COSO releases practical roadmap for managing generative AI risks and controls

AI News

New publication translates COSO’s Internal Control Integrated Framework into practical, audit-ready guidance for managing GenAI

NEW YORK, February 23, 2026 /PRNewswire/ — The Committee of Sponsoring Organizations of the Treadway Commission (COSO) today announced a new publication, Enabling effective internal controls for generative AI (GenAI), which provides organizations with a practical, COSO-aligned approach to managing the risks and opportunities presented by rapidly advancing generative AI technologies.

Generative AI is moving into boardrooms and day-to-day operations much faster than traditional governance models predicted. Organizations are already using AI-enabled tools to automate adjustments, accelerate analysis, compress timelines, support decision-making at scale, and reimagine workflows. This rapid adoption introduces new types of risk, from increased cyberattack exposure and prompt-based manipulation to opaque inference, model drift, and frequent configuration changes, any of which can jeopardize the integrity of operations, reporting, and compliance if not addressed with robust internal controls.

“Generative AI is transforming the way organizations work, make decisions, and manage information,” said Lucia Wind, executive director and chair of COSO. “While its rapid adoption offers tremendous potential, it also introduces new risks that require disciplined oversight. The COSO Internal Control Integrated Framework provides organizations with a clear, proven structure to ensure that GenAI is deployed responsibly and with the rigor necessary to support reliable operations, reporting, and compliance.”

Building on COSO’s previous thought leadership, Maximize the potential of artificial intelligence, this new publication, commissioned by COSO and written by Scott Emett of Arizona State University, Marc Eulerich of the University of Duisburg-Essen, Jason Guthrie of Ernst & Young, Jason Picous of Meta, and David A. Wood of Brigham Young University, translates COSO’s Internal Control Integrated Framework (ICIF) into concrete internal control practices for GenAI.

Rather than proposing a new governance model, the publication adapts the five components of the COSO ICIF (control environment, risk assessment, control activities, information and communication, and monitoring activities) to GenAI-specific practices. It is designed for professionals responsible for implementing and monitoring AI processes, including:

  • Management and operations teams
  • Compliance and risk management teams
  • Administrative and financial reporting groups
  • IT governance and information security
  • Board committees and supervisory bodies
  • External auditors evaluating GenAI-related controls
  • Internal audit departments

The report introduces several new elements to help organizations operationalize GenAI governance:

  • Feature-first taxonomy: GenAI use cases are organized into eight functional types (ingestion, transformation, contribution, orchestration, adjudication, monitoring, regulatory intelligence, and human-AI interaction), each with tailored control considerations that reflect how GenAI risks manifest throughout the data-to-decision lifecycle.
  • Audit-ready control mapping: Each feature includes examples, minimum management expectations aligned with all five COSO components, and illustrative metrics to support both operational monitoring and audit evidence collection.
  • Practical implementation artifacts: Starter templates such as risk assessment matrices, control test procedures, and metrics dashboards help organizations accelerate adoption and reduce time to value.

“GenAI poses risks that are evolving as rapidly as the technology itself,” said author David Wood. “By grounding GenAI governance in COSO’s established internal control principles, organizations can build systems that are both adaptable and audit-ready.”

The publication emphasizes that while GenAI will transform the way organizations generate, process, and act on information, it will not change the fundamental purpose of internal control: helping organizations ensure they achieve their objectives. Instead, GenAI challenges organizations to apply COSO principles with new rigor, clarity, and traceability.

“GenAI can be wrong with conviction and can be easily manipulated or deployed outside formal monitoring channels,” Wind added. “This guidance will help organizations strengthen their internal control environments and enable them to leverage the benefits of GenAI while managing its inherent risks.”

To learn more or download a copy of Enabling effective internal controls for generative AI (GenAI), visit www.coso.org.

About COSO
Founded in 1985, COSO is a voluntary private-sector organization dedicated to helping organizations improve their performance and governance through thought leadership on internal control, enterprise risk management, governance, and fraud deterrence. COSO is co-sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA). For more information, please visit www.COSO.org.
