
The eight questions auditors will start asking about your AI.

COSO turned a dense framework into something a controller can act on. Here is the one-page version: the controls your internal audit team will be testing for next.

Key Takeaways

  • What shipped: on February 26, 2026, the Journal of Accountancy reported that COSO created audit-ready guidance titled "Achieving Effective Internal Control Over Generative AI." The AICPA is one of the five organizations that sponsor COSO.
  • Why it matters to you: this maps generative AI onto COSO's five internal-control components, the same framework your auditors already use. AI is no longer outside your control environment. It is inside it, and it will be tested.
  • The practical core: the guidance introduces a capability-based taxonomy of eight use-case types, with control mapping, risk matrices, and control-testing procedures. That is the spine of a checklist you can build this quarter.
  • The honest scope: this is not generic AI policy. It is a specific internal-control framework for accounting and finance. Generic governance still applies, but this is the part your internal audit function will hold you to.

The Leveraged Years Briefing.

What COSO actually published

On February 26, 2026, the Journal of Accountancy reported that COSO had created audit-ready guidance for governing generative AI, titled "Achieving Effective Internal Control Over Generative AI." The AICPA is one of five sponsoring organizations behind COSO, which is why this matters to anyone in accounting and finance: it speaks directly to the framework your controls already run on.

The significance is the word audit-ready. COSO is the body whose internal-control framework underpins how most finance teams design and test controls in the first place. When COSO maps generative AI to that framework, it stops being a side conversation about technology and becomes part of the control environment your internal audit team and external auditors evaluate. The message is plain. If your finance function is using generative AI, the controls around it are now in scope.

The reason this carries weight is that COSO does not usually publish about tools. It publishes about control. When the body that defines how you test a control turns its attention to a specific technology, it is signaling that the technology has crossed from novelty into something that has to be governed like anything else that can move a number. The phrase audit-ready is the tell. This is written so that controls built against it can be tested, documented, and defended, which is precisely the form a finance team can act on.

You do not have to overhaul anything overnight. But you do need to know what the guidance asks for, because the questions in it are the questions that will land on your desk. The teams that get caught flat are not the ones using AI. They are the ones using it with no answer when someone asks how it is controlled.

How it maps to the five components you already know

The guidance does the helpful thing: it maps generative AI to COSO's five internal-control components rather than inventing a parallel system. Those components are the familiar ones: control environment, risk assessment, control activities, information and communication, and monitoring.

That structure is good news for a controller. You are not learning a new model. You are applying the one you have to a new input. The practical translation is to take each material use of generative AI and ask what the five components require of it: who owns the use, what could go wrong with it, what check sits between the AI output and the number, how the use and its output are documented and communicated, and how you would notice if it started to degrade.

If you can answer those five cleanly for each material use, you are most of the way to defensible.

The value of staying inside the five components is that you do not have to invent a new vocabulary, and neither does your auditor. A control that sits between an AI draft and a posted entry is a control activity, full stop, and it is only testable if it leaves evidence: who reviewed the draft, what they changed, and when. A periodic check that the model has not started producing worse output is monitoring. Naming an owner for AI use in finance is control environment. When you describe your AI controls in the language your audit team already speaks, the conversation gets shorter and the gaps get easier to see. The teams that struggle are usually the ones treating AI as a special case with its own rules, when the framework you already run handles it fine.

The eight use-case types, and why that taxonomy is your checklist

The most usable part of the guidance is the capability-based taxonomy of eight use-case types. Alongside it the framework provides control mapping, risk matrices, and control-testing procedures. In plain terms, it sorts the ways finance teams use generative AI into categories, then tells you what controls and tests belong with each.

This is the part to lift directly into your own work. You do not need to read the whole framework to start. You need to do the inventory: list every place generative AI touches your close, your reporting, your reconciliations, your analysis, and your disclosures, then sort each one against the use-case types. For each, ask the audit-shaped question: what is the control, and how would I test that it is working?

That inventory is your one-page checklist. It is also exactly what an auditor will ask for. Walking in with it already done is the difference between leading the conversation and scrambling through it. The eight categories give you the columns. Your own systems fill the rows.

Start small and honest. You do not need every use mapped before the work is worth anything. Take the three places generative AI most directly touches a reported number and do those first, with the control and the test written next to each. That alone changes the posture of the next audit conversation, because you are no longer describing intentions, you are pointing at controls. The risk matrices and testing procedures in the guidance exist so you are not guessing what good looks like. Use them as the answer key. The point is not to admire the framework. It is to have, on one page, a defensible account of where AI sits in your numbers and what keeps it honest.

Where this fits with your general AI policy

You may already have a general AI policy, and you should. But do not confuse the two. The broad, cross-industry governance work is covered elsewhere: the one-page AI policy and AI governance training handle the general rules every team needs, regardless of function.

This guidance is narrower and more specific. It is the internal-control framework built for accounting and finance, tied to the COSO components your auditors already test against. The general policy tells your whole company how to behave. The COSO control mapping tells your finance function exactly which controls and tests have to exist around the numbers. Keep the general policy as the foundation, and treat this as the layer your internal audit team will actually hold you to. Do not relitigate the policy basics here. Build the controls on top of them.

The practical sequence matters. A company-wide policy that no finance team has translated into testable controls gives an auditor nothing to test, and a stack of finance controls with no policy behind them has no stated standard to point back to. You need both, in that order: the policy sets the rule, the COSO mapping turns the rule into controls and tests that hold up under examination. If your firm already has the policy, your work now is the second half, and this guidance is the blueprint for it.

The skill under the framework

A controller does not get judged on knowing the framework exists. You get judged on whether the controls are real, documented, and testable when someone asks. The teams that handle this well will be the ones who treated generative AI like any other source of control risk: inventoried it, mapped it, and built the verification step before the auditor arrived.

That is a discipline, not a download, and it transfers to every framework that lands after this one. Claude AI for Accountants teaches that control-minded way of working for finance teams, and the two-minute course quiz will point you to the right starting place for your role.

Frequently Asked Questions

Is the COSO generative AI guidance mandatory?

As reported by the Journal of Accountancy on February 26, 2026, COSO created audit-ready guidance for governing generative AI. COSO frameworks are widely adopted as the basis for internal control, which is why this is significant for finance teams, but whether and how it applies to your specific reporting obligations is something to confirm with your auditors and advisors.

What are the eight use-case types?

The guidance introduces a capability-based taxonomy of eight use-case types, sorting how teams use generative AI, with control mapping, risk matrices, and control-testing procedures attached. The practical move is to inventory your own AI uses and sort them against these categories, then define the control and the test for each.

How is this different from a general AI policy?

A general AI policy sets broad, cross-industry rules for your whole company. This is the specific internal-control framework for accounting and finance, mapped to COSO's five components. The general policy is the foundation. This is the control layer your internal audit team will test against the numbers.

Is this briefing accounting or compliance advice?

No. The Leveraged Years is an education company, not an accounting or audit firm. This is a plain language explainer of new guidance. Treat it as background, and confirm anything that affects your firm's controls, reporting, or compliance with a qualified professional.