IIA & Standards

COSO Publishes Practical Roadmap for Managing Generative AI Risks and Controls

Global · · prnewswire.com

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released a new publication, "Achieving Effective Internal Control Over Generative AI (GenAI)," providing a COSO-aligned approach to managing the risks and opportunities of GenAI. This guidance translates COSO's Internal Control–Integrated Framework (ICIF) into practical, audit-ready controls specifically for GenAI, addressing the rapid adoption of these technologies in organizations. It aims to help professionals responsible for AI deployment and oversight ensure responsible implementation and robust internal controls.


COSO%20favicon.png

COSO Addresses Generative AI Risks with New Guidance

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has unveiled a crucial new publication titled "Achieving Effective Internal Control Over Generative AI (GenAI)." This document offers organizations a practical, COSO-aligned methodology for navigating the inherent risks and opportunities presented by the rapidly evolving landscape of generative AI technologies.

The Challenge of Rapid AI Adoption

Generative AI is quickly integrating into corporate boardrooms and daily operations, often outpacing traditional governance models. While AI-powered tools offer significant benefits, such as automating reconciliations and accelerating analysis, their rapid adoption introduces a new class of risks. These include heightened cyber exposure, prompt-based manipulation, opaque reasoning, model drift, and frequent configuration changes. Without robust internal controls, these risks can compromise the integrity of operations, reporting, and compliance.

COSO Framework for GenAI Governance

Lucia Wind, Executive Director & Chair of COSO, emphasized that the COSO Internal Control–Integrated Framework provides a clear and proven structure for introducing GenAI responsibly. The new publication, authored by Scott Emett, Marc Eulerich, Jason Guthrie, Jason Pikoos, and David A. Wood, adapts COSO-ICIF's five components—Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities—into GenAI-specific practices. This approach avoids creating a new governance model, instead leveraging an established framework.

Key Elements of the New Publication

  • Capability-First Taxonomy: GenAI use cases are categorized into eight capability types (ingestion, transformation, posting, orchestration, judgment, monitoring, regulatory intelligence, and human-AI interaction), each with tailored control considerations.
  • Audit-Ready Control Mapping: Each capability includes examples, minimum control expectations aligned with all five COSO components, and illustrative metrics for operational monitoring and audit evidence collection.
  • Practical Implementation Artifacts: The publication provides starter templates, including risk assessment matrices, control testing procedures, and metric dashboards, to expedite implementation.

David Wood, one of the authors, highlighted that grounding GenAI governance in COSO's established principles allows organizations to build adaptable and audit-ready systems. The guidance underscores that while GenAI transforms information processing, the fundamental purpose of internal control—to achieve organizational objectives reliably—remains unchanged. It calls for organizations to apply COSO's principles with renewed rigor, clarity, and traceability to manage GenAI's unique risks effectively.

For more information, visit www.coso.org. Click this link to download the publication.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →