News & Blogs

COSO Releases New Guidance on Internal Controls for Generative AI

Global · · internalaudit360.com

COSO has issued new guidance, "Achieving Effective Internal Control Over Generative AI (GenAI)," to help organizations manage the risks and opportunities of rapidly evolving GenAI technologies. This publication adapts the COSO Internal Control–Integrated Framework (ICIF) to GenAI, providing practical, audit-ready control practices and implementation artifacts. Internal audit professionals should leverage this guidance to ensure robust internal controls are in place for GenAI adoption, addressing risks from heightened cyber exposure to model drift and opaque reasoning.


COSO's Framework for GenAI Governance

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released crucial new guidance titled "Achieving Effective Internal Control Over Generative AI (GenAI)." This publication is designed to assist organizations in navigating the complex landscape of Generative AI, which is rapidly integrating into business operations and decision-making processes. Recognizing that GenAI introduces a new class of risks—such as increased cyber exposure, prompt-based manipulation, model drift, and frequent configuration changes—the guidance emphasizes the need for robust internal controls to safeguard operational integrity, reporting accuracy, and compliance. Internal auditors should view this as a foundational document for establishing and evaluating GenAI-related controls within their organizations.

Adapting the COSO-ICIF for AI Risks

Rather than proposing an entirely new governance model, the COSO guidance strategically adapts the existing Internal Control–Integrated Framework (ICIF) to the specific challenges posed by GenAI. It translates the five core components of COSO—Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities—into concrete, GenAI-specific practices. This approach ensures that organizations can leverage a familiar and proven structure while addressing the unique characteristics of AI. The guidance is particularly relevant for internal audit departments, management, compliance teams, and IT governance, providing a common language and framework for discussing and implementing GenAI controls.

Practical Tools for Implementation and Audit Readiness

The publication offers several practical elements to facilitate the operationalization of GenAI governance and enhance audit readiness. Key among these are a capability-first taxonomy that categorizes GenAI use cases into eight types (e.g., ingestion, transformation, judgment, human-AI interaction), each with tailored control considerations. Furthermore, it includes audit-ready control mappings, providing examples, minimum control expectations aligned to all five COSO components, and illustrative metrics for both operational monitoring and audit evidence collection. Starter templates for risk assessment matrices, control testing procedures, and metric dashboards are also provided, enabling organizations to accelerate implementation and demonstrate effective control over their GenAI initiatives. Internal auditors can directly utilize these tools to develop comprehensive audit programs for GenAI.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →