
AI Is In Your Financial Processes. Are Your Internal Controls Ready?


by FEI Staff

AI is moving into financial reporting processes faster than the governance frameworks designed to protect them have evolved. For financial leaders responsible for ICFR integrity, that gap carries real consequences – and a new practitioner-built framework offers a practical path through it.

The efficiency case for AI in finance has been made, and in many organizations, the decision has already been made along with it. AI is now embedded in journal entry processing, financial close workflows, variance analysis, and more. The conversation has moved from whether to adopt these tools to how to govern them – and for financial leaders responsible for the integrity of their organizations' financial reporting, that’s where the real work begins.

The same AI systems that create operational efficiency operate inside environments governed by Sarbanes-Oxley, subject to PCAOB scrutiny, and dependent on the trust that capital markets place in reliable financial statements. Getting the governance right isn’t optional, and the frameworks most organizations rely on were not built with AI in the loop.

The black-box problem

One of the foundational principles of internal control over financial reporting is that accountability must be traceable. A person reviews. A person approves. The evidence exists, and the trail is legible.

AI disrupts that model. When an AI system processes a financial transaction, generates an estimate, or flags an anomaly, the logic driving that output may not be directly inspectable – even by the people responsible for overseeing it. For financial leaders, this creates a challenge that is both practical and regulatory: how do you evaluate the reliability of a control you cannot fully audit? And how do you defend that evaluation to an external auditor or regulator who is asking the same question?

Risks that existing frameworks weren’t designed to catch

Traditional ICFR risk assessment wasn’t built for the specific failure modes AI introduces. Hallucination – the tendency of generative AI systems to produce plausible-sounding but factually incorrect output – can affect financial estimates, disclosure language, and analytical summaries in ways that are difficult to detect without deliberate validation procedures. Model drift – the gradual degradation of an AI system’s performance as the underlying data patterns shift away from those it was built on – can quietly erode reliability without triggering any obvious alert. And algorithmic bias can skew outputs in ways that compound across reporting periods before they are recognized.

Each of these risks has direct implications for the accuracy and completeness of financial statements. None of them fit neatly into the risk taxonomies and assessment processes that organizations have developed through decades of SOX compliance.

The governance gap

The COSO Internal Control – Integrated Framework and the requirements of the Sarbanes-Oxley Act remain the governing architecture for ICFR – and they remain sound. The problem isn’t the frameworks themselves. The problem is that they were not designed for an operating environment in which AI systems are making, influencing, or validating financial reporting decisions.

AI adoption in finance is outpacing the development of governance guidance specific to it. Organizations are integrating AI tools into financial reporting workflows without established approaches for scoping them under SOX, validating their outputs systematically, or maintaining meaningful human oversight as automation takes on more of the work. That gap – between where AI is being deployed and where governance has caught up – is where control deficiencies form.

A practitioner-built path forward

FEI’s Committee on Corporate Reporting (CCR) – a cross-industry group of corporate controllers, chief accounting officers, and accounting leaders from Fortune 100 and large public companies, with input from academia – developed the AI Framework: Internal Control Over Financial Reporting to address exactly this gap.

The framework takes a principles-based approach, designed to remain applicable as AI technology and regulatory expectations continue to evolve. Rather than attempting to audit the inner workings of AI systems directly, it centers on what can actually be tested and validated: outcomes. It identifies four business control approaches that organizations can deploy individually or in combination – Human-in-the-Loop oversight, Performance Testing, Multi-Model Validation, and Data Analytics monitoring – calibrated to an organization’s specific risk profile and AI use cases. The framework also provides SOX scoping and risk assessment guidance, an outlier management and resolution process, and direct treatment of AI-specific risks including hallucination, model drift, and algorithmic bias.
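To make the outcome-based approach concrete, the following is an added illustration, not part of the FEI framework and not FEI’s code, of how the four control approaches could be expressed over constructed journal-entry data: Multi-Model Validation compares the primary AI estimate against an independent baseline; Performance Testing is a known-answer check against booked amounts; Data Analytics monitoring compares this period’s error distribution with a reviewed prior period to surface drift; and outlier management routes disagreements to a named human who must record a rationale before the item closes. The entries, the baseline model, the 5% and 10% thresholds, and the drift ratio are all hypothetical choices for the example.

```python
"""Added illustration of outcome-based AI controls over constructed journal-entry data.
Not part of the FEI framework; the entries, estimates, thresholds and error metric
are hypothetical choices made for this example."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Entry:
    """One journal entry: the booked amount plus two independently produced estimates."""
    entry_id: str
    account: str
    recorded: float           # amount booked in the ledger
    ai_estimate: float        # expected amount from the primary AI model (hypothetical)
    baseline_estimate: float  # independent, deterministic estimate, e.g. prior-period run-rate


# Constructed sample data for the current period; not drawn from any real ledger.
CURRENT_PERIOD = [
    Entry("JE-1001", "6100-Rent", 12000.0, 12000.0, 12000.0),
    Entry("JE-1002", "6200-Utilities", 3150.0, 3100.0, 3200.0),
    Entry("JE-1003", "2300-Accrued Bonus", 48000.0, 21000.0, 47000.0),  # models disagree
    Entry("JE-1004", "6300-Software", 9800.0, 9750.0, 9900.0),
    Entry("JE-1005", "1400-Prepaid Insurance", 7200.0, 2400.0, 7200.0),  # models disagree
]

# Constructed relative errors of the AI model from a prior period that passed review.
PRIOR_PERIOD_ERRORS = [0.0, 0.004, 0.006, 0.008, 0.012]


def relative_gap(a: float, b: float) -> float:
    """Absolute difference scaled by the larger magnitude; 0.0 when both are zero."""
    scale = max(abs(a), abs(b))
    return abs(a - b) / scale if scale else 0.0


def multi_model_validation(entries, tolerance=0.05):
    """Multi-Model Validation: return entries where the two independent estimates
    disagree by more than `tolerance` (5% here, a hypothetical threshold)."""
    return [e for e in entries if relative_gap(e.ai_estimate, e.baseline_estimate) > tolerance]


def ai_errors(entries):
    """Relative error of the AI estimate against the amount actually booked."""
    return [relative_gap(e.ai_estimate, e.recorded) for e in entries]


def performance_test(entries, max_mape=0.10):
    """Performance Testing: known-answer check of the AI model against booked amounts.
    Returns (passed, mean absolute percentage error); the 10% ceiling is hypothetical."""
    errors = ai_errors(entries)
    mape = sum(errors) / len(errors)
    return mape <= max_mape, mape


def drift_check(baseline_errors, current_errors, max_ratio=2.0):
    """Data Analytics monitoring for model drift: compare the median error this period
    with a reviewed prior period. Returns (drifted, ratio)."""
    base, cur = median(baseline_errors), median(current_errors)
    if base == 0.0:
        return cur > 0.0, float("inf") if cur > 0.0 else 1.0
    ratio = cur / base
    return ratio > max_ratio, ratio


def route_outliers(flagged):
    """Outlier management: each flagged entry becomes a review item that only a named
    human can close; the evidence is kept so the decision is traceable later."""
    return [
        {
            "entry_id": e.entry_id,
            "account": e.account,
            "ai_estimate": e.ai_estimate,
            "baseline_estimate": e.baseline_estimate,
            "gap": round(relative_gap(e.ai_estimate, e.baseline_estimate), 3),
            "status": "PENDING_HUMAN_REVIEW",
            "approver": None,
            "rationale": None,
        }
        for e in flagged
    ]


def human_signoff(item, approver, rationale):
    """Human-in-the-Loop: close a review item. Refuses a blank approver or rationale so
    an item cannot be closed without an accountable person and a recorded reason."""
    if not approver.strip() or not rationale.strip():
        raise ValueError("review item needs a named approver and a rationale")
    return {**item, "status": "RESOLVED", "approver": approver, "rationale": rationale}


def run_controls(entries=CURRENT_PERIOD, prior_errors=PRIOR_PERIOD_ERRORS):
    """Run all four controls over one period and return a summary dict."""
    passed, mape = performance_test(entries)
    drifted, ratio = drift_check(prior_errors, ai_errors(entries))
    queue = route_outliers(multi_model_validation(entries))
    return {"performance_passed": passed, "mape": mape,
            "drifted": drifted, "drift_ratio": ratio, "review_queue": queue}


if __name__ == "__main__":
    for key, value in run_controls().items():
        print(f"{key}: {value}")
```

On the constructed data the two models disagree on JE-1003 and JE-1005, the known-answer test fails (mean error around 25% against a 10% ceiling), and the median error is about 2.6 times the prior period’s, so the drift monitor also fires. Nothing in the code inspects the model itself; every control reads only outputs and booked amounts, which is the point of testing outcomes rather than internals.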

It is, in the most practical sense, guidance built by the people who have to make this work.

Looking ahead

For financial leaders working to integrate AI responsibly without compromising the internal control integrity their organizations depend on, the AI Framework: Internal Control Over Financial Reporting is available for $195 on the FEI website.