: "Why did this number change?"
In the legacy software era, the finance team would open a ledger, trace the entry back to a specific invoice, show the manual sign-off from a department head, and provide a clear, deterministic logic log. Today, in the rush to modernize, the scenario often plays out differently. Instead of a traceable logic log, the finance team produces a chatbot screenshot, a vendor's vague promise of accuracy, and an assurance that the system's underlying model was trained on millions of financial documents. Right there, under the scrutiny of the board and the external audit partner, the entire business case for the software dies.
Finance software buyers are still shopping for workflow efficiency. They are looking at dashboards that promise to cut accounts payable processing time in half, or automated agents that claim to reconcile intercompany accounts while the accounting team sleeps. But what they actually must buy is regulatory defense. When software alters judgment (categorizing an expense, estimating an accrual, or drafting a variance narrative), missing evidence is not an implementation bug. It is a fundamental control failure. The software industry sells seamless execution, but the only feature that actually matters to a controller is the control artifact the system spits out when something inevitably breaks.
The gap between automation promises and auditor requirements is widening rapidly, and the regulatory environment is unforgiving. Today, the Public Company Accounting Oversight Board (PCAOB) posted 10 new inspection reports and two expanded reports. This is a clear signal of sustained regulatory focus on how audit firms evaluate technology environments and automated controls. Regulators do not care how many full-time equivalent hours a new tool saved the accounts payable department. They do not care about the sleek user interface. They want the paper trail. They demand the control signoff.
Consider the mechanics of public disclosure. When ARKO Petroleum Corp. drops its financial results into an Exhibit 99.1 on the Securities and Exchange Commission's EDGAR database, as the company did today for the period ending May 11, 2026, every single automated entry feeding those financials must be entirely defensible. An Exhibit 99.1 is not a draft; it is a public declaration of financial reality. If the vendor's system operates as an opaque box, proving control effectiveness falls entirely on the internal accounting teams. They are forced to perform extensive manual sampling, pulling hundreds of automated entries and recalculating them by hand just to prove to the external auditor that the machine did not hallucinate a tax provision.
When you compare adoption metrics against actual performance in regulated environments, the reality of this burden becomes stark. Early 2026 research published on lesswrong.com highlighted a fascinating behavioral quirk regarding how these tools enter the enterprise. The research noted that Deloitte's internal audit processes hit an 85% AI adoption rate by specifically framing the tools as job augmentation. This framing was designed to bypass auditor loss aversion, the very real fear of job displacement. Driving usage and initial adoption is remarkably easy when you promise the staff that no one gets replaced and that the software will simply make their lives easier.
But adoption does not equal auditable value. That same research cited a brutal reality check from MIT: an estimated 95% of AI initiatives fail to deliver their intended value, and only 26% of companies report tangible return on investment.
Why does this massive disconnect exist? In the finance function, a tool that cannot produce audit-grade evidence creates significantly more work than it eliminates. Implementing a highly efficient system that forces the accounting department to manually reconcile outputs at year-end destroys the promised return on investment. Worse, it invites a material weakness flag from external auditors who cannot rely on the system's automated controls. The efficiency is an illusion if the governance layer requires human duplication of effort.
The broader market is finally waking up to the severe liability of un-auditable efficiency. According to analysis from stratechery.com, Gartner predicts that over 40% of agentic AI projects will be canceled by the end of 2027. The reasons cited are escalating costs, unclear business value, and inadequate risk controls. You cannot deploy an autonomous agent to execute sensitive treasury functions, manage cash pooling, or reconcile complex intercompany accounts across tax jurisdictions if that agent cannot generate a step-by-step logic trace that satisfies a Big 4 audit partner.
When the external auditor asks for the control walkthrough, "the agent handled it" is not an acceptable response. If the system cannot produce a workpaper detailing exactly which rules were applied, which thresholds were met, and why an exception was granted, the project will be shut down.
Even the foundational model providers themselves recognize the enterprise transparency gap, though they rarely advertise it to their finance buyers. CNBC reported today that OpenAI is granting the European Union access to GPT-5.5-Cyber, a specific variation of its latest model. The AI lab stated it was rolling this out in a limited preview capacity specifically to vetted cybersecurity teams. When vendors deliberately wall off specific models for security and compliance vetting, finance leaders must take the hint.
The underlying technology, in its generalized commercial form, is not ready for blind trust. If cybersecurity teams require vetted, ring-fenced models to ensure compliance, the finance function, which manages the primary regulatory risk of the enterprise, cannot settle for generic, opaque tools that offer no visibility into their decision-making pathways.
There is a fair counterargument to this strict demand for day-one governance. Startups and early-stage software vendors argue that new tools cannot possibly carry a full audit-grade burden before they have even proven their workflow value to the customer. Founders claim that forcing strict Sarbanes-Oxley (SOX) compliance onto a day-one procurement pilot kills software development and stifles operational improvement. They argue that demanding perfect control evidence during a limited trial keeps finance teams stuck on legacy, on-premise software for another decade, slowly drowning in manual spreadsheets. Their plea is simple: prove the workflow first, establish that the tool actually saves time, and then build the heavy governance and compliance layer later, once the return on investment is undeniable.
That argument fundamentally misunderstands the nature of financial reporting. In the office of the CFO, governance is not a version 2.0 feature to be bolted on later when the engineering team has spare capacity. It is the absolute baseline requirement to operate. A fast workflow that produces unverified numbers is not an operational improvement; it is a compliance breach waiting to happen.
Controllers and CFOs must rewrite their procurement rubrics today. They must stop buying software based on projected reductions in full-time equivalent hours. Instead, they must require vendors to demonstrate a rigorous control walkthrough during the very first demo phase. Finance leaders need to ask vendors a highly specific question: "How do we prove to our external auditor that this automated entry is accurate without resorting to manual recalculation?"
If the vendor responds with marketing language about model size, or if they cannot produce a sample control artifact, insert audit-evidence transparency requirements directly into the Master Services Agreement. Demand contractual guarantees that the system will produce logs that meet specific auditing standards. If the vendor refuses, walk away from the deal.
I will change my mind about this trajectory if enterprise buyers willingly absorb the burden of manual reconciliation just to keep a fast, opaque tool in their technology stack. If I see CFOs consistently accepting weak evidence layers because the workflow return on investment is so overwhelmingly compelling that they are willing to hire armies of junior accountants just to check the machine's work, then workflow truly is king.
But that is not how it actually plays out when the PCAOB arrives to inspect the audit file. When the regulatory pressure mounts, the tolerance for opaque systems drops to zero. Within four quarters, the ability to produce verifiable control evidence will become a hard procurement gate for every single finance automation deal. The slick workflow demo might still get the vendor the initial meeting. But the control artifact is what will actually get the contract signed. The control is the product now.