When AI-Generated Data Seeds Financial Reporting: A Governance Guide

This guide provides a practical window into board and management roles as AI becomes embedded in financial reporting. While it generally contemplates a public company reporting structure, many of the same principles apply across entity types. Companies should adapt their governance models to their strategy and risk profile, the company's organizational and control structure, and the manner in which it is deploying AI. Governance that is technically sound but organizationally misaligned rarely takes root.

It may sound counterintuitive, but returning to fundamentals as the foundation is a good starting point. The 10-K and the 10-Q were designed to ensure that investors receive accurate, timely, and material information about a company's financial condition and results of operations. The SOX certification requirement added personal accountability for that accuracy. The principles have not changed. As finance professionals use new tools to produce data that flows into these reports, they should satisfy themselves that their analysis supports this purpose.

Lastly, the governance questions AI raises in financial reporting do not have uniform answers. Accordingly, a prescriptive approach is often not the best one. In many cases, the ability to ask the right questions will be the foundation that shapes the most effective governance programs.

1

Board of Directors

Role

Oversight - satisfying itself that management's approach to AI-assisted financial reporting is credible and that appropriate controls exist, without managing the process itself.

Representative Considerations

  • Calibrate oversight to the company's risk profile - the depth of inquiry should reflect how deeply AI is embedded in financial reporting processes and how material the outputs are to external disclosures.
  • Understand where AI is being used in financial reporting, disclosure, forecasting, and investor communications, as applicable.
  • Confirm that AI governance is treated as an enterprise risk issue, not merely a technology or compliance exercise.
  • Consider whether AI risk is integrated into ERM and financial reporting oversight rather than siloed as an IT risk.
  • Understand the AI governance framework, and not merely from a technology standpoint: what AI is doing, who owns it, what controls exist, and how issues are escalated.
  • Satisfy itself that management reporting on AI in financial reporting processes is supported by sufficient information to assess whether management's approach is credible.
  • Certain aspects of this oversight function may be performed by the audit committee or other committees. This guide assumes audit committee oversight as described in the sections that follow.
  • Periodically assess whether the full board and audit committee are coordinated on AI oversight.
2

Audit Committee

Role

Substantive oversight of the financial reporting system - satisfying itself that management has identified the relevant risks and established effective controls.

Representative Considerations

  • Apply the existing mandate over financial reporting integrity, ICFR, disclosure controls, and the external auditor to AI-assisted reporting processes.
  • Ask management how it identifies AI tools embedded in financial statements, MD&A, earnings materials, investor communications, ERP systems, and FP&A platforms, as applicable.
  • Understand whether AI tools are risk-classified, including distinctions among deterministic, probabilistic, generative, and agentic or autonomous tools - each category carries different control implications.
  • Confirm that ICFR assessments consider AI-enabled processes where those processes affect material financial reporting risks, including by considering COSO's 2026 GenAI guidance or other relevant control frameworks.
  • Understand the process for documented human validation before AI-generated outputs become financial statement inputs or disclosure support.
  • Ask the external auditor how AI affects the auditor's understanding of information systems, control risk, and audit evidence - and, for companies subject to SOX 404(b), how AI-enabled processes that affect ICFR are addressed in the integrated audit.
  • Confirm that internal audit is covering AI governance, including model documentation, validation, vendor changes, and completeness of the inventory or model registry.
  • Consider third-party risk oversight, including in the context of the AI tech stack and the extent to which AI vendor contracts include audit rights, data protections, change-management notice, and transparency around material model or functionality changes.
  • Ask specifically about shadow AI, including what tools finance and accounting teams are using.
  • Understand what AI-specific representations, if any, management is making in the management representation letter to the external auditor, and the process management undertook to support those representations.
  • Ask whether management has assessed whether the AI tools embedded in financial reporting processes create a fraud risk that existing controls need to address.
  • Focus on whether the system that produced the numbers is trustworthy, including the AI layer.
3

CEO

Role

Enterprise accountability - the CEO does not manage the controls personally but should understand whether the certification process has adapted to AI-enabled reporting risks, including whether subcertification processes effectively surface AI dependencies before they reach the executive level.

Representative Considerations

  • Understand that AI-assisted processes that materially influence financial reporting may need to be considered in the CEO/CFO certification process, including disclosure controls and procedures and ICFR-related responsibilities.
  • Remember that disclosure controls and procedures are designed to support the certifying officers' disclosure decisions. They provide a reasonable basis for signing only if the underlying processes have been adequately evaluated and controlled.
  • Set the organizational tone: AI governance in financial reporting is an enterprise accountability issue, not a matter to delegate entirely to finance, IT, or legal without clear ownership at the top.
  • Confirm that accountability for AI governance in financial reporting is assigned to a named executive and more broadly integrated into the overall AI governance structure within the organization, as appropriate.
4

CFO

Role

Process integrity - the CFO has the most direct executive accountability on behalf of management for the financial reporting and disclosure control environment, including AI tools embedded in processes that produce, analyze, or support reported information.

Representative Considerations

  • Ensure that the CFO's evaluation of disclosure controls and procedures addresses the design and operating effectiveness of AI-assisted processes embedded in financial reporting and disclosure.
  • Ensure that there is sufficient ownership and maintenance of the inventory of AI tools used in financial reporting, disclosure, FP&A, forecasting, earnings materials, and investor communications, as applicable.
  • Require documentation for each AI tool used in financial reporting and disclosure processes covering owner, risk classification, approved use case, and validation status.
  • Assess the quality and integrity of data inputs feeding AI models - a validated model operating on stale, incomplete, or unreliable data may produce unreliable outputs regardless of how well the model itself has been tested.
  • Extend ICFR assessments to address AI-enabled processes where those processes are significant to financial reporting.
  • Establish validation protocols for AI-generated outputs, including human review, reviewer identity, date, sources checked, and basis for reliance.
  • Include AI governance in regular audit committee updates on ICFR and disclosure controls.
  • Maintain visibility into AI-produced or AI-assisted outputs that flow into Exchange Act filings or management certifications.
5

Controller / Chief Accounting Officer

Role

Close process integrity - the Controller often serves as a key senior checkpoint before AI-generated outputs reach the CFO and the certification chain, and subcertification procedures should reflect that responsibility.

Representative Considerations

  • Address AI-assisted close and reporting processes within subcertification procedures where those processes affect material financial reporting.
  • Know which AI tools operate in the close process, what they do, who owns them, and when they were last validated.
  • Assess the quality and currency of data inputs feeding AI tools in the close process - input quality is a control risk distinct from model validation.
  • Require validation records for AI-generated schedules, reconciliations, estimates, analyses, or narratives that feed financial statements or footnotes.
  • Update close controls, review steps, approval thresholds, exception handling, and variance analysis for AI-assisted outputs.
  • Maintain a documented and tested manual fallback protocol for AI-enabled close processes, particularly for tools that affect material financial reporting during compressed quarter-end periods.
  • Own or co-own the financial reporting AI inventory or model registry.
  • Track version changes, vendor-driven updates, and changes requiring control assessment - including establishing a process to evaluate model updates before they take effect during active reporting periods.
6

FP&A Team and Finance Function

Role

Output ownership - finance professionals remain responsible for information they use, even when AI helps produce it.

Representative Considerations

  • Understand which AI tools are approved for financial reporting, forecasting, guidance, earnings materials, investor communications, and analysis.
  • Treat the analyst or finance professional accepting an AI output as the first control point in the reporting chain.
  • Validate AI-generated outputs before they move upstream into reporting, disclosure, forecasting, or investor-facing materials.
  • Check outputs against current business conditions, source data, assumptions, known developments, and management judgment.
  • Document validation: what was checked, what sources were used, who reviewed it, and the basis for reliance.
  • Escalate anomalous AI outputs rather than accepting, overwriting, or ignoring them without explanation.
  • Avoid consumer AI tools for reporting-related work unless explicitly approved and supported by data handling controls and validation protocols.
  • Treat shadow AI as a governance issue, even when well-intentioned.
  • Maintain practical fluency: what tool was used, whether it was approved, what it produced, how it was validated, and who exercised judgment before the output moved forward.
7

Disclosure Committee

Role

Disclosure integrity - ensuring that AI-assisted narratives reflect management's views and analysis, not merely what an AI tool inferred from patterns.

Representative Considerations

  • Identify AI-generated or AI-assisted content in draft filings, MD&A, risk factors, variance explanations, and earnings materials, as applicable.
  • Validate AI-generated narratives against actual business intelligence and current management knowledge.
  • Apply appropriate discipline around MD&A disclosures: does the explanation reflect known trends, demands, commitments, events, and uncertainties, or merely prior-period pattern recognition?
  • Assess whether AI-generated content is technically accurate but misleading by omission.
  • Update Disclosure Committee protocols to address AI-assisted content specifically.
  • Ensure legal, finance, accounting, investor relations, and business reviewers understand when AI has contributed to disclosure language.

A note on the external auditor.

How AI affects the auditor's understanding of information systems, control risk assessment, reliance on automated controls, and the sufficiency of audit evidence are active areas of guidance from the major accounting firms and the PCAOB. Those questions are better addressed directly with your auditor.

Key Principles

The Upstream Effect. AI-generated data and analytics travel upstream. The regulatory and governance framework will depend upon how these outputs are embedded in the financial reporting process.

Chain of Reliance. The reporting chain is only as strong as its weakest input. A flawed AI output has the potential to compound as one decision-variable feeds into another.

Risk of Flying Blind. Organizations cannot govern what they have not identified. Classification, validation, and oversight all start with a robust process for creating and maintaining an AI inventory.

Built for Purpose. The governance and control framework should match the operating model and risk. The more embedded and autonomous the AI system, the more rigorous the oversight and controls.

Key Questions

  • Where is AI being used in the financial reporting and disclosure process?
  • Which uses are material, high-risk, or relied upon in external reporting?
  • Who owns each AI-enabled process?
  • Has the tool been approved for the relevant use case?
  • Is the tool deterministic, probabilistic, generative, or agentic/autonomous? Do the controls reflect that distinction?
  • Is the data feeding the AI model reliable, current, and controlled?
  • What human validation is required before AI outputs move upstream?
  • How is validation documented?
  • If an AI system produces unreliable outputs or behaves unexpectedly, is there a documented and tested protocol for disabling or reverting to manual processes?
  • Are vendor-driven changes captured through change-management controls?
  • Are embedded AI tools inside existing platforms included in the inventory?
  • Has shadow AI use been assessed?
  • Has management assessed whether AI tools in financial reporting processes create distinct fraud risk, not just model error risk?
  • Can management explain the basis for AI-generated outputs in material financial reporting processes to auditors, regulators, and oversight bodies?
  • Are disclosure controls, ICFR, internal audit, external audit, and audit committee reporting aligned around the same understanding of AI use?

This guide is limited to AI in financial reporting and related disclosure processes. It does not address the broader use of AI across strategy, risk management, capital allocation, human capital, or operations, although AI-generated FP&A outputs may inform those areas. Similarly, the use of AI tools by Disclosure Committee members and reviewers to review, summarize, or analyze draft materials raises separate considerations that are also beyond the scope of this guide.

Next
Next

Elon’s New World and the SPCX Board - Without Power Can There Be Responsibility?