Internal Control in the Age of AI – When Governance Moves from Paper to Code

Invoices were stamped. Payments were signed. Warehouses were locked. Inventory was counted. Ledgers were reviewed line by line. The architecture of control was tangible — and therefore intuitively understandable.

If something went wrong, you could often point to a person.

Today, internal control still exists — but it has become architectural rather than procedural.

The modern annual report is no longer the product of clerks and paper trails. It is the output of integrated ERP systems, automated consolidations, API-fed data streams and increasingly algorithmic analysis. The warehouse has become a server cluster. The reconciliation has become an automated interface. The management review is often a dashboard populated by predictive models.

And this is where governance faces a silent inflection point.

Because the principles of internal control have not changed — but their operating environment has.

The Invisible Migration of Control

COSO’s internal control framework remains intellectually robust. Its five components — control environment, risk assessment, control activities, information & communication, monitoring — still define the architecture of reliable reporting.

But when COSO was formalised, financial systems were deterministic and human-centered. Transactions were entered manually. Reviews were physical. Errors were local.

In today’s environment, the system processes more transactions in a minute than a finance team once processed in a week. Adjustments can be deployed across entities globally through a configuration change. An algorithm can influence thousands of classification decisions instantly.

Control has not disappeared. It has migrated.

And migration without translation is dangerous.

If boards continue to think of segregation of duties purely as a staffing principle, they miss the fact that a single system administrator may override segregation logic digitally. If they think of review controls purely as managerial sign-off, they may overlook the fact that the numbers being reviewed were partially shaped by machine learning models.

The language of governance must evolve.

Why AI Is Not Just Another IT Tool

It is tempting to treat AI as a subset of IT. After all, it runs on servers. It is coded. It can be tested.

But AI is not just infrastructure. It is a decision-influencing system.

Traditional ERP systems are rule-based. If configured correctly, they produce predictable outcomes. AI systems, by contrast, are probabilistic. They identify patterns, generate predictions and adapt when retrained.

This distinction matters.

When an ERP interface fails, transactions may be incomplete. When an AI model drifts, financial judgments may gradually shift — without visible system error.

That is a different risk category.

Consider impairment testing under IAS 36. Historically, management developed cash flow forecasts based on economic assumptions. Today, predictive models may assist in forecasting. If such a model is retrained on optimistic historical data, it may systematically underestimate impairment triggers.

No fraud. No manual override. Just statistical momentum embedded in code.

That is why AI governance is not a technical detail. It is a financial reporting issue.

AI governance in financial reporting Internal control and AI COSO AI governance EU AI Act reporting Algorithmic accountability AI risk management

AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting AI governance in financial reporting

Segregation of Duties Reimagined

Segregation of duties has always been the cornerstone of internal control. No individual should initiate, approve and record the same transaction. It prevents concentration of power.

In ERP environments, segregation became role-based access control. User rights determine who can post, who can approve, who can configure.

But what happens when an AI system suggests journal entries?

Suppose a model scans transactions and proposes accruals. Suppose it flags anomalies and suggests reclassifications. Suppose management accepts 95% of those suggestions without adjustment.

Formally, segregation exists. In practice, algorithmic influence may dominate judgment.

The governance question becomes subtle:

Who challenges the model?

If the same team designs, trains and validates it, segregation has collapsed — not at human level, but at algorithmic level.

This is where the concept of model oversight becomes essential. Not because regulators demand it (though increasingly they do), but because internal control logic demands it.

Segregation must exist wherever power exists.

If models shape reporting outcomes, models must be subject to independent challenge.

From Physical Custody to Data Custody

There was a time when safeguarding assets meant locking doors.

In many industries, the most valuable assets were inventory and equipment. Governance ensured physical custody and periodic counting.

Today, the most sensitive reporting assets are data sets and system configurations.

But AI introduces a deeper layer: training data.

Training data is not merely stored information. It is embedded logic. It shapes classification behaviour, anomaly detection thresholds and predictive outcomes.

If training data contains embedded bias, the output reflects it. If training data is incomplete, the model’s “understanding” of economic reality is distorted.

In financial reporting terms, this can translate into:

Misclassification of revenue streams
Underestimation of expected credit losses
Misreporting of sustainability metrics

Training data therefore becomes a control object.

It must be documented, version-controlled and protected.

Data is no longer just an input. It is part of the control environment.

The Subtle Risk of Overconfidence

One of the most underestimated governance risks of AI is psychological.

AI outputs often look precise. Numbers are calculated quickly. Dashboards are visually convincing. Forecast curves are smooth.

Precision creates an illusion of certainty.

Boards must resist this illusion.

A human-generated forecast clearly carries judgment. An AI-generated forecast may appear objective — yet embed assumptions that are harder to detect.

This is where governance maturity becomes visible.

Strong governance does not reject AI. It interrogates it.

It asks:

What assumptions underlie this model?
When was it last retrained?
How sensitive are the outputs to input variation?
Who has authority to override it?

The goal is not to slow innovation. It is to anchor innovation in accountability.

A Turning Point for Annual Reporting

Annual reporting is entering a hybrid era.

Financial data flows through integrated systems. Sustainability data expands under CSRD. Predictive analytics assist in planning. AI tools generate draft narratives and analytical insights.

The annual report is no longer assembled. It is orchestrated.

And orchestration requires architectural governance.

The question is no longer whether internal control exists. It does.

The question is whether internal control has been translated into the language of systems and algorithms.

If not, governance rests on legacy assumptions in a transformed environment.

And that is fragile.

When Standards Meet Algorithms

IFRS Judgement, CSRD Expansion and the New Anatomy of Model Risk

Internal control does not exist in abstraction. It exists to protect the integrity of reporting under defined standards.

For financial reporting, that anchor is IFRS.
For sustainability reporting in Europe, it is CSRD and the ESRS standards.
For digital systems, it is IT governance.
For AI, an emerging architecture of model risk management and regulation — including the EU AI Act.

The complexity arises not because these frameworks conflict.
The complexity arises because they overlap.

And overlap without coordination produces blind spots.

IFRS Was Written for Humans

IFRS is fundamentally a framework of judgment.

Standards such as IAS 36 (Impairment of Assets), IFRS 9 (Expected Credit Loss), IFRS 15 (Revenue Recognition) and IAS 37 (Provisions) require management to make forward-looking estimates under uncertainty.

Historically, this meant management built models in spreadsheets, supported by economic analysis and documented assumptions. Auditors challenged the assumptions. Audit committees reviewed the rationale.

The accountability line was clear: management made the judgment.

Now imagine a multinational retail group implementing an AI-driven forecasting engine that analyses five years of transaction data, macroeconomic indicators and customer behaviour patterns to generate cash flow projections for impairment testing.

The output appears sophisticated. The data volume exceeds what a finance team could manually process. The forecast curves are statistically optimized.

The governance question is not whether the tool is advanced.

The governance question is this:

Who owns the judgment?

If management accepts the output with limited interrogation because “the model has higher predictive accuracy,” judgment has shifted — subtly — from human reasoning to algorithmic pattern recognition.

IFRS does not prohibit AI assistance. But IFRS presumes that management exercises judgment consciously and consistently.

A model retrained mid-year that shifts impairment outcomes by 8% without disclosure is not merely a technical event. It may be an accounting inconsistency event.

The issue is not whether AI is used.
The issue is whether its influence is governed and disclosed appropriately.

A Realistic Scenario: Revenue Recognition Drift

Consider a software company applying IFRS 15. Revenue recognition depends on identifying performance obligations and allocating transaction price appropriately.

Suppose the company implements an AI tool to classify contract types and identify performance obligations automatically.

Initially, the tool improves efficiency. Classification accuracy is high. Manual review declines.

Over time, new contract variants emerge. The model, trained primarily on historical patterns, begins misclassifying bundled arrangements. Revenue is recognized slightly earlier than appropriate — not materially at first, but consistently.

No fraud. No override. Just gradual model drift.

The finance team notices revenue trending slightly stronger than peer benchmarks, but attributes it to market performance.

Only during an external audit review is the classification drift detected.

This is not an IT failure.
It is a governance oversight failure.

The absence of model performance monitoring allowed accounting interpretation to migrate unnoticed.

This is precisely why model risk must be integrated into financial reporting governance.

CSRD: Expanding the Perimeter of Assurance

If IFRS challenges governance through financial estimation, CSRD challenges governance through data breadth.

Sustainability reporting introduces:

Scope 1, 2 and 3 emissions data
Supplier-related environmental metrics
Workforce diversity statistics
Governance indicators

Much of this data does not originate in accounting systems. It originates in operational systems — procurement, logistics, HR, supply chain platforms.

Now introduce AI.

A manufacturing company implements an AI classification engine to categorize supplier emissions based on purchase descriptions and geographic data. The tool estimates Scope 3 emissions where supplier data is incomplete.

Efficiency increases dramatically. The sustainability report becomes more granular.

But suppose the training data underrepresents suppliers in emerging markets. Emissions are systematically underestimated in certain regions.

The numbers are consistent year-on-year. The methodology appears stable. Assurance providers review documentation.

Yet embedded bias exists.

Under CSRD, limited assurance today may become reasonable assurance tomorrow. If algorithmic classification drives material ESG metrics, governance must ensure:

Transparency of methodology
Bias monitoring
Data source integrity
Change documentation

Unlike financial misstatements, ESG misstatements may damage credibility long before they trigger enforcement.

Sustainability data governance cannot be an afterthought. It must mature at the same pace as financial control.

Borrowing from Banking: Model Risk Discipline

The banking sector has confronted model risk for years, particularly in credit and capital modeling.

Regulators require:

Independent model validation
Conceptual soundness reviews
Ongoing performance monitoring
Outcome analysis
Clear ownership and documentation

While non-financial corporates are not subject to identical supervisory regimes, the logic is transferable.

If a model materially influences financial reporting or ESG metrics, it should not exist without:

Documented purpose
Defined owner
Independent challenger
Performance review cycle

Independence does not mean bureaucratic duplication. It means structured skepticism.

Governance fails not because models are imperfect — all models are imperfect — but because their limitations are not acknowledged.

Case Reflection: Wirecard and the Danger of Digital Opacity

Wirecard’s collapse was not caused by AI. It was caused by opacity, weak oversight and a culture that discouraged challenge.

But the lesson translates powerfully to the AI age.

Wirecard operated in a digital ecosystem where transaction flows were difficult to verify independently. External confirmations failed. Internal transparency eroded.

In an AI-driven reporting environment, opacity can deepen.

If board members do not understand how revenue classification models operate, if auditors cannot reconstruct decision logic, if management relies on algorithmic outputs without traceability — opacity multiplies.

The risk is not that AI creates fraud automatically.

The risk is that AI creates complexity faster than governance adapts.

History shows that complexity without oversight eventually collapses under scrutiny.

The Human Dimension: Judgment Must Remain Visible

One of the most subtle shifts in AI-enhanced reporting is the invisibility of judgment.

When management makes an estimate, it documents assumptions. When AI makes an estimate, assumptions are embedded in data weighting, training selection and parameter tuning.

Boards must ensure that judgment remains visible.

That means:

Explicit documentation of AI-supported estimates
Clear statements that management retains responsibility
Periodic critical review independent of the model developers

IFRS and CSRD do not prohibit AI. They require faithful representation.

Faithful representation in an AI context demands transparency about algorithmic influence.

Read more in our blog: AI, Audit Trails and Accountability – Why Human Confirmation Remains the Core of Governance.

Where the Lines Blur

The most interesting governance challenges emerge where IFRS judgment, CSRD breadth and AI automation intersect.

Imagine a global logistics company:

AI forecasts asset utilization affecting impairment testing.
AI classifies fuel consumption data for sustainability reporting.
AI supports contract classification for revenue recognition.

Three domains. One underlying architecture.

If model governance is fragmented — financial models overseen by finance, ESG models overseen by sustainability teams, operational models overseen by IT — inconsistencies emerge.

True governance maturity integrates these oversight structures.

Model governance cannot be siloed.

From Internal Control to Algorithmic Accountability

The Governance Architecture Boards Must Now Build

If Part I described the migration of control from paper to systems, and Part II explored how IFRS, CSRD and model risk intersect with AI, then the remaining question is unavoidable:

What does responsible governance look like in practice?

Not in theory.
Not in regulatory abstraction.
But in the boardroom.

Because annual reporting is ultimately not a technical document. It is a statement of accountability.

And accountability cannot be delegated to code.

The Three-Layer Architecture — Now in Narrative Form

We can describe the emerging control environment as layered — not as a diagram, but as a structural reality.

At the base lies financial integrity. Segregation of duties, reconciliations, documented judgments and supervisory review remain indispensable. These are not relics of a paper age; they are expressions of distributed authority. Without them, trust collapses quickly.

Above that sits system integrity. ERP configuration, access rights, change management and cybersecurity determine whether financial controls function as designed. A misconfigured system can neutralize perfect policies. IT governance is not support — it is structural.

Above both now sits algorithmic integrity. Where models influence classification, estimation or disclosure, governance must ensure oversight, documentation and challenge. Not because AI is inherently dangerous, but because it amplifies consequences.

These layers are not alternatives. They reinforce each other.

If financial controls are strong but IT governance is weak, segregation collapses digitally.
If IT governance is strong but AI oversight is absent, statistical drift undermines reporting silently.
If AI governance exists but financial fundamentals are weak, automation accelerates error.

Trust survives only when the layers align.

What This Means for Boards and Audit Committees

Boards often ask management whether internal control over financial reporting (ICFR) is effective. In many jurisdictions, management formally certifies this.

The question must now evolve.

It is no longer sufficient to ask:
“Are our financial controls operating effectively?”

Boards must also ask:

Where do AI systems influence financial or sustainability reporting?
How are these systems governed?
Who independently challenges model assumptions?
How is model drift detected?
Are algorithmic changes documented and communicated?

These are not technical questions. They are governance questions.

Audit committees, in particular, must resist the temptation to delegate AI oversight entirely to IT or digital transformation committees. If AI influences reporting outcomes, it belongs squarely within the audit committee’s remit.

Financial accountability cannot be separated from algorithmic influence.

Read more from COSO: Realize the Full Potential of Artificial Intelligence.

A Real-World Tension: Speed Versus Scrutiny

One of the defining pressures of modern reporting is speed.

Stakeholders expect faster closing cycles, real-time dashboards and near-instant analytics. AI promises precisely that.

But speed and scrutiny do not naturally coexist.

When an AI model can generate thousands of scenario simulations within minutes, the human instinct is to trust the scale. “Surely this is more robust than manual modeling.”

Yet scale does not replace judgment. It only accelerates it.

Consider a global industrial group using AI to forecast demand patterns and adjust revenue accruals dynamically. The system improves working capital forecasting. Management confidence increases.

But if macroeconomic conditions shift abruptly — geopolitical conflict, regulatory change, supply chain disruption — historical training data may lose relevance instantly.

Speed becomes fragility.

Governance must therefore preserve deliberate pause within accelerated systems. It must institutionalize review moments, especially during volatility.

The most dangerous period for algorithmic overconfidence is not stability. It is transition.

Culture: The Final Control Layer

All governance ultimately rests on culture.

COSO’s control environment component has always emphasized integrity, competence and accountability. In the AI age, cultural maturity must include algorithmic humility.

Algorithmic humility means acknowledging:

Models are abstractions of reality.
Training data reflects historical conditions.
Predictive accuracy does not equal economic truth.
Transparency strengthens trust, even when it reveals limitations.

Organizations that treat AI as infallible will eventually encounter dissonance. Organizations that treat AI as a tool within accountable governance will adapt.

Boards set that tone.

When directors ask thoughtful questions about model assumptions and data integrity, management culture shifts. When they do not, silence becomes acceptance.

Silence, in complex systems, is dangerous.

The Regulatory Horizon

The EU AI Act introduces structured obligations for high-risk AI systems, including human oversight and documentation requirements. CSRD expands assurance culture beyond financial metrics. Digital resilience regulations increase focus on system integrity.

These frameworks are not isolated developments. They represent a convergence.

Regulators increasingly recognize that technology shapes economic outcomes. Governance must therefore address not only what organizations report, but how they produce what they report.

In this context, annual reporting governance becomes a testing ground.

If boards can demonstrate that AI-supported reporting is transparently governed, independently validated and culturally integrated, they strengthen institutional credibility.

If not, external regulation will fill the vacuum.

Read more in the EU Artificial Intelligence Act – Reporting of Serious Incidents.

The Memory of Corporate Failure

History offers a sobering reminder.

Enron demonstrated how complex financial structures can obscure reality when governance fails. Wirecard demonstrated how digital opacity and weak oversight can persist in technologically advanced environments.

Neither scandal required AI to unfold.

But imagine similar governance weaknesses amplified by autonomous data classification, predictive revenue modelling and algorithmic disclosure drafting.

The speed of misstatement could outpace detection.

The lesson is not technological pessimism. It is governance realism.

Complexity demands proportional oversight.

A Forward-Looking Governance Discipline

The future of annual reporting governance will not be defined by whether AI is used. It will be defined by how transparently it is governed.

Organizations that mature successfully will:

Map AI-supported processes explicitly.
Integrate model oversight into ICFR structures.
Align sustainability and financial data governance.
Educate board members sufficiently to ask meaningful questions.
Preserve visible human judgment within automated systems.

This is not an additional compliance burden. It is a continuation of the internal control tradition — translated into contemporary architecture.

The essence has not changed.

Distributed authority.
Documented accountability.
Independent challenge.

What has changed is the medium.

The Closing Reflection

Internal control began as ink on paper.

It became configuration in systems.

It is now embedded in algorithms.

But its purpose remains constant: to ensure that the story an organization tells about its performance corresponds faithfully to economic reality.

Annual reports are narratives of performance and position. If algorithms influence those narratives, governance must ensure that influence is visible, tested and accountable.

Trust does not erode because technology advances.
Trust erodes when governance fails to advance alongside it.

The age of AI does not eliminate internal control.
It elevates it.

And boards that understand this will not merely comply with emerging regulation — they will lead in credibility.