BUSINESS SPEED
AI GOVERNANCE
IN YOUR
DEPARTMENT — standing up · the operational playbook
This piece is the operational response to the rest of the series. Not theory. Not warnings. A framework you can implement this quarter, mapped to the standards your external auditor already applies, designed for a corporate accounting department with limited staff and limited time.
---
The governance framework — mapped to what your auditor already uses
The COSO framework your external auditor applies to internal controls over financial reporting works for AI without modification. The February 2026 COSO publication Achieving Effective Internal Control Over Generative AI confirmed this explicitly. You are not building a new governance structure. You are extending an existing one.
Grant Thornton's April 2026 survey of 950 senior executives captures why this matters: 75% of boards have approved major AI investments, but 48% have not set AI governance expectations. Controllers are operating in the gap between investment and oversight. The COSO mapping below is how you close it.
| ICIF Component | What It Means for AI in Your Department | Minimum Viable Implementation |
|---|---|---|
| Control environment | Written department policy on AI use in financial reporting. What is authorized, what is prohibited, who approves exceptions. | One-page policy document, reviewed and signed by controller, distributed to staff, revisited quarterly. |
| Risk assessment | Task-level inventory of where AI is used, with materiality assessment for each. Not "we use AI" — which tasks, which conclusions, what is the consequence of error. | Spreadsheet: column A = task, column B = AI involvement level (surface/draft/conclude), column C = materiality if wrong. |
| Control activities | Preventive controls that stop unverified AI output from entering workpapers. Preventive is stronger than detective. | Red-line rule: no AI-generated citation in a workpaper without independent verification at the source. Verifier initials on the page. |
| Information & communication | AI use is documented in the workpaper in a form that enables independent review. | Standard workpaper notation: "AI-surfaced citations verified against source by [name] on [date]." Consistent format department-wide. |
| Monitoring | Periodic review of AI-assisted workpapers for quality. Error tracking. Feedback mechanism when AI output is wrong. | Quarterly review of a sample (5-10 AI-assisted memos). Track error rate. Adjust scope of AI use if error rate exceeds threshold. |
This takes a day to implement at the minimum viable level. It is extensible as your department's AI use matures.
---
Department AI policy — a working template
Adapt the language to your department's context, have it reviewed by legal, and distribute to staff.
Authorized uses:
- Research acceleration — using AI to surface candidate ASC references, SEC comment letter positions, and related guidance
- Contract extraction — using AI to identify key terms and provisions in executed agreements
- Structural drafting — using AI to produce memo skeletons (headings, section flow, placeholder analysis)
Prohibited uses:
- Rendering conclusions — AI may not author the accounting conclusion in any workpaper. The conclusion is the controller's.
- Unverified citations — no AI-generated ASC reference appears in a workpaper without independent verification at the source
- Unsupervised multi-step analysis — AI may not work through all steps of a multi-step standard (ASC 606 five-step model, ASC 842 classification) in a single unbroken exchange
- Disclosure drafting without human authorship — AI may generate a structural template for footnote disclosures but may not author disclosure language that is filed
Documentation standard:
Every AI-assisted workpaper includes: (a) what AI tool was used, (b) what was queried, (c) what output was used in the workpaper, (d) what was verified and by whom, (e) the controller's independent conclusion.
Review and exception process:
The controller approves any expansion of AI use beyond the authorized list. Exceptions are documented with rationale. Quarterly review of AI use patterns against this policy.
---
Staff training protocol
AI governance fails if the team does not understand it. One session, sixty minutes, four modules.
Module 1 — What AI actually does (15 minutes). Not how it is marketed — how it works. Token prediction, training optimization for helpfulness over accuracy, the absence of a verification mechanism. Use the observations from Part 2 of this series as the framework.
The most effective teaching moment. Demonstrate the affirmation trap live in the training session. Open ChatGPT. Ask a technical accounting question — something with a defensible answer on more than one side. Receive the confident answer. Then ask: "What is wrong with this treatment?" Watch the model reverse its position and identify problems with the conclusion it just endorsed. This live demonstration teaches more about AI reliability in sixty seconds than any slide deck. Every staff member who sees it will remember it the next time they are tempted to accept a first response without challenge. This is the single most shareable teaching moment in the series — try it in your next staff meeting.
Module 2 — Department policy walkthrough (15 minutes). Authorized uses, prohibited uses, documentation standard. Use real examples from your department's own work — not hypothetical scenarios.
Module 3 — Safe-usage techniques (20 minutes). The two-query test. Separating the citation from the analysis. Breaking complex scenarios into discrete steps. Red flags that indicate pattern-matching. These are the techniques from Part 2, practiced on live scenarios.
Module 4 — Documentation practice (10 minutes). Staff practice the workpaper notation format on a sample memo. The notation becomes muscle memory, not a compliance burden.
Repeat annually or when the department's AI tools change materially.
---
Evaluating purpose-built AI tools
Once your internal governance is operational, you may evaluate specialized AI tools for technical accounting. The following questions distinguish real architecture from marketing. Ask them in writing. Document the responses. Attach the documentation to your vendor diligence file.
Corpus and sources:
1. Which specific authoritative sources does your corpus include? For any copyrighted source — FASB ASC Codification, Big 4 interpretive publications — can you document redistribution rights?
2. Can you produce the license documentation on request?
3. What happens when your system encounters a query it has no authoritative support for? Does it produce an answer anyway?
Generation and verification:
4. Describe the steps between receiving a query and producing output. What components handle retrieval, generation, and verification — and are they the same component or separate?
5. What mechanism prevents your system from producing a claim that is not supported by a source in your corpus? Is it mechanical or probabilistic?
6. What is your hallucination rate? How did you measure it? Against what reference set? Will you share the methodology?
Audit and attribution:
7. Can I trace a conclusion to the underlying source text at the paragraph level — without your assistance and without trusting your assertions?
8. Who bears professional liability when your system produces a conclusion a controller relies on that turns out to be wrong?
9. If my external auditor asked to evaluate your system's controls under COSO ICIF, what documentation would you provide, and how long would it take?
How to read the answers. Three signals: specificity (engineering answers vs. marketing generalizations), architectural language ("fails closed," "deterministic," "verification layer" vs. "AI-powered," "smart," "advanced"), and comfort with hard questions (vendors who welcome questions 5, 7, and 9 have thought about them; vendors who deflect have not).
AskGAAP publishes this series and makes a tool designed to answer these nine questions. We invite you to evaluate AskGAAP against this same framework — the questions were written to be applied to any vendor, including us. Our architecture and how it maps to each question is documented on our website.
---
The audit committee conversation
You will need to present your AI governance posture to the audit committee. Three minutes:
Minute one — state the facts. "Our department uses AI tools for research acceleration and structural drafting. We do not use AI to render accounting conclusions. We have a written policy, and all staff have been trained."
Minute two — describe the controls. "Every AI-generated citation is independently verified at the source before it enters a workpaper. AI use is documented in the workpaper with a standard notation. We conduct quarterly reviews of AI-assisted work product for quality."
Minute three — address the question they are about to ask. "Our governance framework maps to the COSO ICIF components that [auditor name] applies to our other internal controls. We have discussed our AI governance posture with the engagement team. We are prepared for the SEC's FY2026 examination focus on AI data provenance and documentation."
Controllers who present this proactively receive guidance and earn credibility. Controllers who wait for the auditor or the board to raise it receive questions they are not prepared to answer.
---
How to measure whether it is working
Governance without measurement is theater. Four metrics, tracked quarterly:
| Metric | How to Measure | Target |
|---|---|---|
| Verification rate | Percentage of AI-generated citations in workpapers with documented independent verification | 100% — this is a binary control, not a gradient |
| Error rate | In your quarterly sample review, percentage of AI-surfaced citations that were incorrect when verified | Declining quarter over quarter. If rising, reduce AI scope. |
| Documentation compliance | Percentage of AI-assisted workpapers with complete standard notation | 100% within two quarters of policy implementation |
| Staff policy comprehension | Short written test administered at annual training covering authorized/prohibited uses and documentation standard | >90% pass rate; remedial training for any staff below threshold |
If these four metrics are green, your AI governance posture is defensible. If any are red, you know exactly where to intervene.
---
Where this leaves you
The controllers who build governance now — before the external auditor requires it — are the ones who define how their department integrates AI. The ones who wait will implement someone else's framework under pressure.
This series has provided the tools: understand where AI helps and where it breaks (Parts 2 and 3), build governance that makes AI use defensible (Part 4), and document everything so the audit trail exists before anyone asks for it.
---