SOURCE COSO

New publication translates COSO's Internal Control–Integrated Framework into practical, audit-ready guidance for governing GenAI

NEW YORK, Feb. 23, 2026 /PRNewswire/ -- The Committee of Sponsoring Organizations of the Treadway Commission (COSO), today released a new publication, Achieving Effective Internal Control Over Generative AI (GenAI), offering organizations a practical, COSO-aligned approach to managing the risks and opportunities introduced by rapidly advancing generative AI technologies.

Generative AI is moving into boardrooms and day-to-day operations far faster than traditional governance models anticipated. Organizations are already using AI-enabled tools to automate reconciliations, accelerate analysis, and support decision-making at a scale that compresses timelines and reshapes workflows. Such rapid adoption brings a new class of risks - from heightened cyber exposure and prompt-based manipulation to opaque reasoning, model drift, and frequent configuration changes - that can jeopardize the integrity of operations, reporting, and compliance if not addressed with robust internal controls.

"Generative AI is transforming how organizations work, make decisions, and manage information," said Lucia Wind, Executive Director & Chair of COSO. "Its rapid adoption brings enormous potential, but also a new set of risks that demand disciplined oversight. The COSO Internal Control–Integrated Framework gives organizations a clear, proven structure to ensure GenAI is introduced responsibly and with the rigor needed to support reliable operations, reporting, and compliance."

Building on COSO's earlier thought leadership, Realize the Full Potential of Artificial Intelligence, this new publication, commissioned by COSO and authored by Scott Emett of Arizona State University, Marc Eulerich of the University of Duisburg-Essen, Jason Guthrie of Ernst & Young, Jason Pikoos of Meta, and David A. Wood of Brigham Young University translates COSO's Internal Control–Integrated Framework (ICIF) into concrete internal control practices tailored to GenAI.

Rather than proposing a new governance model, the publication adapts COSO-ICIF's five components-Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities-into GenAI-specific practices. It is designed for professionals responsible for deployment and oversight of AI processes, including:

  • Management and operations teams
  • Compliance and risk management teams
  • Controllers and financial reporting groups
  • IT governance and information security
  • Board committees and oversight bodies
  • External auditors assessing GenAI-related controls
  • Internal audit departments

The report introduces several new elements to help organizations operationalize GenAI governance:

  • A capability-first taxonomy: GenAI use cases are organized into eight capability types-ingestion, transformation, posting, orchestration, judgment, monitoring, regulatory intelligence, and human-AI interaction-each with tailored control considerations that reflect how GenAI risks manifest across the data-to-decision lifecycle.
  • Audit-ready control mapping: Each capability includes examples, minimum control expectations aligned to all five COSO components, and illustrative metrics to support both operational monitoring and audit evidence collection.
  • Practical implementation artifacts: Starter templates, including risk assessment matrices, control testing procedures, and metric dashboards, help organizations accelerate implementation and reduce time-to-value.

"GenAI introduces risks that evolve as quickly as the technology itself," said Author David Wood. "By grounding GenAI governance in COSO's established internal control principles, organizations can build systems that are both adaptable and audit-ready."

The publication emphasizes that while GenAI transforms how information is generated, processed, and acted upon, it does not change the fundamental purpose of internal control: to help organizations achieve their objectives reliably. Instead, GenAI requires organizations to apply COSO's principles with renewed rigor, clarity, and traceability.

"GenAI can be confidently wrong, easily manipulated, or deployed outside formal oversight channels," added Wind. "This guidance helps organizations strengthen their internal control environment so they can harness GenAI's benefits while managing its unique risks."

For more information, or to download a copy of Achieving Effective Internal Control Over Generative AI (GenAI), please visit www.coso.org.

About COSO 
Originally formed in 1985, COSO is a voluntary private sector organization dedicated to helping organizations improve performance by developing thought leadership that enhances internal control, risk management, governance and fraud deterrence. COSO is jointly sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA). For more information, visit www.COSO.org.

©PR Newswire. All Rights Reserved.

Information contained on this page is provided by an independent third-party content provider. XPRMedia and this Site make no warranties or representations in connection therewith. If you are affiliated with this page and would like it removed please contact [email protected]