COSO Issues GenAI Governance Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a new roadmap for managing the risks and controls associated with generative AI. The guidance translates COSO's established Internal Control–Integrated Framework into a practical, audit-ready approach for governing GenAI. The publication aims to help organizations implement new technology while maintaining effective internal controls.

- The guidance was authored by a team of academics and industry leaders from Arizona State University, the University of Duisburg-Essen, Ernst & Young, Meta, and Brigham Young University. It builds upon COSO's earlier thought leadership on AI, which was developed in collaboration with Deloitte.
- A primary focus is on managing risks unique to generative AI that traditional governance models did not anticipate, such as prompt-based manipulation, opaque reasoning, model drift, and heightened cybersecurity exposure.
- The framework is a direct translation of COSO's well-established Internal Control–Integrated Framework, which was first issued in 1992 and is the most widely used internal control framework in the U.S. The goal is to apply proven principles to the new technology rather than creating a new standard from scratch.
- The publication provides practical, audit-ready tools to accelerate implementation, including starter templates for risk assessment matrices, control testing procedures, and metric dashboards.
- For firms in regulated industries like finance, the guidance helps structure thinking around specific risk areas such as data privacy, cybersecurity vulnerabilities from third-party AI providers, and compliance with an evolving landscape of AI-specific regulations.
- The framework emphasizes that a strong "control environment" is the foundation for managing GenAI. This involves establishing clear ownership of decision-making processes, which can be structured in a centralized, decentralized, or hybrid model depending on the organization's risk appetite and maturity.
- While audit firms are increasingly using GenAI for tasks like drafting memos and researching accounting guidance, they emphasize that the technology is intended to augment, not replace, human auditors, and that the same level of supervisory diligence is required.
