Not theory. Not vendor pitch. A practitioner's perspective on how agentic AI is reshaping the controller function — frameworks, technical questions, governance implications. A reference for controllers thinking through agentic AI — articles, assessments, and prompt tools. Updated as the practice evolves.
Not marketing diagrams. Actual workflow patterns — with the control points, review gates, and failure modes included.
Mapped by maturity, domain, and what kind of human oversight is still required.
The leverage model, the judgment stack, the career divide, and the AI tool layers — visualized.
AI output amplification by work type. Highest on written/volume work. Near zero on judgment and relationships.
What agents can handle vs. what requires a human with signing authority. The dividing line is accountability, not complexity.
Two trajectories from the same starting point. The gap between controllers who internalize AI fluency and those who don't is already visible — and compounds monthly.
The gap is already visible in teams with both kinds of people. It is not theoretical and it is not coming — it is here.
The layers a practitioner uses. The governance layer matters most and gets the least attention — most AI-in-finance failures are missing review protocols, not model failures.
The operator view. Based on actual use in finance project work, not demos.
Memos, commentary, policy redlines, status reports, issue briefs. The output needs review, but the blank-page problem is gone. Senior controllers spend time editing instead of drafting.
→ 3-5x leverage on written deliverablesPulling relevant guidance from ASC, IFRS, external precedents, and prior work you've researched in parallel. Still requires validation but eliminates the manual scavenger hunt.
→ 4–6 hour research task → 30–45 minutesReconciliation exception classification, flux anomaly detection, duplicate transaction flagging. Consistent and tireless in ways humans aren't at the end of a close sprint.
→ Most valuable in high-volume, rule-based workFeed the agent a technical memo and ask it to produce an executive summary, a board talking point, or an answer to a specific question from legal. Genuinely useful in project work.
→ Underrated use caseWhen the answer requires knowing what your auditor will accept, how aggressive your historical posture has been, and which positions are worth defending — the model has none of that context and confidently fills the gap anyway.
→ Dangerous precisely because outputs look rightReserve adequacy, impairment triggers, restructuring determinations. These positions depend on facts in management's heads, not documents. Agents work from documents.
→ Controller must own these, periodAuditors, regulators, counterparties. The output of an AI can inform your position; it cannot be your position. The relationship, the history, and the credibility are yours.
→ AI is your prep, not your presenceThe single most dangerous property of current LLMs for accounting work: confident outputs in areas of genuine uncertainty. The model doesn't know your company, your auditor, your prior positions, or your regulatory environment — and doesn't caveat the gap well.
→ Your review gate is not optionalMost finance AI content is written by people who've never closed a book, run a reserve analysis, or defended a technical position under audit pressure. This is the other kind of content.
Ask a controller what they do, and they'll tell you they close the books. That's technically true and practically incomplete. The real senior controller job is the other thing: the projects, the technical issues, the implementations, the one-off questions that land on your desk because they don't fit anywhere else in the organization.
New revenue recognition system needs a data validation protocol? That's you. Auditor questioning the reserve methodology? That's you. New entity onboarding with no accounting policy precedent? That's you. ERP cutover with a six-month integration window? That's you. The procedures manual doesn't cover any of this — which is why it takes senior judgment, and why it's where the real hours go.
This is the territory the controller function operates in. And it's the territory where the questions about agentic AI become substantive — where the difference between a tool that drafts and a tool that decides matters operationally, not just philosophically. What follows is a framework for thinking through that.
The skill that used to separate senior from junior was domain depth. Now it's domain depth plus AI fluency — and the gap between controllers who've internalized both and those who haven't is becoming the most significant career divide in the function.
The simplest way to describe the shift: one senior controller with AI can now produce the output that used to require a small team. A research memo that took a day takes two hours. A policy redline that took a week takes an afternoon. A project status synthesis that required four people's inputs and a coordinator takes one person with the right prompts and a careful review.
That's not hypothetical — it's the actual experience. The leverage ratio of a competent controller just went up by a factor of three to five on written, research, and synthesis work. The people who've internalized this are doing more, moving faster, and spending their senior judgment on higher-order decisions. The people who haven't are still doing manually what their peers are doing with AI.
This is the divide. It's not theoretical and it's not coming — it's already here, in every finance team that has both kinds of people. The gap compounds every month.
Here's where most AI-in-finance content gets it wrong by omission: the list of things that genuinely don't change is long and important.
Judgment under audit exposure. Management intent. Reserve adequacy. Positions you'll defend in a confrontational audit conversation. Any decision where being confidently wrong is worse than being cautiously uncertain. These require context the model doesn't have: your auditor's historical positions, your company's risk tolerance, your CFO's view on aggressiveness, your relationship with the regional examiner, the prior-period matter that's still in the back of everyone's mind.
The test I use: if a human has to sign their name to the output and take responsibility for it — in front of an auditor, a board, or a regulator — the AI is a drafting tool, not a decision tool. That distinction is not optional and it's not conservative: it's the correct technical framing for how these systems work and where they fail.
Here's what the accounting standards community hasn't caught up to: when an agent drafts your flux commentary and a controller reviews it, what exactly is the control? When the underlying model is updated between periods, is that a change in a key financial reporting system? What does an ITGC look like for a tool that's helping produce work that goes into financial statements?
Major audit firms will have formal opinions on AI in close processes in roughly 18 months. Regulators will have guidance in approximately three years. Controllers are being asked to make these governance decisions right now with no authoritative framework. The answer will be written by practitioners — not standard-setters — for at least the next two years.
These questions don't have good answers in the current literature, which means they're landing on controllers' desks right now with no framework. Major audit firms will have published opinions in 18 months. Regulators will have guidance in three years. Controllers are being asked to make these decisions today.
That's the actual frontier of this work — not "will AI replace controllers" but "how do controllers govern AI in the finance function before anyone tells them how to." The answer will be written by the people doing it, not the people advising on it.
The most useful mental model I've developed for navigating all of this: if a human has to sign their name to the output and take responsibility for it in front of an auditor, a board, or a regulator — the AI is a drafting tool, not a decision tool.
This isn't a conservative posture — it's the correct technical framing for how these systems actually work and where they fail. The signature creates accountability. The accountability requires judgment. The judgment requires context. The context requires a human who has it.
This test doesn't say AI is useless in high-stakes work. It says AI is preparation, not principal. Use it to research the position, draft the memo, stress-test the logic, structure the presentation. But the position is yours. The memo has your name on it. You sign it, you own it.
This site is a reference for finance practitioners thinking through agentic AI in the controller function. The content focuses on frameworks, failure modes, and the technical questions that don't yet have authoritative answers — the things that come up when accounting standards meet probabilistic systems.
No hype. No skepticism theater. A practitioner's view on the framework and the discipline, written in a personal capacity.
If you want to connect and discuss — find me on LinkedIn.
Not a vendor roadmap. A practitioner's sequence, based on what breaks and what doesn't.
Before any tool decision: document your top 10 monthly deliverables with time estimates and judgment-point maps. If you can't produce that document in two hours, that's the actual problem to solve first. Most AI implementations fail not because the technology doesn't work — they fail because the team automated a process they hadn't mapped. The diagnostic question that exposes this every time: what does each step cost in hours and where does the irreducible judgment live?
The biggest mistake is deploying agents in high-judgment areas first because that's where the time is. Start with work where errors are correctable and volume is high. Build the review discipline before you raise the stakes.
For any workflow where agent output influences financial reporting or audit evidence, you need a documented control. Not a general AI policy — a specific description of what the agent does, what the human reviewer verifies, and what the escalation path is when the output is wrong.
Once you have reliable performance in low-stakes workflows and a proven review discipline, you can selectively expand. The boundary to never cross: the agent does not make decisions that require management judgment, legal interpretation, or audit defensibility.
The operator read on where attention is going — and what the hype-to-reality gap actually looks like. Percentages reflect practitioner adoption estimates, not survey data.
Highest adoption. Flux commentary, reconciliation support, and period-end reporting assistance are the leading deployments. Mature enough to use now.
Research and drafting assistance is mainstream. Position-taking still requires human judgment. Vendors are adding accounting-specific fine-tuning but validation still falls on the controller.
Synthesis, status reporting, and issue tracking agents are emerging fast in finance project work. Still fragmented — no dominant tool has won this space yet.
Control documentation, testing support, and deficiency analysis. Promising but cautious adoption — audit firms are still formulating views on AI-assisted evidence and nobody wants to be the test case.
Early stage but fast-moving. Merchant payment rails are shifting. Controllers at acquiring and treasury functions need frameworks that don't fully exist yet. Watch this space.
The idea that agents will make accounting decisions without human review. Current hype significantly outpaces reality and governance frameworks. Structural barriers are real, not temporary.
Operator-grounded. Nine pieces published. Latest: A09 — Continuous Accounting on Real-Time Rails. Click any card to read.
The opening thesis. What changes, what doesn't, and what nobody's saying out loud about the career divide coming in finance.
NotebookLM, base models, prompt versioning, the review discipline — and what doesn't make the cut. A real kit, not a product review.
When an agent drafts your flux commentary, what exactly is the control? The ITGC gap, the prompt-change problem, and a framework for today.
Merchant acquiring is moving to stablecoin rails. Revenue recognition, FX treatment, reserve methodology — the accounting questions with no clean answers yet.
The forward-looking shift. Producer vs. designer, the new skill stack, why the career math has changed, and what to do about it before the formal infrastructure catches up.
What to actually cover when you brief the AC on AI in financial reporting — the six topics, the framing, what to avoid, and the documentation that lives on.
SR 11-7 translated to corporate finance AI deployments. The framework that solves what the accounting profession hasn't yet addressed.
The regulatory forward-look. What audit firms are quietly building, what controllers should have ready, and the 18-month operational window.
FedNow, stablecoin networks, 24/7 settlement. The accounting framework still requires periodic statements; the rails don't pause. Where the disconnect lands.
I'm a finance controller working in payments and acquiring finance. My day-to-day is not just the close — it's the projects, the technical issues, the implementations, and the cross-functional problems that don't fit cleanly into anyone else's lane.
That work spans revenue recognition, scheme economics, reserve methodology, FX exposure, pricing and margin analysis, and the full controller project stack: ERP implementations, SOX control redesign, close acceleration, new entity integrations, technical accounting position development. I've also written the Payments Controller Handbook — a reference-grade resource for controllers in the acquiring finance function — and the Controller PM Handbook on how controllers run change projects.
This site is a personal reference focused on agentic AI in the controller function. The content covers frameworks, governance questions, and the technical considerations that show up when AI tools meet financial reporting work — written from a practitioner's vantage point, in a personal capacity.
The audience is other finance practitioners. The voice is operator-grounded — focused on frameworks and questions rather than vendor pitches or innovation stories. If that perspective is useful to you, read, share, and find me on LinkedIn.
New articles roughly monthly. No marketing automation, no drip sequence — just the work as it ships. Or find me on LinkedIn if you'd rather talk directly.
1. Educational and informational purpose only. All content on this website — including articles, frameworks, assessments, prompt templates, diagnostic tools, and related materials — is provided solely for educational and informational purposes. Nothing on this site constitutes professional accounting, legal, tax, audit, financial, investment, or any other form of professional advice.
2. Personal capacity; no employer or client representation. All views, opinions, frameworks, and analyses expressed on this site are those of the author solely in a personal capacity. They do not represent, reflect, or constitute the views, opinions, policies, positions, or practices of any current or former employer, client, partner, affiliate, or any other organization with which the author is or has been associated. No information on this site is derived from or shared based on any non-public information from any employer or client.
3. No professional engagement; no fiduciary relationship. Use of this site does not create any client, advisory, fiduciary, or professional relationship between you and the author. The author is not your accountant, lawyer, auditor, or financial advisor. Reading or interacting with content on this site does not constitute professional engagement of any kind.
4. Accuracy and currency limitations. Accounting standards, regulatory guidance, audit standards, and AI technology capabilities referenced on this site are subject to ongoing change. Information is believed accurate as of the publication or update date noted on each article, but the author makes no representations or warranties as to its current accuracy, completeness, or applicability to any specific situation.
5. Consult qualified professionals. Readers should not act or rely upon any information on this site without seeking advice from qualified professionals familiar with their specific facts and circumstances. Any decisions regarding accounting, legal, tax, audit, regulatory, technology, or business matters should be made only after appropriate consultation with such professionals.
6. AI tools and frameworks. References to AI tools, prompts, workflows, and governance frameworks reflect personal exploration and experience. They should not be relied upon as authoritative guidance on AI use in regulated environments. Tool capabilities, vendor policies, and applicable regulations evolve rapidly; readers must evaluate suitability for their own circumstances and obligations.
7. Third-party references. References to standards bodies (PCAOB, FASB, SEC, Federal Reserve, NIST, AICPA, etc.), specific accounting standards, regulatory guidance, third-party tools, vendors, products, or services are for educational reference only. They do not constitute endorsement or recommendation, nor do they imply any relationship with or affiliation between the author and those entities.
8. No warranties; limitation of liability. All content is provided "as is" without warranty of any kind, express or implied, including but not limited to warranties of accuracy, completeness, fitness for a particular purpose, or non-infringement. The author shall not be liable for any direct, indirect, incidental, consequential, or other damages arising from use of or reliance on any content on this site.
Diagnostic Tool
How ready is your finance function for agentic AI — really? Twelve questions. Four categories. Scored results with specific gaps and recommendations.
Not a product review. A practitioner's perspective on the categories of AI tools that show up in finance work, the prompts and review practices that make them defensible, and why the stack tends to look the way it does.
The most common question among finance practitioners exploring AI is also the most practical: what does a useful stack actually look like? Not in a trend-chasing way — in a "I want to be effective and don't know where to start" way. The answer this article walks through is not a list of tools that sound impressive, but a categorical view of what tends to be in a working stack and what each piece does.
The short answer is that the stack is simpler than people expect, the tools are less exotic than the press coverage implies, and the thing that makes it work isn't the tools at all — it's the review discipline. More on that at the end, because it's the part that matters most and gets the least attention.
Layer 1 — The base model. Claude and GPT-4o are the two most common base models in current practitioner stacks, used depending on the task. For long-context work — reading a full contract, working through a complex accounting standard, analyzing a lengthy policy document — Claude is my default. For faster iteration tasks, GPT-4o. Practitioners largely stop trying to optimize which model to use for each task; at current capability levels both are good enough that the prompt matters more than the model choice.
Layer 2 — Context loading. The single biggest leverage point in my stack is NotebookLM. Notebooks tend to get built around frequently referenced materials: relevant ASC sections, publicly available accounting guidance and standards, prior research, and current project reference materials. When I research a question, The model isn't starting from blank — it's starting with the relevant context already loaded. The output quality difference is substantial.
Layer 3 — Structured prompt workflows. Practitioner stacks tend to accumulate a library of prompts over 12-18 months for recurring high-effort tasks: the research memo template, the policy redline workflow, the flux commentary generator, the project status synthesizer. These aren't clever prompts — they're well-structured ones that tell the model exactly what output format I need and what judgment I'll apply on review. I keep them in a versioned markdown file.
Layer 4 — Code and analysis. For anything quantitative — model builds, sensitivity tables, data manipulation — Cursor (AI-assisted coding) is the typical choice. The ability to write a Python script to process a large transaction file or build a reserve model without spending three hours in Excel has changed how I approach analytical work. The barrier between "thing I can do in Excel" and "thing that requires IT" is mostly gone.
Technical accounting research. This is where the time leverage is highest. The workflow: load the relevant standard sections into NotebookLM, write a precise question that includes the specific fact pattern, ask for the guidance hierarchy. The output is a first-pass research synthesis in 15-20 minutes that would otherwise take 3-4 hours of Codification navigation. Then I spend 45-60 minutes validating, extending, and converting it into a memo. Net time saved: significant. Quality: equal to or better than manual, because the research phase is more systematic.
Flux commentary. I feed the model the period-over-period trial balance, a description of known business drivers, and a prompt that specifies what good flux commentary looks like. First-draft commentary for every material account in one pass. I edit for accuracy and add context the model can't know. Editing takes 20-30 minutes. Drafting used to take 2-3 hours.
Policy drafting. Most useful when there's an existing document to redline. Load the current policy, describe the change driver, ask for tracked changes with rationale. For complex changes affecting multiple sections, this goes from a multi-day task to a few hours of editing. The model is good at structural logic but not always good at institutional nuance — so I review every proposed change against how the policy is actually interpreted in practice.
Project status synthesis. I usually run 3-5 concurrent finance projects. Weekly status updates used to be 90 minutes. Now I feed the model a structured dump of the week (I keep a rolling notes doc in each project) plus the prior update and any new issues. It drafts. I edit. Total: 20-25 minutes. The output is consistently more readable than what I was writing manually because it naturally prioritizes and doesn't bury the lead.
This is the part that doesn't get written about, and it's the most important part.
Every AI output that enters audit-facing work needs a review step. Not a skim — a review. For a research memo: check every ASC citation, does the cited paragraph actually say what the model claims it says? More often than you'd expect, the paragraph is real but the interpretation is slightly off. For flux commentary, I verify the model's characterization of each variance against what I know to be true. For policy redlines, I read every proposed change against the existing language.
The review step isn't a friction cost — it's the actual work. AI produces the draft. You do the job. The question is whether you've shifted time from production to judgment, which is always the right direction.
I've also started logging AI errors I catch — not every minor imprecision, but the substantive ones: wrong citation, incorrect interpretation of management intent, missed nuance. This log does two things: it calibrates how much I trust model output in different task types, and it's the foundation of control documentation if anyone ever asks about my process.
Finance-specific AI tools (the dedicated accounting applications). Most are wrappers around the same base models with a finance-themed interface and a significant price premium. Base models tend to get used directly with custom context loaded. The underlying model quality isn't better; the context loading is often worse.
AI for anything audit-facing without a human principal review. Not because the output is necessarily wrong — because the accountability structure requires human ownership. I'll use AI to draft the response; I write the response.
Autonomous agents for financial data. I've tested setups where agents read data, make decisions, and write to outputs without a review step. Not ready. The failure modes are subtle enough that you wouldn't catch them without the kind of review that defeats the purpose of the autonomy.
Start with one workflow. Pick the one that costs you the most time in first-draft production. For most controllers that's flux commentary or technical accounting research. Build a repeatable prompt for it. Use it on every instance for 30 days. Develop the review checklist. Then decide if it earns a permanent place.
Invest in context before tools. A good prompt with your own reference materials — relevant standards, guidance you've researched, prior work you've written — loaded in context will outperform a specialized tool that knows nothing about your domain. NotebookLM is free and effective. Build your notebooks first.
Document your prompts like process documents. If you change a prompt, note what changed and why. If an AI output enters something reviewed by auditors, be able to describe your process, including what instructions you gave the model and what your review step was.
The stack isn't the point. The leverage is. A simple stack with disciplined review practice will outperform a sophisticated one used carelessly every time.
The tools listed above are not the differentiator. The discipline applied to using them is. When AI-assisted output enters audit-facing deliverables — financial statement memos, ICFR documentation, technical accounting positions — the same standards that govern human-produced work apply: relevance and reliability of evidence (PCAOB AS 1105 framing), sufficient documentation to support the conclusion, and traceability of the reasoning. The tool stack supports this. It doesn't replace it.
When an agent drafts your flux commentary, what exactly is the control? The questions your auditors will start asking — and the answers the literature doesn't have yet.
In the last two years, controllers at companies of every size have quietly started using AI tools in their close and reporting processes. Flux commentary drafted by Claude. Technical accounting research synthesized from ASC text by a language model. Reconciliation exceptions triaged by an agent. Policy documents redlined by a model that read the original and the change driver.
None of this is controversial in practice — the outputs are good, the time savings are real, and the humans are reviewing before anything gets filed. But here is the question that finance teams are not answering publicly, often because they haven't asked it privately: when this work product enters your close package or audit evidence, what exactly is the control?
SOX was designed for a world where material financial reporting processes were performed by people and systems whose change management, access controls, and testing regimes were well-understood. PCAOB AS 2201 contemplates people following procedures and software executing coded logic. It does not contemplate a probabilistic language model that produces different outputs to the same input, whose underlying parameters may change between periods without a traditional system change, and whose "procedure" is a natural language prompt that a controller may have updated last Tuesday.
This gap is real. It is landing on controllers' desks right now. And the accounting community's guidance on how to address it is, charitably, nascent.
Walk through a concrete scenario. Imagine an LLM-based assistant is used to draft first-pass flux commentary. The model is given the trial balance movement, a description of known business drivers, and a prompt specifying the output format. A senior accountant reviews the output, edits for accuracy, and incorporates it into the management commentary. The CFO reviews and approves. The commentary goes into the MD&A disclosure.
Under your current ICFR framework, you likely have a control that says something like: "Management reviews and approves period-end flux commentary prior to inclusion in external reports." The control owner is the CFO or Controller. The evidence is the sign-off.
But what did the control actually catch? If the AI subtly mischaracterized a variance — attributed a revenue decline to business mix when it was actually an accounting reclassification — would the review step have caught it? Maybe. Would it always? That depends on whether you've defined what the review step entails. This is the first problem: the existing control may be nominally present but functionally weaker, because the reviewer is now editing rather than originating, and editing tends to anchor on what's already there.
IT General Controls provide assurance that systems used in financial reporting are operating reliably and that changes to those systems are controlled. Standard ITGC categories: access controls, change management, computer operations, data backup/recovery.
Change management is the sharpest edge. When a model provider updates the underlying model, that is a change to a system influencing your financial reporting process. Does it need to go through your IT change management process? The answer isn't obvious. The model change wasn't initiated by your company, wasn't communicated through your normal change channels, and may have changed your AI-assisted workflow outputs without anyone noticing.
When your controller updates the prompt used to generate flux commentary, is that a process change requiring documentation and approval? A prompt is the instruction set for a key part of your reporting process. Changing it could change the outputs. Most companies are treating prompt changes informally — undocumented, no change management. That is a control gap.
Access controls. Who can modify the prompts used in close-critical processes? Is there segregation of duties between the person writing the prompt and the person reviewing the output? At most companies right now: no. The same person writing the prompt is reviewing the output. This may be acceptable given the overall review structure, but it's a question an auditor could reasonably ask.
Audit trail. For a traditional automated control, there's a system log. For AI-assisted work, what's the evidence? You have the human's review sign-off. You may or may not have a record of what the model produced before the human edited it. You almost certainly don't have a record of the specific model version. If an error surfaces a year later and auditors want to understand the process, what can you show them?
If your auditors don't know you're using AI in your close process: they'll find out eventually, through inquiry or when an error surfaces. The conversation where you disclose this in the context of a clean audit is better than the conversation in the context of a restatement.
If your auditors know but haven't asked pointed questions yet: they're likely still developing their views. This is the window to shape the conversation — to show them your control framework before they form opinions about what they'd need to see.
The questions they'll eventually ask: What AI tools are used in your financial reporting process and for what tasks? How do you ensure the outputs are accurate? What controls exist over changes to the AI tools or prompts? What would you do if you discovered an AI output error in a prior period's disclosures? How do you differentiate a key control when it involves AI assistance?
Most controllers cannot fully answer these today. That's fine — it's early. But controllers who have a thoughtful answer are in a materially better position.
Each traditional ITGC category has a direct AI-adapted analog. The frame is the same — the specifics shift to address probabilistic outputs, vendor model changes, and prompt versioning.
Document AI use in process narratives. Every process narrative that includes AI assistance should say so explicitly. "The period-end flux commentary is drafted using an AI language model based on trial balance movement data and known business drivers. The output is reviewed and approved by [role] prior to inclusion in external reports." Simple, honest, creates the documentation base for auditor inquiry.
Define review specifically. The generic "management reviews" control is insufficient when the output being reviewed is AI-generated. Document what the reviewer actually checks: every material variance characterized by the model against source data; all citations or references verified; judgment areas flagged for additional scrutiny. Specific enough that a different person could perform it to the same standard.
Version-control your prompts. Treat a prompt used in a key control process as a process document. Keep a version log: what changed, when, why, who approved. This costs almost nothing and closes a real gap.
Document the model version when it matters. For key control processes, note the model name and version in your audit evidence. "Claude Sonnet 4, prompt version 1.3, [date]" is a defensible audit trail.
Brief your auditors before year-end. Don't wait for the audit to surface your AI use. Schedule a discussion during interim procedures. Show them your process, your control documentation, your thinking on the ITGC questions. Most audit teams will appreciate the transparency.
The honest conclusion: the control framework for AI-assisted financial reporting is being written right now, by practitioners, in real time, without authoritative guidance. PCAOB hasn't issued staff guidance. Major audit firms have internal positions that haven't been published. The SEC has been signaling concern but hasn't given specific control requirements.
Controllers are the de facto standard-setters for this question for the next 12-24 months. The frameworks we build, the conversations we have with auditors, the documentation we create — these will form the template that eventually gets codified into guidance. That's an unusual amount of agency to have in the accounting world. It's worth using it thoughtfully.
To make this concrete, walk through one specific control: the monthly flux commentary process for a public company. Today it operates roughly like this — controller pulls the period-over-period balances, reviews material variances, drafts commentary, sends to VP Controller for review and approval before flux goes into the close package. The control objective: ensure material variances are explained accurately and consistently for management and audit review.
Now layer in AI. The controller uses an LLM-based drafting tool with reference materials loaded as context to produce the first-pass flux commentary. The agent ingests the trial balance movement, the prior-period commentary for context, and a reference to the chart of accounts with descriptions. Output: a structured first draft with variance characterizations grouped by driver. The controller reviews, edits, validates against source data, and sends to VP Controller. VP Controller reviews and approves. Same control objective. Different production path.
The control documentation today probably says: "Controller prepares flux commentary monthly. VP Controller reviews and approves before flux is incorporated into close package. Evidence: signed flux package." The AI-adapted version needs three additions:
What the agent does. "Controller uses [tool name] to draft initial variance commentary using period-over-period trial balance data and prior-period commentary as input context."
What the human review specifically checks. "Controller validates that variance characterizations match source data, that material drivers identified by the agent are correct, and that no material variance has been missed or mischaracterized."
What evidence is retained. "Original AI-generated draft, controller's edited version, source data inputs, and prompt version reference are retained as part of the close package supporting documentation."
That's it. Three additions to the control narrative. The control objective is unchanged. The control owner is unchanged. The reviewer signs off the same way. What changes is that the documentation now matches what's actually happening — and an auditor reviewing the control finds documented evidence rather than discovering AI use through inference.
The prompt change problem deserves a concrete procedure. Here's a practical version that doesn't over-engineer:
Trigger. Any change to a production prompt used in a workflow that produces output entering financial reporting requires going through this procedure before the new prompt is used in production.
Documentation. Three things captured: (a) what the old prompt was, (b) what the new prompt is, (c) the rationale for the change in 1-3 sentences.
Approval. Material prompt changes (changes that affect what the workflow produces, not just minor wording cleanups) require sign-off by the workflow owner's manager. Non-material changes can be self-approved but still documented.
Testing. Before the new prompt enters production, run it on at least one prior period's data and compare the output against the previously-validated output. If outputs differ materially, document why and confirm the new behavior is correct.
Logging. Maintain a prompt change log per workflow. Date, change description, approver, testing summary. This becomes the audit evidence trail.
This procedure is intentionally lightweight — it imposes friction proportional to the risk. It addresses the auditor's eventual question ("how do you control changes to AI components of your reporting process?") with a documented answer rather than a hand-wave.
When the external audit team eventually starts asking about AI in financial reporting workflows — and they will — the controllers who can produce a documented prompt change log demonstrate operational maturity. The controllers who can't produce one find themselves in the position of explaining why prompt changes weren't being tracked, after the fact, to a skeptical audit team. The cost of putting the procedure in place now versus reverse-engineering it later is asymmetric.
The traditional ICFR audit evidence trail for a manual process is well understood: the work product itself, the reviewer's signoff, the supporting documentation, the timestamps and identities involved. The AI-adapted equivalent is similar but adds five elements:
1. The prompt version used. Captured at the time of execution. If the prompt is changed before the next run, the prior version is archived.
2. The model version used. Whatever model and version produced the output. This matters because vendor model updates can shift outputs without your team initiating any change.
3. The input context loaded. What data, documents, or reference materials were provided to the agent. The output is meaningless without context on what was loaded.
4. The original AI output. Before any human edits. This shows what the agent actually produced versus what the human shaped it into.
5. The human review evidence. The validated output, the reviewer identity, the timestamp, and ideally a brief note on what specifically was checked or modified.
None of this requires special tooling. A folder per period per workflow with five files in it satisfies the evidence requirement. The point isn't sophistication — it's that the evidence exists and can be produced when requested.
Merchant acquiring is moving to stablecoin rails. The accounting questions are real, the guidance is sparse, and the timeline is shorter than most controllers think.
Most controllers outside of crypto-native companies think of stablecoin accounting as a niche problem — someone else's issue, relevant to fintechs and exchanges but not to mainstream corporate finance. That view is becoming wrong faster than most people realize.
The migration of payment infrastructure toward stablecoin rails is not a future event — it's happening now, in production, at scale. Major payment networks are running live stablecoin settlement pilots. Large processors have made acquisitions specifically to accelerate stablecoin payment infrastructure. Branded stablecoin products from established payments players are now live for merchant transactions. Several large acquiring processors are actively testing stablecoin-denominated merchant settlement.
The controller who works in payments, treasury, or acquiring finance and thinks "we'll deal with this when it arrives" is likely already behind. The question is not whether stablecoins will require accounting attention; it's whether you'll be building the framework or responding to an urgent CFO request after the fact.
Merchant settlement in stablecoins. Some acquirers are beginning to offer merchants the option to receive settlement in USDC rather than via ACH. The accounting question: is this a change to the liability held between authorization and settlement? What's the carrying value of a stablecoin receivable? How does a peg break affect the settlement obligation?
Treasury diversification into stablecoins. CFOs are asking whether holding a portion of working capital in stablecoins (for faster cross-border movement, for yield on idle cash) makes sense. The accounting question: what standard applies? Fair value? Amortized cost? Neither maps cleanly.
B2B payments on stablecoin rails. Cross-border vendor payments, intercompany settlements, and supply chain finance are moving toward stablecoin infrastructure because it's faster and cheaper than correspondent banking. Each transaction has an accounting moment: what rate do I use, how do I recognize FX gain/loss if any, what's the functional currency question?
Customer-facing acceptance. Some consumer-facing businesses are beginning to accept USDC as payment. Revenue recognition question: is USDC-denominated revenue recognized at spot rate at transaction date? What if the stablecoin depegs between transaction and settlement?
Here is where the honest assessment has to happen: the GAAP framework for stablecoins is incomplete. Not "evolving" in the sense of getting better — incomplete in the sense that the relevant standards weren't written with stablecoins in mind, and the analogies are imperfect enough that reasonable accountants disagree.
The FASB issued ASU 2023-08 in December 2023, requiring fair value accounting for certain crypto assets. But ASU 2023-08 explicitly applies to cryptocurrency that meets the definition of an intangible asset under ASC 350 — and there is active debate about whether a fiat-backed stablecoin meets that definition or falls somewhere else (a financial instrument? a deposit? a prepaid claim?). The FASB deliberately excluded "crypto assets that provide the holder with enforceable rights to receive a specified amount of fiat currency" from the scope of ASU 2023-08. That exclusion should cover dollar-pegged stablecoins, but the standard's application still requires judgment.
So where does that leave the controller holding USDC on behalf of merchants, or carrying PYUSD as a treasury asset? Without clear authoritative guidance, making a defensible policy election that is consistently applied and well-documented.
If your company accepts USDC as payment, the revenue recognition question is technically an ASC 606 question. The transaction price is the amount of consideration you expect to receive. For a USD-pegged stablecoin at a 1:1 peg, the answer seems simple. But the peg is not contractual — it's maintained by the issuer's reserves and redemption mechanism. A temporary depeg creates variable consideration that, strictly applied, would require a constraint analysis under ASC 606-10-32-11.
March 2023: USDC briefly traded at $0.87 following SVB's failure (Circle held approximately $3.3B in reserves at SVB). Companies that had recognized revenue at $1.00 and held the stablecoin through the depeg had a real measurement question with no established policy to apply. Building the policy before the next event is the right sequence.
The FX question is equally contested. ASC 830 applies to transactions denominated in a currency other than the entity's functional currency. If a company's functional currency is USD and it holds USDC — is that a foreign currency transaction? The intuitive answer is no, but USDC is not USD. It is a claim on a reserve, redeemable for USD at 1:1, subject to the issuer's solvency and operational continuity. Whether that claim should be treated as a USD equivalent or as a financial instrument denominated in a synthetic unit that happens to be pegged to USD is not settled.
My current view: a well-designed, dollar-pegged stablecoin with strong reserve transparency is sufficiently USD-equivalent that applying ASC 830 remeasurement would produce misleading financial information — showing volatility that doesn't correspond to any real economic exposure. But this is a judgment call that needs documentation, and one where your auditors' position matters as much as yours.
The reserve question is one of the least-discussed and most practically consequential aspects of stablecoin accounting. If your company holds stablecoins as a treasury asset or as a float against pending merchant settlements, what reserve — if any — do you carry against that balance?
The peg break history makes this non-trivial. If you're treating your stablecoin balance as a USD equivalent with no reserve, you need a policy basis for that treatment. The most defensible basis is a combination of: the issuer's published reserve attestation, the historical stability of the peg, and an assessment of the issuer's operational resilience. None of these are guaranteed, which is why a small credit reserve or disclosure of the exposure is increasingly standard practice for material balances.
For companies holding stablecoins specifically against merchant settlement obligations, there's an additional question: if the stablecoin depegs between the time you receive it and the time you settle, who absorbs the difference? The answer should be in your contracts with merchants and in your accounting policy — preferably before the scenario arises.
Build the policy before the transaction. Get ahead of the treasury and payments teams — they're evaluating stablecoin solutions now. A one-page policy covering: classification of the instrument, recognition approach, FX treatment election, peg break procedures, and disclosure requirements will serve you far better than making these calls under deadline pressure.
Pick your standard of analogies. Since there's no perfect guidance, you're reasoning by analogy. The strongest analogies: demand deposits (for reserve-backed fiat stablecoins), money market instruments (for yield-generating stablecoins), prepaid assets (for network-specific tokens). Document which analogy you've applied and why. Consistency matters as much as the choice.
Have the auditor conversation now. Your external auditors are forming views on stablecoin accounting as their clients encounter it. Getting into that conversation now — sharing your policy, getting their feedback, understanding where they'd push back — is vastly better than presenting a completed policy to ratify at year-end under time pressure.
Monitor the standard-setters. The FASB has stablecoin and digital asset accounting on its technical agenda. SEC Staff Accounting Bulletin 122 rescinded SAB 121's controversial on-balance sheet treatment for custodied crypto. This space is moving fast enough that a policy written today may need to be revisited within 12 months.
The controllers who handle this well are those who engage with it as a genuine accounting problem — uncertain, judgment-intensive, requiring real analysis — rather than either avoiding it or dismissing it as a crypto curiosity. The accounting questions are real. The transactions are coming. The framework is yours to build.
The forward-looking shift: the senior controller stops competing on output speed and starts competing on system reliability. A different job, different skills, different career math.
Open any LinkedIn job posting for a Senior Controller in 2026. You'll see roughly the same description that existed in 2016: oversight of close, technical accounting positions, SOX compliance, audit liaison, business partnership. Some forward-looking ones add "leverages technology" or "drives automation" as bullet points. None of them describe the actual job that the best controllers will be doing in 2028.
The real shift is not that controllers will use AI. The real shift is that the job stops being primarily about producing output and becomes primarily about designing the systems that produce output. The controller of 2028 spends less time writing memos, drafting flux commentary, and assembling research — and more time designing the workflows, governance frameworks, and review protocols that make AI-assisted work safe to sign.
This is a different job. The skills required are different. The career path that leads to it is different. And the people who recognize this shift first — and reposition for it — will be operating at a different altitude than peers who continued to compete on production speed.
The producer's job is to make the output. The research memo, the policy redline, the close package, the position paper. The producer's value is measured in throughput and quality. A senior producer is faster, more accurate, more insightful, more reliable than a junior producer.
The designer's job is different. The designer's value is measured in system performance over time. Did the workflow they designed produce reliable output across hundreds of instances? Did the governance framework they built survive an audit? Did the review protocol catch the errors it was supposed to catch? The designer's craft is in the architecture — the workflow, the prompts, the controls, the human-in-the-loop checkpoints, the escalation logic, the audit evidence.
The producer competes on output speed. The designer competes on system reliability. AI made the first competition winnable by anyone with a subscription. The second competition is just beginning, and it requires a fundamentally different set of skills.
This isn't an analogy. It's literally the role transition. A senior controller in 2024 might have spent 70% of their time producing and 30% of their time designing. The forward-looking controller in 2027 will spend 30% producing and 70% designing — because the production layer has been automated and the new bottleneck is in the design and governance of the automated layer itself.
The mix shifts from execution to architecture. The producer competes on output speed; the designer competes on system reliability. Different jobs, different skills, different career math.
Mapping the actual skill stack the agentic controller needs:
Workflow architecture. The ability to take a finance process — close, reconciliation, technical research, project management — and decompose it into automatable steps, judgment-required steps, and review checkpoints. This is harder than it sounds. Most controllers can't articulate their own workflow at the granularity required to safely automate it.
Prompt engineering as process design. A prompt is no longer a casual instruction to a model. In production it's a process document — versioned, tested, governed. Writing a prompt that consistently produces audit-grade output is a real skill, and it's closer to writing a control narrative than to writing a Slack message.
Control framework adaptation. The frameworks were written for human-and-software systems. Adapting them for human-and-agent systems requires understanding both the current frameworks deeply enough to know what they were trying to accomplish, and the new technology well enough to know where the gaps are.
Output validation discipline. The producer's job was to get the output right. The designer's job is to design a review process that reliably catches the errors AI-assisted output produces — which are different from the errors a junior staffer produces. This requires understanding model failure modes, not just accounting failure modes.
Cross-functional translation. The designer translates between IT (who owns the model infrastructure), Internal Audit (who tests the controls), External Audit (who assesses ICFR), and the finance team (who uses the system). This translator role didn't exist in the producer-era controller's job description. It's increasingly the centerpiece.
The honest implication, for finance leaders and ambitious controllers alike: the recruiting and development pipelines for this role don't exist yet. CFOs hiring senior controllers today are using job descriptions designed for the producer-era job. The candidates being trained in major audit firms are still being trained primarily as producers. The internal promotion ladder still rewards production excellence.
This creates a window. The controllers who recognize the role shift early, develop the designer-tier skills deliberately, and position themselves as system architects rather than process executors will compound their professional value much faster than peers who wait for the position to be standardized. By the time the formal job descriptions catch up — probably 2027 — the early movers will already occupy the senior positions and the skill premium will be priced in.
If you're in a senior controller role right now, draft your own job description for the position you'll have in 2028. Be specific about the percentage of time spent on production vs. design, the specific systems and workflows you'll own, and the deliverables you'll produce as a designer rather than a producer. Then map the skill gaps between today and that target. That gap analysis is the most valuable career artifact you can produce in the next 12 months.
For finance leaders hiring or developing controllers: the question isn't whether your next senior controller hire knows AI tools. The question is whether they can architect systems, write process specifications, and govern automated workflows. Most of them cannot — yet. The ones who can will be the ones who matter.
The other dimension of this shift, less remarked upon but possibly more consequential: the controller function is converging with functions historically separate. The CFO who needs AI deployed in finance can't simply hand the requirements to IT and expect a working system back. They need someone in the finance function who understands the technology deeply enough to design with it, govern it, and own its outputs.
That person used to be a CIO or CTO function. Increasingly, it has to be a controller — or a new role that sits between the controller and the CTO. Some companies will create a "Chief Accounting Technology Officer" role or a "Head of Finance Operations & Systems" role to hold this work. Others will simply expand the controller's mandate.
Either way: the boundary between accounting and technology, between finance operations and finance systems, is dissolving. The controllers who lean into that dissolution rather than defending against it are the ones who will define what the role becomes. The ones who treat it as a threat will find themselves managing a shrinking domain while the actual work moves elsewhere.
This isn't a feel-good piece about how AI creates new opportunities for controllers. It's an observation that the job is changing in a specific direction, that the change creates winners and losers, and that the timing window for repositioning is shorter than most people realize.
The producer-era controller wasn't worse than the designer-era controller. They were optimized for a different problem. The problem is changing. The optimization needs to change with it. The controllers who recognize this — and start the work of repositioning today, while the formal infrastructure of the role still rewards production — will find themselves disproportionately well-positioned by the end of this decade.
The ones who don't, won't.
To make the producer-to-designer transition concrete, here is a sketch of what the senior controller job description will plausibly look like in 2028. This is illustrative — not a recommendation, not a forecast. But it captures the shift in tangible language:
This role owns the design and operation of the AI-enabled financial close, control, and reporting infrastructure. Candidates will spend approximately 30% of time on production execution and 70% on system design, governance, and continuous improvement of automated workflows. Reports to the Chief Accounting Officer.
The shape of the job is recognizably "controller" — but the specific responsibilities have shifted from execution to architecture. The hiring rubric shifts with it: candidates are evaluated less on close-cycle execution speed and more on systems thinking, governance fluency, and demonstrated ability to design rather than execute.
For controllers currently in the producer mode who want to position for the designer mode, here is a practical 12-month skill development map. Not theoretical — specific, achievable, and visible to your organization:
Months 1-3: Build the inventory. Document your function's current AI use. What workflows touch AI? What tools? What controls? Producing this document — and circulating it to your CFO and CAO — establishes you as the person who is thinking about this systematically.
Months 4-6: Design one workflow end-to-end. Pick a single AI-assisted workflow and design it properly: process narrative addendum, review protocol, prompt versioning, evidence retention. Document it as the template for the rest. Share with internal audit.
Months 7-9: Lead the auditor conversation. Schedule the proactive disclosure briefing with your external audit team. Document their feedback. Update your framework based on their input. Report back to your CFO with the auditor's view captured in writing.
Months 10-12: Brief the audit committee. Develop and deliver the formal AC briefing on AI in financial reporting. Document the AC's questions, the management commitments, and the path forward. This visible governance leadership is what positions you as the system designer rather than the system operator.
None of this requires resources you don't have. None requires permission you can't get. All of it produces visible deliverables that compound your professional positioning.
For finance leaders trying to identify the people who will succeed in the designer-tier role — whether they're internal candidates for promotion or external hires — the assessment is different from traditional senior controller evaluation.
Traditional senior controller assessment looks at: Technical accounting depth, close cycle execution, audit defense skill, team management, business partnership.
Designer-tier assessment adds:
None of these are common in current senior controller evaluation rubrics. They will be by 2028. The finance leaders who incorporate them earlier will identify the designer-tier candidates earlier — and the controllers who develop these skills earlier will be the ones identified.
The producer-to-designer transition has parallel precedent in how the controller role evolved through prior technology shifts — the move from manual close to ERP-enabled close in the 2000s required a similar skill repositioning toward systems thinking. The frameworks that emerged then (COSO 2013, the original COBIT principles applied to ICFR) became the foundation for modern controllership. The frameworks that will emerge for AI-era controllership are likely to draw similarly on existing structures — including PCAOB AS 2201 for ICFR, SR 11-7 for model risk principles (covered in Article 07), and emerging SEC and FASB guidance on technology in financial reporting. The transition is new in form. The framework lineage is not.
Most audit committees haven't been substantively briefed on AI use in financial reporting. The controllers who get ahead of this with a structured AC briefing — proactive, documented, and substantive — will be in a fundamentally different position than those who get pulled into it reactively.
Most audit committees have not yet had a structured briefing on AI use in financial reporting. The reasons are predictable: the controllers haven't asked for the agenda slot, the audit firms haven't formally raised the topic, and the AC chairs are waiting for the issue to surface organically. The result is that AI is being deployed across the industry while the governance body responsible for oversight of financial reporting integrity has limited visibility into it.
This is not a sustainable position. Within the next 12-18 months, three things will happen approximately concurrently: external auditors will start asking pointed questions during fieldwork; the SEC and PCAOB will issue staff guidance that explicitly addresses AI use; and the first material AI-related restatement or disclosure failure will create the case study every audit committee chair refers to in subsequent meetings.
The controllers who get ahead of this with a structured AC briefing — proactive, documented, and substantive — will be in a fundamentally different position than those who get pulled into it reactively after a finding.
A useful audit committee briefing on AI in financial reporting addresses six things, in order:
What AI is being used for. Not vendor names. Specific workflows: flux commentary drafting, technical accounting research, reconciliation exception classification, project status synthesis, policy redline support. The AC needs to understand the surface area, not the toolchain.
Where the human accountability sits. For each workflow, who reviews the AI output, what the review specifically checks, and who signs the final deliverable. The AC's mental model should be: AI produces drafts, humans own outputs.
What controls exist. Process documentation, prompt versioning, review protocols, change management, audit evidence retention. Plain language description of each, not control numbers.
What gaps you've identified. Honest assessment of where the framework is incomplete. AC members respect candor about gaps far more than they respect a presentation that suggests everything is handled.
How you're engaging external auditors. Have they been briefed? Have they raised concerns? Where do their views align with or differ from management's? This signals to the AC that the conversation is happening.
What you're committing to before year-end. Specific, dated commitments to close identified gaps. This is the most important slide in the briefing — it transforms the conversation from "informational update" to "documented commitment."
Don't lead with technology. AC members are not interested in the model architecture. They want to understand the risk surface and how it's being managed. Open with the workflows and the controls; the technology is supporting context.
Don't oversell. Statements like "AI has dramatically improved our close" or "we've achieved [X]% efficiency gains" come across as marketing language at the AC level. The audience is sophisticated and will discount confident claims about benefits while paying close attention to claims about controls.
Don't pretend the framework is complete. If your maturity is at "partial coverage" — and most companies are — say so. Acknowledge that this is an evolving area where the standards have not yet caught up to the practice. AC members will respect this; they are accustomed to evaluating uncertainty.
Don't bring this as the last item on the agenda. If AI in financial reporting is worth briefing the AC on, it deserves real time and structured discussion. Don't squeeze it into the closing 10 minutes after auditor matters and risk register updates.
A reasonable cadence for AC AI updates is once per audit cycle initially — typically the AC meeting before fieldwork begins. This positions the AC to engage on the topic before the auditors raise it independently and creates the structured documentation that becomes part of the audit evidence. Quarterly updates may be appropriate as the deployment scales.
The briefing itself is one artifact. The artifacts it should produce — and that should live in the AC's permanent record — matter as much:
Pre-read memo. A 2-3 page document distributed before the meeting that walks through the same six topics in writing. AC members read this before the meeting; it becomes part of the meeting materials and the documented record.
Meeting minutes addendum. The minutes should reflect that the AI briefing occurred, the topics covered, the questions raised by AC members, and the management commitments made. This is the documentation auditors will reference if AI use becomes a formal audit topic.
Commitment tracker. The specific commitments made in the meeting — gap closures, process improvements, auditor engagement actions — should be tracked through to completion in subsequent AC updates. This creates the demonstrated governance posture that matters most.
The audit committee briefing on AI in financial reporting is not just a governance exercise. It is the documented evidence that financial reporting management has taken active oversight of an evolving risk area. When the regulatory environment catches up — and it will — the companies whose ACs have been actively engaged on AI governance will be in a structurally better position than those whose ACs were not.
This is also a defining moment for how the AC views the controller's role. A controller who proactively schedules this briefing, prepares it substantively, and leads the discussion with appropriate candor demonstrates strategic positioning that elevates the role. A controller who is reactive on this topic — who briefs the AC only after the auditors raise it — has lost the framing.
The briefing itself is a 30-minute agenda slot. The positioning it creates is permanent.
This piece is itself a structured template — the kind of preparation document that supports the actual briefing. Practitioners working through their own AC briefings can use this as scaffolding, adapting the specifics to their own facts. The framework is generic enough to apply across industries; the specific gaps, commitments, and auditor positions are necessarily company-specific.
If you are scheduled to brief your audit committee on AI in financial reporting in the next two quarters, two suggestions: (1) start with the documentation now — not the slides — so the substance is anchored before the visual layer; and (2) have a working session with your external audit lead beforehand, not as a courtesy but as substantive preparation. The AC's confidence in the briefing will track closely with the alignment between management's view and the auditor's view of the gaps.
The framework already exists. SR 11-7 was written for banks but transfers more directly to corporate finance AI deployments than most controllers realize. A complete, well-tested governance framework for the exact problem the accounting profession hasn't yet addressed.
Corporate finance functions deploying AI face a governance question that has no specific authoritative guidance: how do you treat a probabilistic system whose outputs influence financial reporting in a way that's defensible under audit and regulatory scrutiny? The accounting profession has not yet answered this. The technology vendors have not answered it either. But there is a complete, well-tested framework already in production for exactly this kind of system — it just lives in banking.
The Federal Reserve's SR 11-7 supervisory guidance on Model Risk Management has been the operational standard for how regulated banks govern quantitative models for over a decade. It addresses model development, validation, monitoring, change management, and governance with a level of specificity that the corporate finance world is going to need — and it transfers more directly than most controllers realize.
This piece walks through how to adapt the SR 11-7 framework to corporate finance AI deployments. Not as a regulatory requirement (it isn't one for non-banks), but as a practitioner-grade governance framework that solves a problem the accounting profession has not yet addressed.
SR 11-7 organizes model risk management around three layers of defense and four operational dimensions. The three lines of defense are familiar: model owners (front line), independent validation (second line), and internal audit (third line). The four operational dimensions are where the framework gets specific:
Model development standards. What documentation must accompany a model — purpose, theory, data, assumptions, limitations, testing. The bank version is rigorous; the corporate finance equivalent for an AI workflow needs to address: what the workflow is for, what data feeds it, what assumptions are embedded in the prompt, what testing demonstrates it works, and where it fails.
Validation. Independent assessment of whether the model performs as intended. For banks this is a dedicated function; for corporate finance, it can be a controller from a different team, a senior accountant outside the deployment workflow, or an internal audit reviewer. The principle is independence from the development.
Ongoing monitoring. Continuous evaluation of model performance — does it still produce reliable output? Has the input data shifted? Has the underlying technology changed in ways that affect performance? For AI workflows this is non-trivial because the model itself can change without you initiating it.
Governance and oversight. Who approves models, who reviews validation findings, what reporting flows to senior management and the board. Banks have model risk committees; corporate finance functions can use existing governance committees but need to ensure AI deployments are explicitly on the agenda.
Adapting SR 11-7 to corporate finance AI use requires translation, not adoption. Three concepts need rethinking:
"Model" becomes "AI-assisted workflow." Banks have discrete quantitative models with documented mathematical formulations. Corporate finance AI deployments are workflows that combine: a base model, a prompt, context loading, human review, and output integration. The unit of governance is the workflow, not the model — but the same dimensions apply.
"Validation" becomes "review protocol design." Banks validate models by testing outputs against known data and theoretical expectations. Corporate finance AI workflows are validated by designing review protocols that reliably catch the errors AI produces — citation drift, mischaracterization, missed nuance. The review protocol is the validation framework.
"Ongoing monitoring" becomes "drift detection." When the underlying language model is updated by the vendor (a new release of the same model name, or a deprecation of an older version), your workflow's outputs may shift without you initiating any change. Monitoring needs to detect output drift across model updates — which means establishing baseline outputs and periodically re-running them to check for regression.
SR 11-7 was written for models that were stable between human-initiated changes. The frontier challenge for AI in financial reporting is that the underlying technology can change without notice — a vendor model update can shift outputs across hundreds of workflows simultaneously. The governance framework needs to address this in a way that bank model risk management was never designed for.
A practical corporate finance Model Risk Management framework, adapted from SR 11-7 principles, includes five components:
1. AI workflow inventory. A documented register of every AI-assisted workflow that influences financial reporting. For each: workflow name, purpose, controls owner, data inputs, prompt version, output, review protocol, and risk classification.
2. Workflow development standards. Required documentation for any new AI-assisted workflow before it goes into production: purpose, design rationale, intended output, identified failure modes, review protocol, evidence retention plan, and approval record.
3. Independent review function. A defined process for someone outside the workflow to assess design adequacy. For most companies this is a controller from another team or an internal audit reviewer. Quarterly cadence is reasonable for routine workflows; new deployments should be reviewed before going into production.
4. Continuous monitoring program. A defined process for detecting output drift, including: baseline output samples for key workflows, periodic re-execution to compare against baseline, monitoring of vendor release notes for model changes, and incident response when material drift is detected.
5. Governance and reporting. Defined reporting cadence to the controller, CFO, and audit committee on framework operation, identified issues, and remediation status. This is the layer that demonstrates oversight to external auditors and the board.
SR 11-7's three-lines-of-defense structure adapts directly to corporate finance AI deployments. The principle of independence between workflow operation and workflow validation is the framework's most important contribution.
The framework does three things that the current ad-hoc AI governance most companies have does not:
It creates an inventory. Most companies cannot today produce a list of every AI-assisted workflow that touches financial reporting. The first deliverable of this framework is exactly that document — and producing it surfaces deployments the controller didn't know were happening.
It separates development from validation. The single biggest weakness in current corporate AI governance is that the same person who builds the workflow also reviews it. SR 11-7 specifically addresses this with mandated independence; corporate finance MRM should adopt the same principle.
It addresses model drift explicitly. The vendor-model-update problem is the single most under-addressed issue in current AI governance. The framework treats it as a continuous monitoring requirement rather than as a category of incident.
Within 18-24 months, three forces will converge to make some version of this framework the de facto standard for corporate finance AI deployments. External auditors will start asking for documentation that looks remarkably like SR 11-7 elements. Audit committees, learning from the bank governance examples on their boards, will start expecting framework-level oversight. And the SEC's eventual guidance on AI in financial reporting will draw substantially from existing federal regulatory frameworks — including SR 11-7.
The controllers who have started building this framework now will not be doing anything different from what they're doing in 2027. They'll just be 24 months ahead of the controllers who waited for the formal guidance to land. That timing window — the cost of being early vs. the cost of being late — is the practical reason to adopt this framework before it's required.
The framework is publicly documented in SR 11-7 and the supporting Federal Reserve materials. The translation layer to corporate finance is straightforward. The implementation work is real but not exotic. The only question is whether you start it before or after the auditor asks.
The first deliverable of the framework is the AI workflow inventory. Here's what one entry looks like in practice — using the flux commentary workflow as the example:
Producing one of these entries takes 30-45 minutes per workflow once the template is established. The first deployment will surface workflows that don't yet have documentation. That gap-discovery is itself part of the framework's value.
The Line 2 review function — independent assessment of workflow design — produces a documented validation memo. Here's the structure:
The memo is typically 3-5 pages for a moderate-complexity workflow. It becomes the audit evidence of independent validation — the artifact an external auditor will eventually request when assessing whether the framework operates as designed.
The continuous monitoring requirement is where corporate finance MRM diverges most from bank MRM. The challenge: when the underlying language model is updated by the vendor, your workflow's outputs may shift without anyone on your team initiating a change. The framework needs to detect this.
A practical drift detection procedure has four components:
1. Baseline output capture. For each high-importance workflow, capture 3-5 representative output samples at a known model and prompt version. These are the baseline.
2. Periodic re-execution. Quarterly (or after any vendor model update notification), re-run the same inputs through the current model and prompt version. Compare outputs against baseline.
3. Drift assessment. Outputs that differ materially from baseline trigger investigation. Material drift is judgment-based but typically means: characterizations that materially differ, citations that materially differ, or formatting changes that affect downstream use.
4. Documentation and response. Material drift events are logged with: detection date, drift description, suspected cause (vendor model update, prompt change, input change), remediation action, and updated baseline. The log becomes part of the framework evidence trail.
Most controllers using AI in production today receive no formal notification when their vendor (Anthropic, OpenAI, Google, Microsoft) updates the underlying model. The model version "claude-3-5-sonnet" used in February may behave subtly differently from "claude-3-5-sonnet" used in May, even though the version label looks the same. This is the gap the drift detection procedure exists to address — and it's the most under-recognized control issue in current corporate AI governance.
For finance leaders considering whether and how to implement this framework, here is a recommended sequence over a typical 6-month rollout:
Month 1. Complete the AI workflow inventory. This is the highest-leverage single deliverable — it surfaces the actual AI footprint and creates the foundation for everything else.
Month 2. Document the highest-risk workflow end-to-end using the framework. Use it as the template. Get internal audit's input on the documentation quality.
Month 3. Establish the independent validation function — designate the reviewer, define the cadence, run the first validation on the documented workflow.
Month 4. Brief external audit on the framework. Document their feedback. Refine based on their input.
Month 5. Roll the documentation template across remaining material workflows. Establish the prompt library and change log.
Month 6. Deliver the framework briefing to audit committee. Establish the ongoing reporting cadence.
By month 6, you have a documented framework, an inventory, validated workflows, an active independent review function, an engaged external auditor, and an informed audit committee. That's the operating posture that lets you say — to whoever asks — that AI in financial reporting is governed at your function. Most companies in 2026 cannot say this. By 2028, the ones that can will be a meaningful fraction of public companies. The framework is how you join that fraction earlier.
The Public Company Accounting Oversight Board has been notably quiet on AI in audited financial statements relative to the pace of adoption. That silence is ending. The window between regulatory signaling and audit-firm playbooks is the next 18 months — and it's preparation time, not a pause.
The Public Company Accounting Oversight Board has been notably quiet on AI in audited financial statements relative to the pace of adoption in finance functions. That silence is ending. Recent PCAOB inspection findings, staff statements, and the agency's stated priorities for the next inspection cycle indicate that AI use in financial reporting — both by audit firms and by their audit clients — is moving from a watchlist topic to an active inspection focus.
For controllers at public companies, this matters because PCAOB inspection findings have a predictable downstream effect: when the PCAOB criticizes how an audit firm assessed a topic, that firm's audit teams begin asking pointed questions on that topic across their entire client base within 6-12 months. The companies whose finance functions are unprepared get pulled into reactive responses; the companies that have anticipated the questions get to lead the conversation.
This piece walks through what the PCAOB is signaling, what audit firms are likely to do in response, and what controllers should have ready before the questions land.
The PCAOB has not yet issued formal staff guidance specifically on AI in audited financial statements. What it has issued is more telling: inspection-cycle priorities that mention "the use of technology by registered public accounting firms," staff publications on the use of automated tools in audits, and informal commentary by board members at industry conferences acknowledging that the inspection focus is broadening.
The pattern matches the regulator's historical playbook. The PCAOB tends to: (a) signal a topic of interest through staff statements and inspection priorities, (b) develop inspection findings as audit firms encounter the topic in client engagements, (c) issue formal staff guidance once a critical mass of findings has accumulated, and (d) eventually update audit standards if findings persist.
We are currently in step (a)-(b). The first wave of formal PCAOB findings on AI use is likely 12-18 months away based on the typical cadence. Staff guidance follows another 6-12 months after that. Audit standard updates, if they come, are 3-5 years out.
The window between "PCAOB has signaled interest" and "audit firms have detailed playbooks for assessing client AI use" is roughly the next 18 months. Controllers who treat this window as preparation time — building the documentation, controls, and auditor positioning before the formal inspection regime hardens — will be in materially different positions than those who treat the silence as the absence of urgency.
Inside major audit firms, internal working groups have been developing AI audit assessment frameworks for the better part of two years. These frameworks are not yet publicly issued — and in many cases not yet finalized internally — but they share common elements that audit teams will eventually deploy:
Inquiry protocols. Standard questions audit teams will ask of every audit client about AI use, regardless of whether the client volunteers the information. Examples: "Does the company use AI tools in any process that produces financial reporting outputs?" "Are these uses documented in process narratives?" "What controls exist over AI tool changes?"
Risk assessment additions. AI use will become a standard component of audit risk assessment for in-scope clients, with specific risk factors flagged when AI is used in areas with high audit attention (estimates, complex revenue, reserves, disclosures).
Walkthrough modifications. Audit walkthroughs of AI-assisted controls will require additional procedures: review of AI tool documentation, evaluation of review protocols, assessment of change management, and testing of human override or correction mechanisms.
ITGC scope expansion. AI tools used in financial reporting will be added to ITGC scope assessments. The challenge: most existing ITGC frameworks were not designed for the specific risks AI tools introduce (model updates, prompt changes, output drift).
None of these are speculation. These are the categories of work currently underway inside major audit firms, and they will surface as audit team behaviors within the next 12 months — earlier at the firms that get there first, slightly later at firms that follow.
The preparation isn't exotic. It's the same governance work the rest of this site has been describing — but framed specifically for the inspection conversation that will eventually happen.
The AI use inventory. A current document listing every AI-assisted workflow that touches financial reporting, with: workflow purpose, AI tool used, controls applied, evidence retained. When the auditor inquiry happens, you produce this document. The document itself signals operational maturity.
The control documentation. Process narratives that explicitly address AI use. Control descriptions that name the AI involvement and the human review. Evidence retention practices that capture model versions, prompt versions, and output review documentation.
The auditor briefing record. Documentation that you have proactively engaged your external auditors on this topic. Date of the briefing, topics covered, auditor views captured, follow-up commitments tracked. This becomes the audit evidence that demonstrates ongoing dialogue rather than reactive response.
The audit committee documentation. Minutes reflecting that AI in financial reporting has been substantively briefed at the AC level, with management commitments tracked through to completion.
The incident response. A documented procedure for what happens if an AI output error is discovered after publication of financial statements. This is the question that, when asked, separates the prepared from the unprepared most cleanly.
When the inquiry happens — and it will — the framing of the response matters as much as the substance. Three suggestions for how to position the conversation:
Lead with the framework, not the technology. The audit team's concern is risk to financial reporting, not the elegance of your AI deployment. Open with the governance framework: how AI use is documented, controlled, reviewed, monitored. The technology details are supporting evidence.
Acknowledge the gaps that exist. No company's AI governance framework is complete. The auditor's job is to assess risk, not to grade your maturity. Honest acknowledgment of where your framework is still being built is a more credible posture than a defensive presentation that suggests everything is handled.
Frame the framework as an evolving response to evolving risk. AI in financial reporting is a domain where authoritative guidance has not yet been issued. Sophisticated audit teams will recognize this. The defensible posture is one that demonstrates the framework is a thoughtful response to identified risks, refined as the regulatory and technical environments evolve.
PCAOB inspection findings are lagging indicators of regulatory attention. The attention has already arrived. The findings will follow within 18 months. The audit firm responses will follow within 6 months of the findings. The questions on your audit will follow within 6 months of the firm responses.
The math is straightforward: companies that build the documentation now have approximately 24 months before the first significant audit conversation on AI happens. Companies that wait until the audit team raises it have 0 months.
The work is the same either way. Only the framing of the conversation changes — proactive demonstration of governance versus reactive response to inquiry. Most controllers, given the choice, will recognize which framing they want to be in.
FedNow is in production. Stablecoin networks settle 24/7 globally. Real-time payment rails are reshaping the operational reality the close cycle was designed for. The accounting profession hasn't formally addressed the disconnect — but practitioners are already running into it.
The accounting profession has organized itself around a periodic close model since GAAP was codified. Month-end. Quarter-end. Year-end. The close cycle is the heartbeat of the controller's calendar — every workflow, every reconciliation, every reporting deadline is anchored to a defined cutoff. The model assumes that financial activity has discrete temporal boundaries that align with the calendar.
Real-time settlement rails break this assumption. FedNow is in production. Stablecoin settlement runs 24/7 with no scheduled downtime. Real-time gross settlement systems are being adopted across global banking infrastructure. The B2B payments and treasury management systems built on these rails do not stop at month-end. They do not pause for cutoff. They settle continuously.
This creates an accounting model problem that the profession has not yet confronted directly: when transaction settlement is continuous, what does "month-end" actually mean? When the rails operate 24/7 across multiple time zones with no synchronized close, how do you define the period that financial statements report on?
The term covers several distinct technological developments with different accounting implications:
FedNow. The Federal Reserve's instant payment system, launched in July 2023, allows U.S. financial institutions to send and receive payments in real time, 24/7. As adoption scales over the next 24-36 months, B2B payments that historically settled via ACH on a 1-3 day delay will increasingly settle in seconds, including on weekends and holidays.
Stablecoin settlement networks. USDC, USDT, PYUSD, and increasingly tokenized deposit networks settle 24/7 globally with no scheduled downtime. Cross-border B2B payments using these rails settle in minutes regardless of correspondent bank operating hours.
RTP (Real-Time Payments) Networks. The Clearing House operates RTP, similar to FedNow but bank-driven. Adoption among large corporates is accelerating.
The common thread: financial activity that historically occurred during defined banking hours and settled on T+1 or T+3 schedules is increasingly occurring continuously and settling in real time. The accounting period boundary that worked for slower rails — define a cutoff time, capture transactions as of that moment — becomes harder to apply.
The cutoff question. If your company sends and receives payments via FedNow at 11:59:58 PM and 12:00:02 AM on the last day of the month, both transactions are economically part of the month-end activity for the counterparty on the other side. But your reporting cutoff is 11:59:59 PM. The 12:00:02 transaction belongs to the next period in your books. This is a small problem at low volume; it becomes a control and reconciliation problem at scale.
The cross-border timing question. If you settle a payment via stablecoin to a counterparty in Singapore, the settlement occurs at the same moment in absolute time but at different "calendar dates" depending on functional currency and time zone. For period-end financial reporting purposes, which date governs?
The weekend close question. Traditional close timelines assume that financial activity pauses on weekends. As 24/7 settlement scales, weekend activity becomes a meaningful portion of total volume — and the close process that was designed around a Friday-evening cutoff has to accommodate Saturday and Sunday transactions that weren't part of the model.
The reconciliation cadence question. Daily bank reconciliations were designed for systems that posted in batch overnight. With continuous settlement, the bank balance changes continuously. Daily reconciliation becomes a moving-target exercise unless the cadence shifts to either real-time monitoring or end-of-day point-in-time captures.
The accounting framework still requires periodic financial statements. The underlying systems are increasingly continuous. The reconciliation work between the two — defining cutoffs, applying them consistently, documenting the choices, ensuring controls operate at the right cadence — is the new operational burden the profession is starting to recognize but has not yet structurally addressed.
The term "continuous accounting" has been used loosely in software marketing for years, often referring to faster month-end closes. The forward-looking version — actual continuous accounting that responds to real-time settlement infrastructure — has different operational characteristics:
Continuous reconciliation. Rather than reconciling balances at month-end, the system reconciles continuously, with discrepancies flagged and routed for resolution as they occur. The month-end activity becomes review of cumulative reconciliation status rather than execution of the reconciliation itself.
Always-on cutoff procedures. Period boundaries are defined in advance and applied automatically as transactions occur. A transaction settled at 11:59:58 PM on the last day of the month is captured in the closing period; a transaction at 12:00:02 AM is captured in the new period. The judgment about "which period this belongs to" is made before the transaction occurs, not after.
Continuous controls operation. Controls that previously operated on a periodic basis (monthly review of certain accounts, quarterly assessment of estimates) shift to continuous monitoring with periodic certification. The control evidence is generated continuously; the controller's review confirms operation rather than executes the review itself.
Real-time exception management. Exceptions that historically aged for days or weeks before identification are flagged immediately. The senior controller's role shifts from "find the exceptions at month-end" to "respond to exceptions as they emerge and ensure they don't accumulate."
Companies that operate substantially on real-time rails — payments-heavy businesses, fintechs, treasury operations of multinationals — are already encountering these issues operationally even where the accounting framework hasn't formally caught up. The practical responses converging across these operations:
Defined and documented cutoff policies. The "month-end is 11:59:59 PM EST" assumption is being formalized into written policy that addresses cross-border timing, weekend activity, and continuous-settlement-system specifics.
Continuous reconciliation infrastructure. Reconciliation tools that operate continuously rather than in nightly batches, with exception aging and routing built in.
Controller staffing model changes. The traditional close-cycle staffing pattern (heavy load at month-end, lower load mid-month) doesn't fit continuous operations. Continuous accounting requires more even staffing across the month with focused review at period-end rather than execution-heavy month-end cycles.
Control framework adaptation. Controls designed for periodic execution (monthly reconciliation, quarterly review) are being redesigned for continuous operation with periodic certification — a different control architecture entirely.
The professional bodies — FASB, AICPA, IFRS — have not yet issued specific guidance on continuous accounting in real-time settlement environments. They will eventually have to, because the disconnect between "financial reporting period" and "settlement reality" is going to surface as a recognition, measurement, or disclosure issue at some companies before it gets addressed at the standards level.
For controllers in payment-heavy or treasury-intensive businesses: this is a planning horizon issue right now, not a current-period issue. The companies whose finance functions start adapting to continuous-accounting principles before the rails reach critical mass will operate from a meaningfully better position than companies that wait for the standards to catch up.
For controllers in less rail-exposed businesses: the planning horizon is longer, but not infinite. Within 5 years, real-time settlement will be the default for most B2B payment activity. The accounting framework will adapt. The controllers who understand the operational implications now will be the ones designing the systems that operate within the new framework.
The close doesn't end anymore. The accounting profession has not yet figured out what that means in practice. The practitioners who are working through it now will be the ones who define how it gets answered.
A Working Reference for Controllers Deploying Agentic AI
Not a course. Not a PDF. A continuously updated reference covering the frameworks, tools, templates, and protocols relevant to controllers thinking through agentic AI deployment. Built and maintained by a practitioner. Free to use. Updated as the practice evolves.
How to think about agentic AI in the finance function
The framework starts with a single question: does a human need to sign their name to this output and defend it under audit, board, or regulator scrutiny?
That question divides every finance workflow into one of three categories — agent-led, human-gates, or human-only — and the categorization determines everything else: how you deploy, how you govern, what controls you need, and what review discipline applies.
Diagnose your current state across four dimensions
Where are you on the agentic AI adoption curve? Twelve questions across Workflow Awareness, AI Fluency, Control Framework, and Strategic Positioning. Scored 0–100 with personalized gap analysis and a tailored 30/90/180-day action plan.
Classify every finance workflow into the right deployment category
Not every workflow belongs in the same automation tier. The taxonomy applies the framework to specific use cases — flux commentary, technical research, reserve methodology, audit defense — and tells you for each one: what the agent should do, what you must own, and where it predictably breaks.
Production-grade prompts by workflow type
Eight workflow categories — Technical Accounting, Close & Reporting, Memo & Policy Writing, SOX & Controls, Reserve & Estimates, Finance Projects, Digital Assets, Stakeholder Communication — each with three prompt variants tuned to the level of rigor the work requires. Quick, Research-grade, and Audit-defensible Deep Dive.
What audit-grade documentation looks like for AI-assisted work
The unwritten work for every controller using AI in production: documenting the use, defining the review protocol, version-controlling prompts, and producing audit evidence that survives PCAOB AS 2201 inspection. Five practical artifacts every finance function will need:
Scripts and protocols for the conversation you need to have
Most controllers using AI in production have not yet had the structured conversation with their external auditors. The longer they wait, the more reactive that conversation becomes. The OS provides three structured artifacts:
What to study, in order, to operate at the frontier of this work
The questions land faster than the published answers. The reading list is curated to put you ahead of where the formal guidance currently is — drawing on standards, regulator commentary, peer disclosures, and adjacent-field practitioner work that informs the controller's job.
This is a living reference. Material changes are logged here so you can track what's evolved.
Audit-readiness diagnostic across five control dimensions. Built for controllers and CFOs who need to know — before the audit team asks — where their AI governance gaps are.
Output: a printable maturity heatmap with severity-rated findings and 30/90/180-day action items. Suitable to share with your CFO or audit committee.
Describe a finance workflow step by step. Get back a deployment recommendation per step — Agent-Led, Human Gates, or Human Only — with reasoning grounded in the framework.
A consolidated reference of standards, guidance, and primary sources cited across this site, plus the author's full attestation regarding the nature of the content. Material on this site cites named authoritative sources where relevant; this page brings them together in one place.
Authorship. All content on this site is authored by Nico Rivera in a personal capacity. Articles, frameworks, prompt templates, and interactive tools represent the author's professional judgment and personal exploration of agentic AI in the controller function.
Independence from employer. No content on this site is derived from, based on, or shared based on any non-public information from any current or former employer, client, partner, or affiliate. The site does not represent the views, policies, or practices of any organization with which the author is or has been associated.
Source basis. Articles cite authoritative sources — including PCAOB standards, FASB pronouncements, SEC staff statements, Federal Reserve guidance, NIST frameworks, and other publicly available materials — where positions or analysis is offered. Where the author offers a personal interpretation or framework, this is identified as such.
Currency. The author maintains this site as a living reference. Articles are dated, the Operating System is versioned, and material updates are logged on the OS page. Readers should evaluate currency relative to the date noted on each piece.
Limitations. The author is not the reader's accountant, lawyer, auditor, or financial advisor. No content on this site constitutes professional advice. Use is governed by the full Educational Disclaimer in the site footer.
The following authoritative sources are cited across articles on this site. Each article includes its own "Sources & Further Reading" block at the bottom for piece-specific references; this index aggregates them.
Inline citations. Where an article makes a claim that depends on a specific authoritative source, the source is named inline (e.g., "PCAOB AS 2201" or "ASU 2023-08"). This allows readers to verify the basis for the claim against the underlying authoritative material.
Per-article references. Each article includes a "Sources & Further Reading" block at its conclusion listing the named authoritative sources, primary materials, and adjacent professional publications relevant to the piece. These are starting points for further reading, not exhaustive bibliographies.
Author interpretation. Where the author offers a framework, position, or interpretation that goes beyond what is explicitly stated in authoritative sources, this is the author's professional judgment exercised in a personal capacity. The author's view is not authoritative guidance and should be evaluated alongside, not in place of, the underlying standards.
Currency. Standards and guidance evolve. References on this site are believed accurate as of the publication or update date noted on each article. Readers should verify current status against primary sources before relying on any information for decision-making.
Prompt Tool
Optimized, copy-ready prompts by workflow type. Pick a category, add context, get three variants — Quick, Research, and Deep Dive. No API needed.