COSO Issues First-Ever AI Audit Guidance
The AICPA and COSO have released new audit-ready guidance for generative AI, built on the Internal Control–Integrated Framework. The guidance includes a capability taxonomy and templates for risk and testing, arriving as experts predict AI will shift the audit profession's focus from routine tasks to human judgment and scenario analysis.
The new guidance extends COSO's five components of internal control—Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring—to address GenAI-specific risks. It avoids creating a new framework, instead translating established principles for emerging technology, acknowledging that AI accelerates decision cycles and amplifies both value and risk. A key feature is a "capability-first" taxonomy that organizes GenAI use cases into eight types, including ingestion, judgment, monitoring, and human-AI interaction. This structure helps organizations pinpoint where risks originate and provides audit-ready control mappings and metrics for each capability, tailored to how risks manifest across the data-to-decision lifecycle.

For manufacturers, this provides a structure to govern AI applications already transforming supply chains. Companies are using AI for demand forecasting, warehouse automation with robotics, and optimizing shipping routes to reduce fuel costs and delivery times. AI-driven analysis of supply chain data is also being used to identify patterns and predict disruptions, a critical capability at a time when 90% of manufacturers cite geopolitical tensions as an obstacle to strategic development.

The guidance arrives as manufacturers navigate a complex web of new regulations requiring deeper supply chain visibility. European Union rules like the Digital Product Passport, starting with iron and steel in 2026, and the Carbon Border Adjustment Mechanism (CBAM) mandate granular, verifiable data on product origin and embedded emissions, making robust data governance essential. This heightened regulatory environment, combined with tariff uncertainty and shifting trade blocs, is forcing manufacturers to re-evaluate global sourcing strategies.
Companies are increasingly favoring stability over pure cost savings, leading to more localized or regionalized operations to mitigate disruptions from geopolitical events like US-China trade friction. The SEC is also increasing disclosure mandates for public companies, covering cybersecurity incidents, human capital management, and climate-related risks. These rules require firms to report on board oversight of such risks and their material impact on business strategy and financial condition, elevating the importance of internal controls over new and evolving data sources.