Achieving Effective Internal Control Over Generative AI (GenAI)
- Katarzyna Celińska

- 2 days ago
COSO (Committee of Sponsoring Organizations of the Treadway Commission) has just released “Achieving Effective Internal Control Over Generative AI (GenAI)”, and for anyone working in governance, risk, internal control, audit, or compliance it is a structural bridge between the most recognized internal control framework in the world and the realities of GenAI adoption.
As someone who has been operating within the COSO ecosystem for years, including in the context of SOC1 and SOC2 engagements that are deeply rooted in COSO principles, I see this publication as a natural but extremely important evolution.
COSO did not create a separate “AI framework.” Instead, it extended the Internal Control Integrated Framework and translated its five components into the GenAI context.
COSO clearly acknowledges the AI shift and frames GenAI as a technology that compresses decision cycles while amplifying both value and risk.
Taxonomy
COSO identifies eight GenAI capability types that follow a logical data-to-decision sequence:
1️⃣ Data ingestion and extraction
2️⃣ Data transformation and integration
3️⃣ Automated transaction processing and reconciliation
4️⃣ Workflow orchestration and autonomous task execution
5️⃣ Judgment, forecasting and insight generation
6️⃣ AI-powered monitoring and continuous review
7️⃣ Knowledge retrieval and summarization
8️⃣ Human–AI collaboration
This taxonomy is practical. It allows organizations to understand where risks originate in the data-to-decision chain and how they propagate downstream across processes.
From my perspective, this mirrors how we think about control design in SOC engagements: identify the process layer, identify the risk, map to control objectives, and then test design and operating effectiveness.
AI reliance and ICFR
The document explicitly introduces a working definition of AI reliance in the context of internal control over financial reporting. If management depends on AI outputs as evidence supporting a control’s design or operating effectiveness, then AI control patterns must meet the same evidentiary standards expected for ICFR, including documented prompts, configurations, model versions, sampling rationale, and retained evidence. We are clearly moving toward a future where AI-enabled controls will be subject to the same rigor as traditional automated controls under SOX.
I would not be surprised if AICPA frameworks for SOC reporting evolve in this direction in the near future.
Practical implementation roadmap
1️⃣ Establish AI governance structure
2️⃣ Inventory GenAI use cases
3️⃣ Assess risks by COSO component
4️⃣ Design and map controls
5️⃣ Implement and communicate
6️⃣ Monitor and adapt
Author: Sebastian Burgemejster