As artificial intelligence (AI) continues to evolve in the context of financial reporting and regulatory compliance, organizations are expanding governance and oversight, enhancing existing risk assessments, and designing new internal controls to address AI-specific risks.
At present, AI-enabled tools may be used to facilitate the flow of transactions and to support traditional financial reporting processes and controls (including but not limited to journal entries, pricing, estimates, and financial close activities), as well as third-party and regulatory reporting.
Ultimately, organizations that proactively identify where and how AI is used — and align existing governance frameworks and internal control programs to those activities — will be better positioned to address emerging AI-related risks.
Auditing when AI is present in an environment involves evaluating the governance, risks, and controls associated with AI systems used in key processes to confirm they produce complete and reliable output. This includes assessing how AI supports internal controls over financial reporting (ICFR) as well as other third-party and regulatory reporting requirements (e.g., SOC reporting). Auditors may focus on things such as transparency, data integrity, and bias mitigation to confirm the suitability of design, implementation, and operation of key processes and controls.
Organizations should consider the use of AI within existing business processes through both risk and control lenses. When embedded into business processes, AI may influence transaction flows, operational outcomes, and financial reporting results.
As a result, the use of AI may introduce new or enhanced risk considerations related to data quality, model logic, bias, explainability of outputs, and accountability for review decisions. These risk considerations are important to support business and financial reporting outcomes that are complete, accurate, timely, and reliable over time. Further, in response to new or enhanced risk considerations, an enhancement to existing or the creation of new manual and/or automated controls may also be required.
Inventorying and managing AI usage in financial reporting and close processes is essential as AI increasingly performs judgment-oriented activities that affect financial statement integrity. When used for account mapping, ledger postings, estimates, reconciliations, accounting logic, or data classification, AI becomes part of the financial reporting and control environment. Without clear visibility into where AI is used, what data it relies on, what decisions it influences, and how outputs are reviewed, organizations may fail to identify risks related to accuracy, completeness, bias, unauthorized change, data quality, or over-reliance on automation.
A disciplined AI inventory is foundational to effective risk and control mapping, auditability, and governance. It enables organizations to apply appropriate rigor to AI-enabled financial reporting activities, reduce reporting risk, preserve trust, and support timely, reliable financial statement issuance.
AI intersects with the common ITGC domains by introducing new considerations, for example:
- Access controls: understanding who can access AI model logic and data;
- Change management: evaluating how AI models, configurations and algorithms are updated;
- Computer operations: assessing how job scheduling, processing, and error handling for AI inputs and outputs are controlled;
- Program development: designing, building, and testing AI models — particularly for new implementations and/or major releases;
- Cybersecurity: evaluating new and emerging cybersecurity risks that could impact AI systems and data.
Guidance like BDO’s AI Governance Guide (which is aligned with publications such as the NIST’s AI Risk Management Framework) serve as a base for organizations to evaluate governance models and enhance Information Security Policies — helping to drive explainability and oversight of biases. Auditors can develop tests to evaluate AI inputs/outputs for bias, confirm model transparency, and validate alignment to business goals.
A strong first step is establishing and executing protocols for updating AI models — including version control, testing before deployment, and appropriate approval prior to the implementation of source code and data changes. In addition, a robust program to continuously monitor and test AI models and underlying data helps support ongoing governance that change controls operate as intended over time.
For organizations navigating this evolving landscape, now is the time to assess AI usage, align governance practices with regulatory and audit expectations, and evaluate control readiness. If you would like to discuss how these considerations apply to your organization or explore practical steps to enhance AI oversight and audit readiness, we encourage you to reach out to BDO’s Technology Risk Assurance team to continue the conversation.