AI for ICFR: From Experimentation to Embedded Controls

Paul Elggren, Bo Qiu, John Norton
5/26/2026

AI use in financial reporting has moved past the pilot phase, and organizations transitioning from experimentation to execution should implement clear controls and oversight.

AI tools can streamline financial reporting, provided strong governance is in place that balances innovation with sound risk management practices. But can AI be trusted as it becomes part of day-to-day internal control over financial reporting (ICFR) processes and the controls behind them?

Recent guidance on internal controls regarding generative AI use from the Committee of Sponsoring Organizations reinforces a useful point for finance leaders: AI does not replace the internal control framework. Rather, it changes how organizations apply it in environments where outputs are uncertain, models are dynamic, and configuration changes can materially affect results.

These factors matter because AI is increasingly assisting with matching transactions, extracting data, identifying anomalies, drafting variance reports, and supporting aspects of the financial statement close process. In some cases, management is simply using AI as a productivity aid. In others, management relies on AI-generated outputs as part of a control or as part of evidence supporting a control. This distinction will shape how organizations govern AI going forward.

As AI use becomes more common in financial reporting, companies need to think carefully about where it can be used and what controls should be in place before they rely on it. Organizations can take practical steps to mitigate risk as AI becomes more embedded in financial processes, and internal auditors can sharpen their focus on key control areas. When using AI in financial reporting, establishing clear structure, accountability, and transparency is essential for effective operations and audit readiness.

Inventory and risk

Before any AI tool touches financial reporting, management should confirm that its AI governance program applies across the company’s business functions. Organizations should maintain a current inventory of AI tools and use cases, along with a documented rationale for risk ranking and clear linkage to control ownership and IT general controls (ITGCs). The governance program should help dictate where these tools fit within the control environment and what conditions must be met before reliance is allowed. Steps to consider include:

  • Developing a use case inventory for controls. Identify where tools touch reconciliations, close activities, reporting, or control execution, even if the initial purpose was only productivity support.
  • Establishing risk tiers. Risk-rank use cases based on financial statement impact, degree of judgment, level of automation, and reliability of data inputs and outputs.
  • Performing an ICFR impact assessment. Evaluate the effect on in-scope business processes, IT processes, and the overall control environment as part of the risk-ranking exercise.
  • Defining access and change controls. Control who can use the tools, who can change prompts or settings, and how those changes are tested, approved, and tracked before being deployed into financial reporting processes.

A simple tiering model can help management align the level of oversight needed and control evidence required to provide assurance over each use case. The following chart provides an illustrative view of risk tiers and examples when classifying use cases into risk categories. Companies should consider their own facts and circumstances and related risks of material misstatement when risk-tiering and designing controls.

Illustrative risk tiers

Tier 1 (High risk)
  • Typical characteristics: Material financial statement impact; management judgment and estimations
  • Potential use cases: Manual journal entries; fair value estimates; forecasting
  • Human role: Output is reviewed and approved through a human-in-the-loop (HITL) process before use
  • Potential control: Tier 2 controls and real-time review

Tier 2 (Moderate risk)
  • Typical characteristics: Structured activity with meaningful impact and moderate judgment or interpretations
  • Potential use cases: Accounts payable accruals; reconciliations; close support; account analysis
  • Human role: Human-monitored process and intervention on exceptions
  • Potential control: Tier 3 controls and periodic governance reevaluations; exception rate monitoring; sampling

Tier 3 (Low risk)
  • Typical characteristics: Objective, easy-to-verify task with contained impact
  • Potential use cases: Data extraction; matching classification support
  • Human role: AI execution within designed rules; human-set guardrails; periodic human review of output for exceptions
  • Potential control: Traditional change management procedures in addition to logging, approval, and drift analysis

Source: Crowe analysis, April 2026

External audit lens: External auditors often ask for a current inventory of in-scope AI use cases, documented rationale for the risk ranking, and evidence that management tied those use cases back to existing non-AI business process controls for risk mitigation.

Accountability and review

As adoption increases, organizations might consider shifting select use cases from HITL to human-led agents, but only where performance is well understood and supported by effective monitoring and review controls. Organizations should define who owns each use case, what level of review is required, and when escalation is needed based on judgment, materiality, or exceptions. HITL processes are quickly becoming integrated into business applications. Human-led agents, on the other hand, are moving closer to financial processes but are not widely used, because ownership and governance are harder to pinpoint. Accountability needs to be explicit at the process, governance, and oversight levels, including when each level of involvement is appropriate. Regardless of which risk tier an AI model is connected to, management is still ultimately accountable for results. Areas that can benefit from specific focus include:

  • Management ownership. Clearly define who owns what. Finance and process owners should know where AI is embedded, what it is doing, and what level of review is required before results are used in financial reporting.
  • Strategy review. Match the level of human involvement to the risk of the task. High-risk areas (tier 1) might need direct review (HITL); structured, lower-risk activities (tier 2) might require more exception-based oversight.
  • Governance leadership. Assign a designated leader or committee to oversee use cases, policy updates, change management, and issue escalation.
  • Board and audit committee oversight. Provide governance bodies with a clear view of where these tools affect financial reporting and how related risks are being mitigated.

For most current ICFR use cases, HITL remains the standard when outputs could affect estimates, disclosures, or other high-risk areas. Following is a helpful overview of criteria to consider when applying this approach from an internal control perspective.

Oversight models

HITL
  • Human role: Output reviewed and approved by a human before use
  • When to use: High-judgment or disclosure-sensitive areas
  • ICFR implication: Human review as primary control; assistive tool
  • Audit evidence: Reviewer sign-off, re-performance, or documented corroboration for each item or sample reviewed

Human-led agents
  • Human role: Human-monitored process and intervention when thresholds or exceptions are triggered
  • When to use: High-volume, structured activities with well-defined rules and tolerances
  • ICFR implication: Automated process part of control design; oversight of system performance and exception handling; could necessitate ITGCs based on the level of AI reliance
  • Audit evidence: Exception logs; threshold governance; tuning history; evidence of timely alert resolution

Source: Crowe analysis, April 2026

External audit lens: Auditors will seek to understand whether management clearly defined ownership, responsibilities, and appropriate oversight and escalation where AI is used in ICFR. They also will expect transparency into how performance is monitored and accountability is maintained as use evolves.

Traceability and evidence

When AI affects financial reporting or controls, management needs documentation that explains how the output was produced, reviewed, and retained. Organizations need to gather sufficient detail on source data, inputs, configurations, outputs, and reviewer actions to explain how a result was produced.

For ICFR purposes, completeness and accuracy no longer stop with the report when AI is involved. Relevance and reliability also extend to the data, model version, and configuration used to produce information provided by the entity. Factors to consider include:

  • Process documentation. Document where the tool is used, what it does, what data it relies on, and how management reviews the result before it affects financial reporting.
  • Traceability. Retain specific details about source data, prompts, settings, and model versions to explain how a result was produced.
  • External auditor communication. Provide external auditors early and direct communication to align reliance, evidence, and planned testing.
  • Data lineage. Document the origin, completeness, and known limitations of the data feeding the model or retrieval process.
  • Prompt and configuration management. Treat prompts, thresholds, and related settings like controlled configurations that are versioned, tested, and approved.

External audit lens: External auditors will look for a usable audit trail, not just a statement that a tool was involved. Management should be able to show inputs and outputs, who reviewed them, and what changed over time.

Monitoring and change controls

Once a use case is live, management’s focus shifts from one-time validation to ongoing monitoring. A control that works at go-live still needs to prove it remains reliable over time. Organizations need to be able to demonstrate how performance is monitored over time, including validation results, exception handling, and controlled approval of changes to prompts, thresholds, or models. Actions to consider include:

  • Real-time or near-real-time review. Especially early on, compare outputs to expected results and investigate exceptions promptly.
  • Exception-rate monitoring. Watch for changes in the volume or pattern of exceptions. A sudden spike can signal a control breakdown, a configuration issue, or a change in the underlying data.
  • Performance trend analysis. Track changes in accuracy, completeness, or other quality indicators over time rather than relying only on a point-in-time test.
  • Logging and auditability. Maintain records of configurations, review steps, exceptions, and changes that could alter results. AI models should have strict change management and logging procedures in place to confirm all changes are approved and traceable.
  • Periodic governance reevaluation. Reassess strategy, risk ranking, and oversight responsibilities as the technology and the underlying processes evolve.

External audit lens: External auditors will not stop at initial validation. They will look for evidence that management identified, investigated, and corrected performance issues throughout the reporting period. All changes must be monitored and documented.

Strengthening trust

AI can create real value in financial reporting, from first-line control preparation and execution through third-line testing, review, and reporting. However, these benefits depend on how well companies govern, review, and monitor their AI use.

Organizations that have clearly defined policies, risk-based oversight, and strong documentation can better position themselves to scale AI with confidence across their internal audit function. Additionally, they can be better prepared to show external auditors and other stakeholders that the process is reliable and controlled. In the end, the goal is not simply to adopt AI faster but to use it in a way that strengthens trust in financial reporting.


About the authors

Paul Elggren, Partner, Risk Consulting
Bo Qiu, Principal, Risk Consulting
John Norton, Risk Consulting
