Executive Summary

• If AI influences numbers, estimates, journal entries, reconciliations, or disclosures, it becomes part of your internal controls over financial reporting (ICFR).
• AI increases control risk because outputs can be probabilistic, hard to explain, and highly sensitive to data quality and configuration changes.
• Auditors will expect governance over AI systems similar to other SOX-relevant tools: access controls, change management, validation, monitoring, and evidence of review.
• The highest risk AI use cases are those that automate postings to the GL, influence key estimates, or generate external reporting narratives.
• The safest approach is “human-in-the-loop” controls with clear thresholds, logged overrides, and a documented model governance process.

If your finance team is using AI for close, reporting, forecasting, or automation, Ridgeway Financial Services can help you design an audit-ready control framework, document AI-enabled processes, and implement practical governance that scales from early-stage to pre-IPO.

---

Table of Contents

• Where AI Touches Financial Reporting
• Why ICFR Still Applies When AI Is Involved
• Key Control Categories for AI in Finance
• Common Gaps That Create Audit Findings
• Scaling AI Controls From Startup to Pre-IPO
• A Practical Implementation Blueprint
• Bottom Line

---

Where AI Touches Financial Reporting

AI is showing up in finance functions in three main ways, each with different control implications.

1) AI-assisted decision support

Examples:

• Revenue and cash forecasting models
• Expense prediction and anomaly detection
• Variance explanations and scenario analysis

Risk profile:

• High risk when it drives material decisions, public guidance, or significant estimates.
• Lower risk when used as one input among others and reviewed by management.

2) AI-enabled process automation

Examples:

• Drafting journal entries or accrual suggestions
• Auto-matching and reconciling subledgers
• Exception handling and write-off recommendations

Risk profile:

• High risk if AI posts entries, forces matches, or clears reconciling items without review.
• Elevated audit attention because it can bypass traditional segregation of duties and review controls.

3) Generative AI for reporting and disclosures

Examples:

• Drafting footnotes, MD&A, or board decks
• Summarizing accounting policies
• Drafting responses to diligence questions

Risk profile:

• High risk of inaccuracies, omissions, and “confidently wrong” narratives.
• Requires strong review and version control even if the tool only drafts language.

A simple rule: if AI output influences what goes into the financial statements or external reporting, treat the AI workflow as part of ICFR.

---

Why ICFR Still Applies When AI Is Involved

AI does not change accountability for financial reporting. Management is still responsible for accuracy, completeness, and appropriate judgment.

SOX logic applied to AI

Whether you are SOX-required today or preparing for SOX tomorrow, auditors will evaluate:

• What AI is used in finance processes
• What risks it introduces
• Whether controls are designed and operating effectively
• Whether evidence exists that controls were performed

AI often increases audit complexity because it can be:

• Hard to explain
• Hard to reproduce consistently
• Sensitive to inputs, configuration, and model updates

Because of that, auditors tend to push for more documentation and more human oversight, not less.

---

Key Control Categories for AI in Finance

To make AI auditable, controls must cover inputs, processing, and outputs, plus governance around change and access.

1) Data input controls

Goal: ensure the AI is working from accurate and authorized data.

Controls to implement:

• Source data reconciliations (source system to AI input dataset)
• Completeness checks (record counts, totals, missing fields)
• Data lineage documentation (where inputs come from and how they are transformed)
• Access restrictions on source data extracts

Practical example:
If AI reads contracts to suggest revenue treatment, the contract source and metadata must be controlled, complete, and versioned.

2) Model validation and pre-deployment testing

Goal: verify the AI behaves as expected before it affects reporting.

Controls to implement:

• Model purpose statement and scope (what it is allowed to influence)
• Back-testing against historical outcomes
• Benchmark comparisons (manual method vs AI method)
• Defined acceptance criteria and sign-off by finance leadership

Practical example:
Before using AI to recommend accruals, run it in parallel for 2 to 3 closes and document variance analysis and review conclusions.

3) Access controls and segregation of duties

Goal: prevent unauthorized changes and reduce the risk of a single person controlling inputs and outputs.

Controls to implement:

• Role-based access to the AI tool
• Separate roles for model configuration vs approval of outputs
• MFA and logging for privileged users
• Periodic access reviews

Practical example:
The person who can change prompt templates or model rules should not be the same person approving journal entries.

4) Change management and version control

Goal: ensure changes to models, prompts, rules, or training data are reviewed, tested, and documented.

Controls to implement:

• Change tickets and approval workflow
• Versioned prompts, rulesets, and model parameters
• Testing evidence before deployment
• Release notes and rollback procedures

Practical example:
If your team updates a prompt that drafts footnotes, treat that like a change to a reporting template: review, approve, and archive prior versions.

5) Output review controls with thresholds

Goal: require human review when AI output is material or unusual.

Controls to implement:

• Review and approval for AI-generated journal entries
• Reasonableness thresholds (variance triggers, dollar thresholds)
• Reconciliation exception queues
• Evidence retention (sign-offs, annotated reports, approvals)

Practical example:
Any AI-proposed entry over a defined threshold must be reviewed by the Controller, and the system should preserve the proposed entry, the final entry, and the reviewer sign-off.

6) Override logging and exception handling

Goal: ensure overrides are traceable and reviewed, not hidden.

Controls to implement:

• Logs of overrides, forced matches, and manual adjustments
• Mandatory reason codes for overrides
• Periodic review of overrides and exceptions by management
• Root-cause analysis for recurring exceptions

Practical example:
If an AI reconciliation tool auto-clears items, it must record what it cleared, why, and who approved it.

7) Performance monitoring and model governance

Goal: detect drift, degradation, bias, and unexpected behavior over time.

Controls to implement:

• Ongoing accuracy monitoring (forecast vs actual, recommendation vs outcome)
• Drift indicators (distribution changes in inputs, output stability)
• Periodic recalibration and re-validation
• Clear ownership (who monitors, who approves changes)

Practical example:
If AI influences key estimates, establish a quarterly model governance review with documented results and decisions.

---

Common Gaps That Create Audit Findings

These are the most common failure patterns when finance adopts AI quickly.

Blind reliance on AI outputs

Risk: material errors enter reporting because no one reviews the logic or results.

Fix:

• Require human review for material outputs.
• Start with shadow mode before relying on AI in production.

No audit trail

Risk: you cannot explain why a number changed or how an entry was generated.

Fix:

• Enable logging.
• Archive inputs, outputs, and approval evidence.
• Maintain documentation that links AI output to final reporting.

Uncontrolled model or prompt changes

Risk: behavior changes mid-quarter without anyone knowing, causing inconsistency and control failures.

Fix:

• Implement change management and version control.
• Require review and testing before deployment.

Segregation of duties collapses

Risk: one person can change the AI and approve the results, increasing fraud and error risk.

Fix:

• Define roles.
• Separate configuration from approval.
• Review access periodically.

Shadow AI tools

Risk: employees use unapproved AI tools in critical workflows, creating unmanaged risk.

Fix:

• Maintain an inventory of approved AI tools.
• Require disclosure and approval for finance use cases.
• Train the team on what is allowed.

---

Scaling AI Controls From Startup to Pre-IPO

Controls should be right-sized to company stage, but must scale predictably.

Early-stage

• Keep AI advisory, not autonomous.
• Use simple review controls and clear rules: no AI output hits the GL without human approval.
• Document major decisions and exceptions in lightweight form.

Growth-stage

• Build formal documentation: process narratives, risk-control matrices, and evidence retention.
• Establish access, change management, and validation as standard requirements.
• Implement exception workflows and dashboards.

Pre-IPO and public company readiness

• Formalize an AI governance program for finance.
• Treat AI tools as SOX-relevant systems where applicable.
• Test controls routinely and retain evidence in an audit-ready repository.

---

A Practical Implementation Blueprint

Use this sequence to implement controls without slowing execution.

Step 1: Create an AI-in-finance inventory

List:

• Tool name and owner
• Use case
• Outputs that impact reporting
• Whether AI can post, modify, or only recommend
• Risk rating (low, medium, high)

Step 2: Map AI workflows into your close and reporting process

For each use case:

• Inputs
• Processing steps
• Outputs
• Human touchpoints
• Where evidence is stored

Step 3: Implement minimum required controls by risk tier

Low risk:

• Document use case
• Require review of outputs used in reporting

Medium risk:

• Add access controls, change controls, and threshold-based review

High risk:

• Add validation, governance reviews, override logs, and formal evidence retention

Step 4: Build an evidence pack for auditors

Maintain a folder or binder that includes:

• Policies and procedures
• Validation results
• Access reviews
• Change logs
• Samples of approvals and exception handling

---

Bottom Line

AI can accelerate finance, but it also increases control risk. If AI influences financial reporting, it must be governed like any other system in ICFR: controlled inputs, validated logic, managed changes, secure access, reviewed outputs, and retained evidence. Companies that build these controls early avoid audit surprises and scale faster with investor confidence.

---

FAQs

Do AI tools used in finance fall under internal controls over financial reporting?
Yes when they influence journal entries, reconciliations, estimates, disclosures, or any process that impacts financial reporting.

What controls do auditors expect for AI-generated journal entries?
Human review and approval, clear thresholds, access controls, change management over the AI configuration, and audit logs showing what was proposed, what was posted, and who approved it.

How should companies document AI models used for forecasting or estimates?
Document purpose, inputs, validation testing, approval sign-offs, monitoring metrics, and change history, plus periodic reviews comparing outputs to actual results.

What is the biggest ICFR risk with AI in finance?
Lack of transparency and audit trail, especially when AI outputs are accepted without review or when models and prompts change without controlled governance.

---

Reviewed by YR, CPA
Senior Financial Advisor