GenAI in Finance Is Now an Internal Control Question: What COSO’s New Guidance Means for Public-Company Accounting and Finance Teams

Apr 28, 2026

Summary:

COSO’s February 26, 2026 publication, Achieving Effective Internal Control Over Generative AI, gives finance leaders a practical way to think about GenAI within the existing COSO internal control framework rather than as a standalone technology issue. The publication is explicitly aimed at practitioners responsible for AI processes, internal controls, risk management, assurance, and financial reporting, and it translates COSO’s 2013 framework into GenAI-specific practices.

The headline point for CFOs, controllers, and chief accounting officers is that GenAI should not be governed like traditional deterministic automation. COSO organizes GenAI into eight capability types across the data-to-decision lifecycle and pairs that with an implementation roadmap built around governance, inventory, risk assessment, control design, implementation, and monitoring. This framing matters because finance teams are no longer dealing only with bots that follow fixed rules; they are increasingly dealing with tools that generate, summarize, recommend, draft, and act in ways that can directly affect reporting, judgments, and controls.

For public companies, this matters because the control expectations have not changed. SEC guidance still requires management to assess ICFR, and registrants must disclose material changes in ICFR in quarterly and annual reports, including changes such as implementation of a new information system if the change materially affected ICFR.

Key Highlights for Finance Functions

Start with what the AI is doing, not what the vendor calls it. COSO’s capability-first model is a strong fit for finance because it focuses on the role AI plays in a process: extracting data, transforming data, processing transactions, orchestrating workflows, generating judgments or forecasts, monitoring anomalies, retrieving knowledge, or supporting human-AI collaboration. This is the right lens for finance organizations that may be using AI through ERP, close, and reporting platforms rather than through a single visible “AI tool.”

Build a complete inventory of finance use cases before scaling them. COSO’s roadmap calls for identifying all active and planned GenAI use cases, including periodic scans for shadow AI, and documenting key attributes such as owner, objectives, data sources, model used, deployment model, criticality, dependencies, version, and change logs. For finance, that inventory should cover not only obvious use cases like disclosure drafting and technical accounting research, but also embedded AI in reconciliations, close management, journal support, forecasting, variance analysis, and reporting workflows.

Risk-rank use cases based on reporting significance. COSO’s guidance calls for assessing each use case through the five COSO components and identifying GenAI-specific risks such as bias, drift, provenance gaps, prompt injection, third-party dependencies, and segregation-of-duties conflicts. In practice, finance teams should separate general productivity uses from process-affecting uses and, most importantly, from reporting-significant uses that touch journal entries, estimates, reconciliations, management review controls, technical accounting conclusions, or SEC disclosures.

Treat outputs as assertions that require validation. A finance organization should not accept GenAI output because it is fluent or fast. COSO’s guidance emphasizes transparency, validation, and traceability, and its roadmap contemplates control design that includes confidence thresholds, human review, sampling, exception queues, escalation paths, and monitored KPIs and KRIs. In finance terms, “human in the loop” should mean defined review criteria, not informal oversight.

Expand change management beyond code releases. COSO highlights rapid configuration changes, vendor updates, and model changes as core GenAI risks, and its monitoring step calls for validating vendor updates before deployment and reporting material changes to governance forums. Finance teams should therefore extend change-control discipline to prompts, models, retrieval sources, connectors, and embedded AI feature releases, not just traditional code changes.

Preserve evidence and auditability from the outset. COSO describes the guidance as audit-ready, and PCAOB AS 2201 reminds issuers and auditors that ICFR is evaluated as part of the integrated audit. For finance teams, that means AI-enabled processes should be designed so management can reconstruct what was used, what was generated, who reviewed it, what exceptions arose, and why the output was accepted, revised, or rejected.

Effective Date

There is no formal effective date because COSO’s publication is guidance, not a new accounting standard, SEC rule, or PCAOB standard. But for public-company finance teams, the practical effective date is now. Once GenAI affects a reporting-sensitive process, management needs to evaluate whether the related control design, monitoring, and disclosure considerations are keeping pace.

That point is reinforced by SEC guidance requiring disclosure of material changes in ICFR and specifically noting that implementation of a new information system may need to be disclosed if it materially affected ICFR. Companies do not need a new rule to reach the conclusion that a GenAI-enabled workflow could fall inside this analysis.

Why It Matters to Finance

GenAI changes the risk profile of finance work in ways prior automation often did not. It can be confidently wrong, it can change as vendors update models or connected data changes, and it can spread informally through shadow-AI use before ownership and control expectations are clear. These characteristics are especially important in finance because the underlying processes involve precision, consistency, evidence, and management accountability.

At the same time, the upside is real. COSO’s capability model maps directly to use cases finance teams care about: data extraction, transaction processing and reconciliation, workflow orchestration, judgment and forecasting, monitoring, and knowledge retrieval. Used well, those capabilities can improve speed and operating leverage; used casually, they can weaken the support behind reporting conclusions.

The right takeaway is not to slow AI adoption indiscriminately. It is to bring AI into the finance operating model deliberately: clear ownership, controlled implementation, validated outputs, governed data sources, documented evidence, and ongoing monitoring. For broader enterprise AI governance, many issuers will also find the National Institute of Standards and Technology’s (NIST) AI RMF and Generative AI Profile useful as a complement to COSO because NIST frames GenAI risk management as a voluntary, cross-sector discipline for identifying unique GenAI risks and aligning responses to organizational priorities.

What Finance Leaders Should Do Now

Create a finance-specific GenAI inventory. Catalogue every current and planned use case across accounting, reporting, FP&A, treasury, tax, and internal audit support, including embedded AI in third-party platforms. Capture owner, purpose, data sources, model or vendor, downstream systems, criticality, and change history.

Tier use cases by ICFR relevance. Separate general productivity tools from process-affecting tools and reporting-significant tools. The closer the use case is to journals, estimates, reconciliations, management review controls, or disclosures, the more formal the control expectations should be.

Define validation standards before broad deployment. Require documented review procedures, thresholds for escalation, exception handling, and evidence retention for higher-risk use cases. Finance should be able to show not only that a human reviewed the output, but how that review supports management’s reliance on it.

Extend change management to prompts, models, and connectors. Treat model updates, prompt changes, new retrieval sources, and embedded vendor AI releases as controlled changes when they affect reporting-sensitive processes. Revalidation should not wait for a control failure.

Reassess service-organization and oversight implications. Where GenAI functionality is delivered through third-party platforms, management remains responsible for controls over the flow of information to and from the service organization. Finance, IT, compliance, and internal audit should align on what evidence is needed to support reliance on those tools.

Bring the audit committee into the discussion early. If GenAI is moving into reporting-sensitive processes, audit committee reporting should evolve with it. The committee does not need to approve every use case, but it should understand governance, scope, risk concentration, and how management is preserving ICFR discipline as adoption expands.
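The tiering, validation, change-management and evidence steps described in the highlights above and in the action list just given can be expressed as one control gate. The following is an added example written for this article, not COSO's or any vendor's code; the tier names, confidence thresholds, sample rates and disposition labels are assumptions chosen for illustration.

```python
# Added example (not COSO's code): tiered validation gate for GenAI outputs. Tier names, thresholds and sample rates are assumed.
import hashlib
import random
from dataclasses import dataclass

# Per-tier rules (assumed values): reporting-significant output is never auto-accepted.
TIER_RULES = {
    "general_productivity": {"auto_accept_min": 0.70, "sample_rate": 0.05},
    "process_affecting": {"auto_accept_min": 0.90, "sample_rate": 0.25},
    "reporting_significant": {"auto_accept_min": None, "sample_rate": 1.00},
}

@dataclass
class UseCase:  # inventory record: attributes the roadmap asks finance to capture
    name: str
    tier: str
    model_version: str            # version currently deployed
    validated_model_version: str  # version the control design was last validated on
    prompt_text: str

@dataclass
class Evidence:  # audit-trail entry: what was used, what was generated, and why
    use_case: str
    model_version: str
    prompt_hash: str
    output_hash: str
    confidence: float
    disposition: str  # auto_accepted | queued_for_review | exception
    reason: str

def _h(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def gate(uc: UseCase, output: str, confidence: float, sample_draw=None) -> Evidence:
    """Route one output through the tiered control design and return its evidence record."""
    rules = TIER_RULES[uc.tier]
    draw = random.random() if sample_draw is None else sample_draw
    if uc.model_version != uc.validated_model_version:
        # Change management: a model or vendor update voids prior validation until re-tested.
        disp, why = "exception", "model version changed since last validation; revalidate"
    elif rules["auto_accept_min"] is None:
        disp, why = "queued_for_review", "reporting-significant: mandatory human review"
    elif confidence < rules["auto_accept_min"]:
        disp, why = "exception", f"confidence {confidence:.2f} below tier threshold"
    elif draw < rules["sample_rate"]:
        disp, why = "queued_for_review", "selected for sample review"
    else:
        disp, why = "auto_accepted", "above threshold and not sampled"
    return Evidence(uc.name, uc.model_version, _h(uc.prompt_text), _h(output), confidence, disp, why)
```

The `sample_draw` parameter exists so the sampling decision can be replayed deterministically in a test or an audit walkthrough; in production it is left unset and drawn at random.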

How Virtas Can Help

Virtas helps finance teams operationalize GenAI responsibly while leveraging its advantages to improve processes and insights. We bring practical experience across audit, controllership, SEC reporting, internal controls, PMO execution, enterprise risk management, and internal audit design to help clients manage the process, assess and prove use cases, build solutions, employ governance, design controls, and support audit-ready implementation across finance and reporting processes.