COSO Releases New Guidance on Generative AI Internal Controls
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released new guidance on establishing internal controls for generative AI. The guidance is intended to help organizations, including manufacturers, manage the risks associated with the rapidly adopted technology. This is considered a critical resource for internal audit functions adapting their frameworks to address emerging technological risks.
- The guidance adapts COSO's five existing internal control components—Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities—for generative AI, rather than creating a new framework. It emphasizes that while the technology is new, the fundamental purpose of internal control remains to help organizations achieve their objectives.
- A foundational principle of the guidance is that generative AI is probabilistic, not deterministic, meaning controls must treat AI outputs as claims that require validation, not as facts to be accepted by default. This is critical for manufacturers using AI for judgment-based processes like demand forecasting or quality control analysis.
- The framework addresses specific fraud risks introduced by generative AI, such as deepfakes, synthetic records, and model manipulation through crafted prompts. It calls for fraud risk assessments to consider how these threats could be exploited and whether existing controls are sufficient to detect or prevent them.
- An SEC Investor Advisory Committee recommended in late 2025 that the commission issue guidance for issuers on AI, including disclosures on board oversight mechanisms and the material effects of AI on internal business operations. This signals future regulatory expectations for manufacturers deploying AI in areas like financial reporting and cybersecurity.
- The guidance is released amid ongoing geopolitical risks that directly impact manufacturing supply chains, including US-China trade tensions, tariff volatility, and export controls on critical materials like semiconductors and rare earths. These external pressures create operational risks that AI-related internal controls must be designed to address.
- For manufacturers, the guidance's focus on data ingestion controls is paramount, as AI-driven production planning and quality control systems are highly dependent on reliable data from the factory floor and across the supply chain. Weak controls at the data intake stage can compromise all downstream processes.
- The COSO guidance recommends continuous monitoring of AI-enhanced processes to track for accuracy, fairness, and model drift, noting the rapid rate of technological change. This is particularly relevant in manufacturing, where AI models used for predictive maintenance or process optimization can degrade over time, impacting operational efficiency and safety.