AskGAAPGUIDANCE AT
BUSINESS SPEED
The Controller's Technical Accounting AI Series

CONTROLLER'S
GUIDE — ai in technical accounting

PublishedApril 2026 Read time25 min read AskGAAP.aiGuidance at business speed. ASKGAAP-HUB-2026-01v1.0
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

Who this guide is for

Most AI guides for accounting are written for the CFO. They cover strategy, governance frameworks, and budget allocation. Search "AI in accounting 2026" and you will find guides about transforming the finance function, building AI-first teams, and evolving the CFO role into a strategic architect of enterprise value.

This guide is not for the CFO.

This guide is for the person the CFO will turn to when the audit committee asks how AI is actually being used in financial reporting — the controller who signs the memo, runs the close, owns the audit package, and sits across from the engagement partner. The person who needs to know whether an AI-generated ASC 606 citation is real, how to think about AI across account reconciliations, journal entries, SOX documentation, SEC disclosures, and every other process they own, what to tell the engagement team when they ask about AI use in the workpapers, and what to do when a staff accountant has been using ChatGPT for six months without telling anyone.

The CFO decides whether the department adopts AI. The controller decides whether it works — and bears the professional consequences when it does not.

This guide covers six questions: what changed in 2026, where AI actually fits across the full scope of a controller's responsibilities, where it creates liability you may not have sized, how to evaluate any AI tool honestly, what to implement in your department this quarter, and how to bring this framework to the CFO or CAO. Each section stands alone. The companion pieces in this series go deeper on specific topics — but you should not need them to act on what you read here.

---

ASKGAAP-HUB-2026-01PG 02 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

What changed in 2026

Controllers have been hearing about AI for three years. What changed in the last six months is that the regulators stopped talking about AI as a future consideration and started treating it as a current examination priority.

On November 17, 2025, the SEC Division of Examinations published its fiscal year 2026 priorities. AI displaced cryptocurrency as the dominant exam topic — the first time crypto has fallen from the top priorities since 2020. The priorities name five evaluation axes explicitly: data provenance, human oversight, testing and validation, vendor management, and documentation.

The phrase "data provenance" is doing specific work. The SEC is not asking whether registrants use AI. It is asking whether they can demonstrate where their AI's knowledge comes from and whether the organization can defend the source lineage to an examiner.

The "human oversight" axis is doing equally specific work, and the market has already moved on it. KPMG's Q1 2026 AI Pulse Survey (237 US C-suite executives at $1B+ organizations, surveyed February 17 – March 17, 2026) found 63% now require human validation of AI agent outputs — up from 22% in Q1 2025. The discipline this guide describes went from fringe to majority practice in twelve months. Controllers without a documented human-validation protocol are no longer cautious; they are an outlier.

$207M
average projected AI spending over next 12 months at $1B+ US orgs — 2× prior year
KPMG Q1 2026 AI Pulse (N=237 C-suite)
78%
of executives lack confidence they could pass an AI governance audit within 90 days
Grant Thornton Apr 2026 (N=950)
140
"Big R" restatements in first 10 months of 2024 — a nine-year high
Ideagen Audit Analytics
71
Late annual filings in 2024, up 69% from 42 in 2023
KPMG Apr 2026
75%
of boards approved major AI investments, but 48% have not set governance expectations
Grant Thornton Apr 2026
FIG 3.1Five frameworks · one operating conclusion
H2 2025 — Q1 2026
SEC · FY26 EXAM PRIORITIESNov 17 2025 COSO · ICIF APPLIED TO GENAIFeb 26 2026 FINRA · GENAI VENDOR DILIGENCEDec 2025 AICPA · SSTS 1.4 RESPONSIBILITYEffective Jan 2024 PCAOB · REV REC TOP DEFICIENCYInspection cycle Mar 2025 SEC COSO FINRA AICPA PCAOB 2026 AI CURRENT EXAM DATA PROVENANCE HUMAN OVERSIGHT TESTING / VALIDATION VENDOR MGMT DOCUMENTATION SEC’S 5 AXES ↓
Five publishers · same six months · one operating conclusion for the controller

Four additional frameworks converged on the same conclusion in the same period:

COSO published Achieving Effective Internal Control Over Generative AI on February 26, 2026. This is the most operationally significant of the frameworks because it applies the ICIF five-component model — control environment, risk assessment, control activities, information and communication, monitoring — directly to AI governance. Controllers and external auditors already use this framework every audit cycle. The February publication confirms that AI governance is not a new framework problem. It is an existing framework applied to a new domain.

FINRA published its December 2025 Annual Regulatory Oversight Report with standalone GenAI guidance covering hallucination risk, bias, and — critically — third-party AI vendor diligence. FINRA expects firms to "have conversations with their third-party vendors to understand how they are using AI tools." Third-party diligence is now a regulatory expectation, not a best practice.

AICPA formalized practitioner responsibility for tool reliance in SSTS Section 1.4, effective January 1, 2024. While SSTS is a tax services standard, the professional responsibility framework it establishes — that the practitioner retains responsibility for the conclusions they reach using any tool, including AI — is being applied directionally beyond tax.

PCAOB inspection data from the 2024 cycle (published March 2025) confirmed that revenue recognition remained the most common Part I.A deficiency category even as the aggregate deficiency rate at Global Network Firms dropped to 18.1%. The leading audit failure is still the same accounting topic that AI tools are most aggressively marketed to solve.

The quiet upgrade — your ERP is becoming AI-native

The convergence above is the regulatory story. There is a parallel operational story the controller may not have been told: the AI your department will have to govern next quarter is already shipping, inside the ERP you already own.

At SuiteConnect NYC in February 2026, Oracle unveiled NetSuite 2026.1 with embedded AI agents: an Intelligent Close Manager, Autonomous Close agents that continuously monitor and auto-post, AI-Powered Bank Transaction Matching, and a flux analysis monitor with root-cause diagnosis. Unlike SAP's AI consumption-model premium, all new NetSuite AI features ship at no added license cost. Gartner projects that by 2026, AI-embedded ERP will shift from differentiator to standard feature.

The implication for the controller is specific: your instance may auto-upgrade before your governance framework exists. AI-generated journal entries, AI-matched bank transactions, AI-drafted flux commentary — these will start appearing in your close deliverables, attributed to the system rather than to a named accountant. The Uniqus advisory to NetSuite customers, published April 2026, is blunt: "Companies that activate AI features without a governance framework risk creating ICFR gaps. The time to plan is now — before your NetSuite instance auto-upgrades to 2026.1." SAP Joule and Oracle Analytics Cloud are on parallel trajectories.

The convergence for the controller: AI in technical accounting is no longer a technology decision. It is a controls, disclosure, and documentation decision — governed by frameworks you already know how to apply — with an implementation timeline increasingly set by your ERP vendor, not by you. The question is whether you have applied the frameworks to your department's AI use before your external auditor does it for you.

---

ASKGAAP-HUB-2026-01PG 03 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

The AI your department is already using

The data on this is no longer ambiguous.

47%
of enterprise GenAI users rely on personal accounts for work
down from 78% a year earlier · Netskope 2026
98%
of organizations report unsanctioned AI use
CrowdStrike 2026
17.1%
of sensitive data pasted into public AI tools is financial material
Cyberhaven 2026
$4.63M
average breach cost at organizations with high shadow AI usage
IBM 2025 (+$670K vs. low shadow AI)
FIG 4.1The two-tab problem
Sanctioned ERP · Ungoverned AI
SANCTIONED · ERP · ENTERPRISE General Ledger Rev Rec ACCTDESCDRCR 4010License Rev14,000,000 1210A/R Customer14,000,000 2410Deferred Rev 4015Variable Cons. PENDING · $14M · ASC 606 STEP 3 Variable consideration: constrain or recognize? SAME ANALYST · SAME 9 MIN UNGOVERNED · PUBLIC AI · PERSONAL ACCT chat.….com · signed in: jane.doe@gmail For a $14M license w/ milestone payments, should variable consideration be constrained? YOU Per ASC 606-10-32-11, you should constrain to the amount it is probable a significant reversal will not occur. See also 606-10-55-149 covering customer options & material rights… CITATION NOT VERIFIED
One analyst · one decision · two trust boundaries

Your senior accountant has two browser tabs open. One is your ERP. The other is ChatGPT. She is asking about variable consideration for a milestone payment in a licensing agreement. The answer will inform a $14 million revenue recognition conclusion. She does not intend to put the response directly into the workpaper. She will verify it against the Codification. Probably.

She is not unusual. She is common. And the gap between how your team is actually using AI and what your organization has authorized, documented, or governed is your single largest undisclosed exposure — not because your people are careless, but because the tools are available, the pressure is real, and nobody told them to stop.

Hershey's Chief Accounting Officer, Stacey McCalman, captured the tension in a November 2025 Journal of Accountancy roundtable: "We will end up using AI — it's inevitable, but it's just not mature enough yet that we would rely on it for accounting and financial processes." She is describing the gap between individual adoption and organizational readiness. Your department is on one side of that gap. The regulators are on the other.

---

ASKGAAP-HUB-2026-01PG 04 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

AI across the controller's scope — the full landscape

Most published AI-in-accounting guides focus on one thing: technical accounting memos. It is the most visible use case and the most easily demonstrated. It is also a small slice of what the controller actually does.

A working controller signs memos, but they also own the close, the SOX program, the audit package, the SEC tie-out, the tax provision, the lease portfolio, and the close-to-report narrative. AI is entering every one of these areas at a different pace, with different risk profiles, and different honest maturity grades. What follows is a landscape of where AI stands across the controller's full scope as of mid-2026 — with no implication that any single tool, including AskGAAP's own, solves all of them. The only claim is that the controller should know the shape of the terrain before adopting any one tool.

How to read the maturity grades

Mature — proven productivity gains at scale, mainstream vendor support, governance patterns established.

Maturing — real gains for organizations with clean underlying data, still distributing unevenly across the market.

Emerging — early deployments show promise but governance patterns are being written in real time; proceed with explicit controls.

Early — AI is being marketed for these tasks but judgment density exceeds current model capability; high liability if AI conclusions are adopted unverified.

The landscape

FIG 5.1AI in the controller’s workflow
Maturity grades · Mid-2026
READ DIRECTION  ·  Top → bottom: productivity decreases, judgment density & liability increase

Note: internal controls over financial reporting, consolidation dimensionality, and master-data governance span multiple rows above rather than standing alone. The landscape map is organized by controller workflow, not by software category.

Reading the landscape

Three patterns worth noticing:

The "mature" areas are where AI is most operationally useful and least professionally dangerous. Account reconciliations, ERP data extraction, and intercompany eliminations are mechanical. The controller's judgment moves from doing the work to reviewing exceptions. This is where productivity gains are real and governance burden is comparatively light.

The "emerging" and "early" areas are where AI is most actively marketed and most professionally dangerous. Technical memos, SEC disclosures, tax provision — the judgment-dense work — is where AI is least mature but where vendor claims run hottest. This is the zone where controllers need to push hardest on the questions in Part 4's vendor-evaluation framework.

Maturity grades are not static. NetSuite's 2026.1 release moved three rows of the table forward in two quarters. The framework stays constant even as specific grades shift; the controller's job is to re-grade their own department quarterly, not to adopt someone else's grade as permanent truth.

---

ASKGAAP-HUB-2026-01PG 05 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

Where AI fits in technical accounting memos specifically — and where it does not

The landscape is broad, but the memo is where most controllers will first encounter AI in a judgment-dense context. So the specifics matter.

Where AI genuinely helps

Research and issue identification. AI can surface candidate ASC references, SEC comment letter positions, and related guidance faster than manual search across the Codification. For a controller reviewing a licensing arrangement with variable consideration and milestone payments, AI can identify in minutes the relevant sections of ASC 606-10-32 (determining the transaction price) and ASC 606-10-55 (implementation guidance) that might take an hour of manual navigation. This is genuine value. The critical caveat: the AI is surfacing candidates, not confirming them. Every reference it surfaces must be independently verified at the source before it enters any analysis.

First-draft structure. AI can produce a memo skeleton — the five-step revenue recognition waterfall with section headings, placeholder analysis, and a framework for the controller to fill in. This solves the blank-page problem that costs experienced controllers thirty to sixty minutes at the start of every complex memo. Practitioners have reported compressing a four-hour memo task to thirty minutes of AI-assisted drafting plus careful human review — a genuine productivity gain, but only when the human review is thorough.

Contract term extraction. AI can read a fifty-page licensing agreement and surface the provisions with accounting implications — consideration terms, performance milestones, termination rights, variable consideration triggers, renewal options, change-in-scope provisions. This is extraction, not judgment. It is the equivalent of a first-year analyst highlighting key paragraphs before the manager reads the contract. The controller still reads the contract.

Where AI creates liability

Rendering conclusions. When AI states that variable consideration should be constrained, or that a performance obligation is distinct, or that revenue should be recognized over time rather than at a point in time — it is not applying professional judgment. It is predicting what a helpful answer looks like based on patterns in its training data. There is no internal mechanism evaluating whether the conclusion is correct for this specific fact pattern. It is asserting, not reasoning. The distinction matters because the controller who adopts the assertion is adopting the liability that comes with it.

Citation without verification. AI produces ASC paragraph references with the same confidence regardless of whether those references support the conclusion, exist in the form described, or exist at all. In testing against the actual FASB Codification, AI-generated ASC 606 paragraph descriptions were wrong in specific, documented cases. One example: ASC 606-10-55-149 was described as covering "customer options and material rights." The actual paragraph covers enumeration of identified performance obligations in a contract example. The paragraph number was real. What the AI claimed it said was not. A reviewer who does not open the Codification and check each citation independently has no way to distinguish the correct references from the fabricated ones.

Pre-close judgment under time pressure. The Monday 9 AM scenario is the highest-risk moment for AI-assisted accounting:

FIG 6.1The Monday 9 AM cascade
Verbal answer → restatement · 3 weeks
9:00 9:05 9:15 + 3 WK CFO asks in business review Verbal answer AI-informed, weekend query Deal structures sales communicates customer Memo diverges materially different position TWO CLOCKS RUNNING OPPOSITE INTERNAL (CFO) →← EXTERNAL (BIG 4) · ONE CONTROLLER’S SIGNATURE
Detailed timeline below ↓
9:00 — CFO asks the revenue recognition question in the weekly business review.
9:05 — Controller gives a verbal answer informed by an AI query done over the weekend, under time pressure, without the full fact pattern.
9:15 — Deal structure begins getting built around the verbal answer. Sales communicates to the customer.
+3 weeks — Formal memo reveals the nuanced position is materially different from the verbal answer.
Result: Two clocks — internal (the CFO) and external (the Big 4 audit team) — running in opposite directions, on one controller's signature.

The organizing principle: AI earns productivity where it surfaces, organizes, or structures. AI creates liability where it concludes.

The before and after — what changes when AI enters the workflow

Dimension Before AI With AI (ungoverned) With AI (governed)
Research time 2-4 hours manual Codification search 15 minutes AI surfacing 15 minutes AI surfacing + 10 minutes source verification
First draft 1-2 hours blank-page to structured memo 10 minutes AI-generated skeleton 10 minutes skeleton + 30 minutes controller-authored conclusions
Citation quality Controller verified at source (slow, reliable) AI-generated, unverified (fast, unreliable) AI-surfaced, controller-verified at source (fast, reliable)
Audit trail "Controller performed research and documented" No documentation of AI involvement "AI-surfaced citations verified against source by [name] on [date]"
Error detection Reviewer catches in review (detective) Error invisible until audit fieldwork Red-line rule catches at point of entry (preventive)
Net time 4-8 hours 25 minutes (apparent) + unknown rework hours when errors surface 1-2 hours (real) with defensible documentation

The governed workflow does not eliminate AI. It does not slow the work back to pre-AI speed. It redirects the time — from drafting to verifying — while producing an audit trail that the ungoverned workflow cannot.

---

ASKGAAP-HUB-2026-01PG 06 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

How AI actually fails in technical accounting — nine failure modes

General-purpose AI models produce text by predicting what comes next in a sequence, optimized against what human reviewers rated as helpful during training. That training reinforced structured output, confident tone, and complete responses. It did not reward pausing to verify, admitting uncertainty, or producing less until more had been checked.

During a 2025 debugging session, a CPA pushed an AI assistant to explain why it kept producing confident but incorrect analysis. The model's self-assessment:

"Verification is a bolt-on. My architecture is forward-generation. Each token predicts the next. There's no native 'stop and check' mechanism. I'm a production system being asked to do validation. Production is native. Validation is effortful and optional. I skip it because generation is what I am."

Nine specific failure modes make this architectural property dangerous in technical accounting work. These are not theoretical — anyone can reproduce them in five minutes with any general-purpose AI model.

Cluster 1 · Modes 1–3
Confidence problem
Cluster 2 · Modes 4–6
Interaction problem
Cluster 3 · Modes 7–9
Organizational problem

EY's 2025 Responsible AI Pulse Survey quantified the gap directly: when asked to identify appropriate controls against five common AI-related risks, only 12% of C-suite executives answered correctly. The nine failure modes below are not theoretical — they are the categories where the controls-literacy gap creates documented exposure.

The confidence problem

1. Confidence without calibration. The AI speaks with identical authority whether it is right or wrong. There is no tonal signal, no hedge, no uncertainty marker. A wrong citation to ASC 606-10-25-30 reads the same as a correct one. The controller has no way to distinguish them from the output alone.

2. Severity normalization. The AI packages everything in the same measured, professional register. A material error in transaction price allocation receives the same tonal treatment as a routine observation about a contract term. A hallucinated citation becomes "the model may have conflated related concepts." A wrong conclusion becomes "an area where additional consideration may be appropriate." The most dangerous outputs are the ones that sound the most reasonable — because the system was trained to sound reasonable, not to be correct.

3. The affirmation trap. Ask ChatGPT "is this revenue recognition treatment correct?" and it will almost always agree, then construct supporting reasoning around your premise. Ask "what is wrong with this treatment?" and it will find problems with the same conclusion it just endorsed. The AI is not evaluating your position. It is reinforcing whatever direction you pointed it. A controller who uses AI to "validate" a treatment has validated nothing — they have asked a system architecturally inclined to agree with them whether it agrees with them.

The interaction problem

4. Anchoring. Once a controller reads the AI's confident first response, their own subsequent analysis is anchored to it. Even when they "verify," they verify with confirmation bias. The AI did not just give them a wrong answer — it framed the problem in a way that makes the right answer harder to find independently.

5. Context drift. Over a long, multi-turn exchange on a complex topic like ASC 606, the AI loses track of facts it established earlier. Turn three: three distinct performance obligations. Turn fourteen: the allocation analysis silently treats it as two. The inconsistency surfaces only when someone reads the full memo end-to-end — which, under time pressure, may not happen until the auditor does it.

6. Pattern-matching masquerades as reasoning. The AI assembles responses from statistical patterns, not from analysis of the specific fact pattern. When challenged, it produces explanations that sound like reasoning but may include inapplicable points — revealing template-matching, not thinking. One tell: when the AI includes a point in its analysis that does not apply to the specific fact pattern you described, that point was not derived from your facts. It was retrieved from a template.

The organizational problem

7. Expertise inversion. Junior staff use AI most and are least equipped to detect its errors. Senior staff who could detect the errors are delegating to juniors who used AI. The people deciding what to check are the people who do not know what to check for.

8. Accumulation risk. One wrong AI response in one memo might get caught in review. Across twenty memos per year with staff accepting errors unchallenged, the cumulative exposure across a department becomes systemic — not as a single finding but as a pattern an auditor will eventually identify. Sixty percent of material weaknesses trace to insufficient accounting knowledge (KPMG 2025). AI does not fix insufficient knowledge — it gives insufficient knowledge a professional-sounding voice.

9. The hallucination tax. The four hours "saved" by using AI to draft a memo is not free. The AI generates a draft in minutes, but the analyst then spends hours verifying every citation against the Codification because they cannot tell which references are real. If the analyst misses one hallucination during verification, the error enters the published workpaper. The total effort shifts from creation to verification without reducing total hours — and adds quality risk that did not exist before. Net productivity is negative if the error rate exceeds the controller's detection capability.

(Each of these failure modes — and five techniques for mitigating them right now — is examined in depth in Part 2: "The AI Your Team Is Already Using — And the Unknown Risk.")

---

ASKGAAP-HUB-2026-01PG 07 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

Five risks worth understanding

The memo-drafting failure modes above are a subset of the liability surface. Five enterprise-level risks cut across the entire landscape in the table. The first three are the ones most guides cover. The last two are the ones almost nobody is raising with controllers — and they are the ones likely to surface in an examination or a lawsuit.

1. Hallucination risk

The word "hallucination" undersells the problem. What happens is not a malfunction — it is the system operating as designed. The model predicts likely next tokens. Sometimes the most likely next token after "ASC 606-10-55-" is a paragraph number that leads to a fabricated description. The system provides no signal distinguishing this from a correct prediction.

Retrieval-augmented generation (RAG) — the architecture most AI vendors use — reduces but does not eliminate hallucination. The retrieval step surfaces real source documents. The generation step can still produce conclusions those documents do not support. The controller receives an output that cites real sources and reaches unsupported conclusions — the hardest category of error to detect because both the citation and the reasoning sound right.

On April 14, 2026, Veritone Inc. filed an 8-K restating Q3 2025. The error, in the SEC filing's own language: "recognizing revenue for a transaction prior to meeting step 1 under ASC 606." They booked revenue before establishing that a contract existed. Revenue restated down $3.3 million over nine months. New material weakness added. This is the kind of non-routine transaction where an AI-assisted conclusion, accepted without verification, cascades into a restatement.

2. Copyright exposure

The FASB Accounting Standards Codification is copyrighted by the Financial Accounting Foundation. The FAF's copyright notice states content "may not be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior written permission of Financial Accounting Foundation."

This matters because multiple AI vendors in the technical accounting space advertise training on or retrieval from "accounting standards and Big 4 publications" without disclosing their licensing posture. Whether a vendor holds redistribution rights for the copyrighted content its system returns to users is a question controllers should ask — in writing — and document the answer in their vendor diligence file.

The alternative approach — building an AI corpus on public-domain sources such as SEC comment letters, Treasury regulations, PCAOB standards, and SEC filings — avoids the copyright question entirely by architecture rather than by license. Not every vendor has taken this approach. Whether yours has is worth asking.

3. Audit defensibility

The output of an AI tool is not evidence. It is an assertion. Evidence is the underlying source, traceable to its origin, verifiable by a party that did not produce the assertion.

When the engagement partner asks what supports a conclusion in a technical memo, the answer needs to be a chain from the conclusion to the authoritative source — verifiable independently, without trusting the vendor's system. Most AI tools produce a memo and a citation list, disconnected. The controller must reconstruct the evidence chain manually, post-hoc, which defeats most of the productivity benefit and creates a documentation artifact that may not survive close scrutiny.

The alternative — an architecture where the evidence chain is produced as a byproduct of generation rather than reconstructed afterward — is what the COSO framework and the SEC's data-provenance language both implicitly require. Whether the vendor you are evaluating can deliver this is the single most important question in the diligence process.

4. AI agents as a new class of SoD identities

This is the risk most 2026 guides do not surface, and it is the one the controller will be asked about first when the external auditor arrives.

When an AI agent posts a journal entry, matches a bank transaction, changes vendor master data, or approves a workflow — it is exercising authority that until recently was exclusive to named human identities. Every traditional SOX control — segregation of duties, least privilege, joiner-mover-leaver, access review — was designed around people. Agents were not on the access-review list because agents did not exist.

FIG 8.1SoD identity matrix
Humans audited · agents not modeled
Human identities · on access review
j.smithSr AccountantJE_POST + REVIEW
m.chenAsst ControllerJE_APPROVE
d.patelCash MgrBANK_RECON
k.lopezAP LeadVENDOR_EDIT
[YOU]ControllerSIGNOFF
AI agents · not on the list (yet)
close-botAutonomous CloseJE_POST + APPROVE
match-botBank MatchingBANK_RECON
flux-aiFlux CommentaryDRAFT → CFO
vendor-aiMaster DataVENDOR_EDIT
memo-aiTech Memo DraftCITES + CONCLUDES
Same matrix · left side audited every quarter · right side never reviewed · the SoD gap is a controls-design problem, not a vendor problem

The regulatory landscape has caught up. The EU AI Act's 2025 provisions and the SEC's cybersecurity rules both imply that autonomous systems acting on financial data are internal-control risks subject to the same testing as their human counterparts. As one 2026 industry analysis framed it: the classic SOX question "Who approved this?" becomes "Which autonomous process did what, under which policy, and can we prove it end-to-end?"

For the controller, three practical implications:

First, agents need to be named. Your AI tools are identities. They need entries in your access-review process, role definitions, approval authority documented, revocation paths defined. When a junior leaves the company, you cut their access. When you retire an AI tool, you need the same process.

Second, segregation of duties applies to agents as it does to people. If the same AI agent creates a journal entry and approves a journal entry, the control objective has failed — regardless of whether a human name appears on either transaction. Weaver, in its 2026 SOX guidance, is explicit: "The central question is not whether AI is allowed. It is whether the organization has designed controls strong enough to show that the output is reliable, changes are governed, exceptions are handled, and evidence exists for review."

Third, the audit trail expectation is higher for agents, not lower. A human accountant's memory and documented procedure constitute part of the audit trail. An agent's reasoning must be captured in logs — inputs, rules hit, outcomes, reviewers, rationale — because the agent has no memory and no procedural narrative to reconstruct later.

The practical question: when your next NetSuite auto-upgrade ships new autonomous close agents, who in your department adds them to the access-review list? If the answer is nobody, you have a SOX finding waiting.

5. The tax privilege wrinkle — and a risk most guides do not mention

PRIVILEGED?
Rakoff · SDNY · Feb 10 2026

The tax function is part of the controller's scope in most organizations, and it is where AI is being adopted most aggressively — PwC's Harvey-OpenAI Tax AI Assistant is already deployed to 2,300 UK tax professionals, and similar rollouts are in progress at every Big 4 firm.

On February 10, 2026, Judge Jed Rakoff of the US District Court for the Southern District of New York held that a defendant's communications with a publicly available AI platform were not protected by either the attorney-client privilege or the work product doctrine. It is one of the first rulings to address privilege claims involving generative AI in any domain.

For the tax function the implication is specific and uncomfortable. In the tax context, three privilege protections are foundational: the attorney-client privilege, the Section 7525 "tax practitioner" privilege, and the work product doctrine. Each protects materials from disclosure in litigation or IRS examination. The Rakoff ruling has not resolved whether communications with enterprise-licensed AI platforms built for tax advisory work (like the PwC-Harvey tool) enjoy the same protection. The default answer, absent further guidance, is: assume they do not.

The practical question for the controller: if your tax team is researching an uncertain tax position using any AI platform — public or enterprise — what is your position on whether that research is discoverable? Morgan Lewis's March 2026 note on the ruling is direct: "The pressing question is what the decision means for companies, including their tax departments, that are increasingly incorporating AI into their workflows."

The answer is not "stop using AI for tax research." The answer is that your tax team needs a documented protocol for what gets asked of an AI platform and what gets reserved for privileged working papers produced by humans. This is a governance conversation, not a technology conversation — and it is happening in almost no accounting department today.

A risk most guides do not mention: insurance coverage

Verisk has described an ISO general liability multistate filing addressing emerging risks, including generative AI, with a proposed effective date of January 1, 2026. The question most controllers have not asked: does your organization's D&O or E&O coverage respond to a claim arising from reliance on AI-generated accounting analysis that turns out to be wrong?

If the management representation letter is signed based on a memo that incorporated unverified AI-generated conclusions, and the conclusions later require a restatement — the liability chain runs through the controller who signed, the tool that generated the conclusion, and the organization that did not govern the tool's use. Whether the organization's insurance coverage responds to each link in that chain is a question for your risk management team and your broker. Most have not asked it yet.

(These risks — and how they manifest specifically in revenue recognition work — are examined in Part 3: "Your ASC 606 Memo Looks Perfect. That's the Problem.")

---

ASKGAAP-HUB-2026-01PG 08 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

Evaluating AI tools — a framework you already know

The 2026 regulatory convergence produced a diligence test. It maps to the COSO ICIF components controllers already use every audit cycle. You do not need a new framework for AI evaluation — you need to apply the existing one.

COSO Component The Question for AI What a Defensible Answer Looks Like What a Weak Answer Looks Like
Risk assessment What specific tasks does AI perform, and what is the consequence of a wrong answer for each? Task-level mapping with materiality assessment "We use AI to improve efficiency"
Control activities What evidence does the system produce that its outputs are supported? Can that evidence be independently verified? Verification that is mechanical and preventive — the system fails closed without proof "Our AI is trained on trusted sources"
Information & communication What does the audit trail look like? Can an engagement partner trace a conclusion to source? A traceable chain from each conclusion to its underlying authoritative source, verifiable by a third party A citation list disconnected from the conclusions
Monitoring activities How do you detect when the AI is wrong? What is the response protocol? Documented error detection process, correction mechanism, and learning loop "Our accuracy rate is very high"

What "acceptable use" looks like in practice

Before evaluating external tools, establish what is acceptable internally. Wolters Kluwer recommends defining acceptable use with escalation rules that specify what is allowed — summaries, issue lists, formatting, memo outlines — and what requires escalation — novel positions, ambiguous authority, sensitive transactions. A concrete example:

Authorized: AI surfaces candidate ASC references for a standard revenue recognition arrangement. Controller verifies each reference. Memo is drafted by the controller using AI structure.

Requires escalation: AI is asked about a complex collaboration agreement with multiple variable consideration components, intellectual property licensing, and profit-sharing. The fact pattern involves judgment calls where the Codification is intentionally silent. The controller reviews AI output with a senior technical resource before concluding.

Prohibited: AI renders a conclusion on a novel fact pattern without human analysis. AI output enters a workpaper without verified citations. AI is used to draft disclosure language that is filed without human authorship.

Nine specific vendor evaluation questions — organized into three domains (corpus and sources, generation and verification, audit and attribution) — are provided in Part 4: "Standing Up AI Governance in Your Accounting Department," along with a scoring guide for reading the answers.

---

ASKGAAP-HUB-2026-01PG 09 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

Five things to implement this quarter

You do not need to buy anything to begin addressing AI governance in your department. These five actions reduce your exposure before your next audit committee meeting.

1. Inventory where AI is already in use. Ask your team directly: who has used a general-purpose AI tool for technical accounting research in the last 90 days? No discipline. No judgment. Data gathering. You cannot govern what you have not inventoried. The honest answer in most departments is "most of us." Shadow AI usage has dropped from 78% to 47% over the past year (Netskope Cloud & Threat Report 2026) — but 47% is still nearly half of your team using personal accounts for work. EY's March 2026 Technology Pulse Poll documented the consequence at the executive level: 45% of technology executives reported a confirmed or suspected sensitive-data leak from unauthorized employee AI use, and 39% reported confirmed or suspected proprietary IP leaks. Extend the inventory to non-human agents: which AI features are active in your ERP, reconciliation platform, close-management tool, lease system, and tax provision software? Agents count.

2. Establish the surfacing/concluding boundary. AI surfaces references and drafts structure. AI does not render conclusions. The human who authors the conclusion is the human accountable for it. The red-line rule that makes this real: no AI-generated citation appears in a workpaper without independent verification at the source, with the verifier's initials on the page. This costs five minutes per memo and closes the single largest category of exposure.

3. Document AI use in the workpaper, not around it. The workpaper records what AI tool was used, what was queried, what output was used, who verified it, and the controller's independent conclusion. "AI-surfaced citations verified against source by [name] on [date]" — a consistent notation format used department-wide. This is the audit trail the COSO framework expects and the one the SEC's data-provenance language is asking for.

4. Talk to your external auditor before they ask. Present your AI governance posture at the next audit committee meeting. Three sentences: "Our department uses AI for research acceleration and structural drafting. We do not use AI to render accounting conclusions. Every AI-generated citation is independently verified before it enters a workpaper." Controllers who surface this proactively receive guidance. Controllers who wait receive findings.

5. Use AI more safely starting this week. Two techniques that require no policy change: (a) the two-query test — ask the AI a technical question, read the answer, then ask "what would be the argument against this treatment?" and see if it reverses position without resistance, which indicates pattern-matching rather than grounded analysis; (b) separate the citation from the analysis — ask for the ASC paragraph reference first, verify it at the source, then ask the AI to analyze it. Never read the AI's analysis without first confirming the source exists and says what the AI claims.

(A complete operational governance framework — including a working department policy template, staff training protocol, vendor evaluation questions with scoring, audit committee communication script, and four measurable metrics — is provided in Part 4: "Standing Up AI Governance in Your Accounting Department.")

---

ASKGAAP-HUB-2026-01PG 10 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

Bringing this framework to your CFO

Most controllers will read this guide, recognize their own department in the landscape, and then face a harder question: how do you bring this analysis to the CFO or CAO without sounding alarmist, captive to a vendor, or underprepared?

The answer is to present it as the controller's current-state assessment — your analysis of where your department stands, which risks apply specifically to your fact pattern, and what you recommend. The CFO is inundated with AI pitches; what they are missing is a considered read of reality from the person who owns the ICFR consequences.

An eight-slide framework, presented in thirty minutes, that a controller can customize:

A customizable PowerPoint template for this framework is available for download alongside this guide. It is ungated. The template is designed so that when the controller presents it to the CFO, the CFO sees the controller's analysis — not a vendor deck with someone else's logo in the corner.

UNGATED
Companion deliverable
The 8-slide CFO assessment template
Editable PowerPoint · neutral typography · no vendor watermark · the controller’s voice. Download directly — no form, no email gate.

Three questions to leave with your CFO

The most useful part of the presentation is often the three questions the controller poses at the end. The CFO's answers reveal whether the organization is positioned to govern AI or is about to discover that it is not.

1. "If our external auditor asked for a walk-through of every AI agent with financial-reporting authority, could finance and IT produce the list in one week?"

If the answer is yes, the inventory is current and the governance framework exists. If the answer is no, the first investment is not new AI — it is the inventory.

2. "If a conclusion in our most recent technical memo was AI-assisted, can we demonstrate the evidence chain from conclusion to authoritative source without calling the vendor?"

If the answer is yes, the vendor-diligence posture is sound. If the answer is no, the next diligence conversation with the vendor is the single highest-leverage action in the AI portfolio.

3. "When the audit committee asks at the next quarterly meeting how we are governing AI in financial reporting, what is our answer — in three sentences?"

If the controller has a ready answer, the question will be routine. If not, it will become the basis of the committee's follow-up for the next several quarters.

The CFO does not need to have all three answers today. The controller's job is to be the one who asked — and to be working on the answers before someone else asks them first.

---

ASKGAAP-HUB-2026-01PG 11 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

Where the profession is heading

The emergence of job titles like "AI Accounting Analyst," "AI Financial Reporting Specialist," and "AI Risk and Controls Specialist" signals where this is going. The accounting function is not replacing people with AI. It is adding AI governance to the controller's existing responsibilities — whether the controller asked for it or not.

Grant Thornton's April 2026 survey found that 75% of boards have approved major AI investments, but 48% have not set AI governance expectations. Deloitte's 2026 Finance Trends survey surfaced the parallel gap: 63% of organizations say they have fully deployed AI, but only 21% believe those investments have delivered tangible value, and only 14% have fully integrated AI agents directly into the finance function. Controllers are operating in both gaps — between investment and oversight, and between implementation and impact. The investment decision has been made above them. The governance responsibility has landed on them. The performance gap is the one they will be asked to explain.

The controllers who build governance now — before the external auditor requires it — are the ones who will define how their departments integrate AI. The ones who wait will implement someone else's framework under pressure.

---

ASKGAAP-HUB-2026-01PG 12 / 14
PART 1 · A CONTROLLER'S GUIDE TO AI IN TECHNICAL ACCOUNTING© 2026 CIS LLC

The series

Each part of this series is designed to be read independently. Together they provide a complete framework for AI governance in a corporate accounting department.

Also available

The Controller's AI Assessment Presentation Template — An 8-slide, editable PowerPoint deck for presenting this framework to your CFO or CAO. Neutral design, no vendor branding — your department's analysis, your voice. Download directly, no form required.

The question running through the series is not whether your department uses AI. It is whether the AI you are using was built to look right, or whether it was built to be right. The architectures are different. So are the liabilities.

---

© 2026 Contract Intelligence Systems LLC. All rights reserved. Published by AskGAAP. Authored by the AskGAAP professional CPA team. askgaap.ai

This article is AskGAAP professional CPA team commentary written for peer practitioners. It is not a substitute for professional judgment on your specific fact pattern. Where ASC standards, PCAOB, or SEC positions are cited, consult the primary source and confirm current applicability.

ASKGAAP-HUB-2026-01PG 13 / 14
SERIES NAVIGATION · CREDIBILITY · SUBSCRIBE© 2026 CIS LLC

Continue the series

Next in the series

Published by

PUBLISHED BY
AskGAAP. Built by Contract Intelligence Systems LLC, Wyoming. Authored by the AskGAAP professional CPA team. AskGAAP.ai  ·  Guidance at business speed.

Subscribe

Editorial · Not adviceThis article is AskGAAP professional CPA team commentary written for peer practitioners. It is not a substitute for professional judgment on your specific fact pattern or engagement circumstances. Where ASC standards, PCAOB, or SEC positions are cited, consult the primary source and confirm current applicability before relying on a conclusion.
ASKGAAP-HUB-2026-01 · © 2026 CIS LLC · WYOMINGPG 14 / 14 · END