Financial Policy Generator — Platform Demo · Tariq Salam, CFO
The Problem Every CFO Recognises
There is a folder in almost every company — physical or digital — labelled Policies and Procedures. Inside that folder are documents that were accurate on the day they were written and increasingly fictional since.
I know this because I have been on both sides of it.
As a Big 4 professional I conducted the engagements that produced those documents — the stakeholder interviews, the gap analysis sessions, the COSO framework mappings, the draft reviews. I know exactly what goes into producing a genuinely useful policy document, and I know exactly how much it costs and how long it takes.
And as a CFO I have lived with the consequences of the gap between the policy on paper and the process in practice. The approval thresholds that were set three years ago for a business that is now twice the size. The ERP system that changed but whose implications for the control framework were never documented. The regulatory amendments — to IFRS, to UAE VAT Law, to UAE Labour Law — that nobody tracked back to the relevant policy sections.
The problem is not that organisations do not care about financial governance. The problem is that maintaining living, accurate, current policy documentation has always been prohibitively expensive and time-consuming for most businesses. The result is a set of documents that provide the appearance of governance without its substance.
I decided to solve that problem — not as a product launch, not as a consulting service — but because I needed to solve it for myself.
The policy you should have is in a folder somewhere, accurate on the day it was written, increasingly irrelevant since. The policy you need reflects your actual control environment — diagnosed honestly, documented specifically.
— Tariq Salam, CFO
Why Existing Tools Don't Work
I looked at what was available before building anything.
Template generators produce generic documents. You select a policy type, answer a few basic questions, and receive a document with your company name inserted at the top. It describes what should happen in a typical business. It has no knowledge of what actually happens in yours. It does not know your ERP system, your approval thresholds, your industry, or your regulatory obligations. It cannot identify a control gap because it never asked about the controls that were missing.
Enterprise GRC platforms are serious tools for serious organisations — multinationals with dedicated compliance teams and six-figure technology budgets. They solve the problem for the organisations that can already afford to solve it.
For the mid-market company that needs financial governance most urgently, nothing existed that did what a qualified professional would do.
The gap between a template generator and a Big 4 engagement is not a technology gap. It is a domain knowledge gap. Building something that closes it requires knowing what good looks like — how COSO maps to operational financial controls, which IFRS standard governs which transaction type, which UAE regulatory provision applies to which control area, and how risk calibration changes depending on industry and operational context.
That knowledge is accumulated over years of doing the work. It cannot be replicated by technology alone. It can, however, be embedded into technology. That is what I set out to do.
The Approach — Diagnostic First, Document Second
The fundamental insight was this: policy documents go stale because they are written about how a process should work rather than how it actually works. The moment you document the ideal rather than the real, you have produced something that is aspirationally accurate and operationally useless.
The solution was to design the diagnostic before designing the document.
I built a structured interview process based on the questions I would ask if I were conducting a Big 4 controls review. Not questions about what the policy says. Questions about what actually happens.
The diagnostic questions that matter
- How does your reorder process actually work today — not how the policy describes it?
- Who currently approves inventory write-offs and at what threshold? Is that documented anywhere?
- Describe your segregation of duties across ordering, receiving and recording. Be honest.
- What happens when a supplier delivers short? Who authorises the GRN variance?
- When was the last time your reorder points were reviewed against actual consumption data?
These are uncomfortable questions. They are uncomfortable because the honest answers reveal the gap between governance on paper and governance in practice. That gap is precisely what needs to be documented and addressed.
The diagnostic answers then become the input to an AI reasoning process designed to do what a Big 4 manager does with interview notes — identify not just what was said, but what was not said. A missing reorder point system. An undocumented approval process. A regulatory obligation that the current policy does not address. The absences matter as much as the presences.
The COSO Framework — Why It Changes Everything
Every serious internal controls framework in the world references COSO — the Committee of Sponsoring Organizations of the Treadway Commission. Its Internal Control — Integrated Framework remains the most widely recognised internal control standard globally. Its five components — Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities — provide the structure against which every audit function, every regulator, and every sophisticated Board assesses whether an organisation's controls are adequately designed and operating effectively.
When Big 4 firms present internal audit findings, they map them to COSO. When audit committees evaluate whether management has addressed a control weakness, they ask which COSO component it falls under. When regulators assess governance adequacy in a licensed entity, COSO provides the benchmark.
The policy documents sitting in most company folders have no COSO alignment. They describe what should happen. They do not explain where each control sits in the risk and governance hierarchy or what its failure would mean for the organisation's overall control environment.
I built COSO mapping into every control and every gap. Not as a label but as a structural element that explains why each control exists, what risk it mitigates, and how its absence or failure affects the broader framework.
Regulatory Intelligence — The Feature That Changes Everything
Policy documentation has always had a shelf life problem.
⚠ IFRS 18 — The 2026 Problem Most Organisations Haven't Started
IFRS 18 replaces IAS 1 with effect from January 2027. Because IFRS 18 requires retrospective application, companies must ensure their 2026 data is already being captured in a way that supports the new presentation requirements. The impact is not a 2027 problem. It is a 2026 problem — and most organisations have not started. Every financial reporting policy, every budgeting policy, every disclosure framework that references IAS 1 presentation requirements needs to be updated before that effective date.
The FTA has issued multiple public clarifications on VAT treatment of specific transaction types since the introduction of UAE VAT in 2018. Federal Decree-Law No. 8 of 2017 on Value Added Tax, as amended by Federal Decree-Law No. 18 of 2022, has been updated in ways that have direct implications for how inventory write-offs, deemed supplies, and input tax recovery are treated in financial policies. The CBUAE has amended its regulations on banking facilities. The UAE Labour Law has been updated with new end-of-service benefit provisions.
Each of these changes has direct implications for financial policies — and in most organisations, none of those implications are tracked back to the relevant documents.
The approach I built monitors IFRS amendments, FTA guidance, CBUAE circulars, and UAE legislative changes. When a relevant change is detected, it identifies which policy sections are affected and generates a structured update brief — specifying what has changed, which controls require revision, and what the updated language should say. The policy becomes a living document rather than a historical one.
What It Found When I Used It on My Own Company
I ran the diagnostic on the Inventory Management process at Al Reem Hospico — the healthcare and facilities management group where I serve as CFO.
I chose this area deliberately. I had clear visibility of the gap between our documented process and our operational reality. And I wanted to evaluate the output against a situation I understood well enough to assess its quality honestly.
I answered every diagnostic question as I would have answered myself during a late-night month-end review — not as I would have answered an external auditor.
Nine gaps. All of them real. None of them in the existing policy document.
Every gap had the same structure: a description of the current state, the specific risk it creates, the COSO component it maps to, the precise remediation, the named owner, and the target completion date. Not aspirational. Actionable.
What This Means for Financial Governance
The document produced reflects how the business actually operates — not how it wishes it operated. It went to the Board.
The significance is not the speed. Producing something in an afternoon that would have taken weeks through a traditional engagement is interesting but not the point.
The significance is that the output reflects a level of diagnostic depth, COSO alignment, and regulatory specificity that was previously accessible only through expensive external engagements — and that it was produced by applying twenty years of domain expertise to the problem of how AI reasons about financial controls, not by building a faster template generator.
The difference between those two things is everything.
The Honest Limitations
I will not oversell this.
The diagnostic is only as powerful as the willingness to answer honestly. Describing your process as it should work rather than how it actually works will produce a policy that looks comprehensive and means nothing. The system is designed to ask uncomfortable questions. The value comes from answering them uncomfortably accurately.
And there are things this approach will never do. It will not sit in a room with your warehouse manager and hear what he is not saying. It will not look at three years of zero inventory write-offs in a business where that figure is implausible and ask the question that changes everything. Those moments of professional judgment — the ones that come from two decades of sitting in those rooms — remain irreplaceable.
What it does is compress three weeks of structured work into an afternoon, at a level of COSO alignment, regulatory specificity, and diagnostic depth that no template generator comes close to matching.
It doesn't write the policy you should have. It writes the policy you need — based on how you actually operate today.
— The core difference from everything that existed before