Financial institutions are turning to artificial intelligence to automate everything from transaction processing to regulatory reporting, but regulators and auditors are demanding a deeper level of oversight.

The first step for any organization is to inventory where AI is embedded in the financial reporting and close cycle. A clear inventory shows which systems rely on AI for account mapping, ledger postings, reconciliations, or data classification. Without visibility, firms expose themselves to data quality issues, model logic errors, bias, and over‑reliance on automation. The inventory also informs the design of manual or automated controls that can be tested for effectiveness.

Auditors now evaluate AI systems as part of internal control over financial reporting (ICFR) and other regulatory reporting frameworks. Their focus includes transparency of model logic, integrity of data inputs, bias mitigation, and the accountability of review decisions. Auditors may test AI outputs against known benchmarks, assess the adequacy of change‑management procedures, and verify that model updates are properly versioned and approved.

AI introduces new risk considerations that intersect with the five core IT general‑control (ITGC) domains: 1. Access controls – who can view or modify model logic and the data it consumes. 2. Change management – how model updates, configuration changes, and algorithm adjustments are documented, tested, and authorized. 3. Computer operations – controls around job scheduling, processing, and error handling for AI inputs and outputs. 4. Program development – design, build, and test procedures for new AI models or major releases. 5. Cybersecurity – protection of AI systems and data from emerging threats.

Guidance such as BDO’s AI Governance Guide, which aligns with the NIST AI Risk Management Framework, helps firms structure these controls. The guide recommends establishing protocols for model versioning, pre‑deployment testing, and approval before source‑code or data changes go live. Continuous monitoring and testing of AI models and underlying data are also emphasized to ensure that change controls remain effective over time.

The ISO/IEC 42001:2023 standard on responsible AI management further reinforces the need for systematic governance. It outlines principles for ethical use, accountability, and risk mitigation, and can be mapped to existing internal‑control frameworks.

Regulatory expectations are tightening. The European Union’s 2024 AI Act, for example, imposes obligations on high‑risk AI systems, which include many financial‑reporting applications. In the United States, auditors under the Sarbanes‑Oxley Act and the AICPA’s SSAE 18 guidance are increasingly incorporating AI‑specific testing into their engagements.

For firms that have not yet mapped AI usage, the risk is twofold: potential non‑compliance with evolving regulations and the likelihood of material misstatements if AI outputs are inaccurate or biased. Conversely, a robust AI inventory and governance framework can reduce audit scope, preserve stakeholder trust, and support timely, reliable financial statement issuance.

BDO’s Technology Risk Assurance team offers tools and expertise to help organizations assess AI usage, align governance with regulatory and audit expectations, and evaluate control readiness. Firms interested in strengthening their AI oversight are encouraged to engage with BDO for a tailored assessment.

In summary, as AI becomes integral to financial reporting, firms must move beyond ad‑hoc usage to a disciplined, documented approach. By mapping AI systems, embedding controls across ITGC domains, and adopting industry‑aligned frameworks, organizations can mitigate emerging risks, satisfy auditors, and comply with evolving regulatory mandates.