Risk & regulatory context
Materiality, internal controls, and auditor expectations — the finance-specific rules of the road that decide what AI may touch and what evidence must exist.
Other functions adopt AI under general company policy. Finance adopts it inside a lattice of obligations that predate and outrank any AI policy — and the good news is that the lattice, understood properly, tells you exactly how to deploy AI safely. Three concepts do most of the work:
- Materiality — errors large enough to change a reader's view of the financials. It calibrates everything: AI drafting commentary on an immaterial expense line is a different risk universe than AI touching revenue recognition. Map every proposed use case to what it could misstate and by how much — that one habit sorts ambitious ideas into safe/gated/forbidden faster than any framework.
- Internal controls over financial reporting (ICFR) — the formal system (SOX-style for public companies; good practice everywhere) of preventive and detective controls with named owners and testable evidence. The AI implication is symmetric and crucial: AI inserted into a controlled process either preserves the control or becomes a control deficiency — and a deficiency severe enough to matter escalates, in audit-standard terms, to a significant deficiency or a material weakness. AI can also strengthen controls (checking 100% of invoices where humans sampled 5%). Deficiency or upgrade is a design choice, made in Module 5.
- Auditability — for any AI-touched number, you (not the vendor) must be able to show: the input, the tool and version, the output, the human review, and any changes. Auditors are converging on exactly these expectations. Build the trail from day one (it's two extra columns in a log, as the labs show) and audit season is boring; retrofit it in Q4 and it's archaeology under deadline.
The bright lines (write these into your policy verbatim if you like)
- AI never posts to the ledger unreviewed. Draft entries, suggested codings, proposed matches — all of it lands in a review queue with a human approver whose name goes in the log.
- AI never approves its own extraction. The system that reads the invoice can't be the check on the invoice; three-way match logic (Module 2) keeps its independence.
- Confidential stays classed. Vendor banking details, payroll, unreleased results — each has a data class, each class has approved tools, no exceptions at month-end when everyone's tired. (Your company's classification scheme applies; the labs model masking.)
- Model changes are control changes. When a vendor swaps its underlying model or you edit a production prompt, a controlled process noticed, tested, and logged it. This one surprises IT and delights auditors — get ahead of it.
These are the finance-floor instances of company-wide machinery: the risk-appetite statements and governance charters of Enterprise AI Strategy & Governance, and the control matrices and audit-evidence discipline of AI Governance, Risk & Compliance. If your company has those structures, this course plugs your workflows into them; if it doesn't, your Module 5 artifacts become the finance function's local version — which is historically how governance starts anyway.