14 Questions a Business Leader Should Be Able To Answer Before Relying on AI Outputs

AI is already working its way into finance, operations and reporting. In some cases, it’s already inside the systems you’re using every day.

The technology is more widely available every day. But can you rely on the outputs? What happens once AI starts feeding your reporting and decision-making?

Many teams are investing time into figuring out what AI can produce. Fewer focus on what needs to be in place before you should trust it. Ultimately, that depends on your organization’s risk appetite, governance, monitoring and how consistently AI outputs are validated over time.

For business leaders, that means answering disciplined questions early on.

Governance Has To Come First

AI should be no exception to the governance principles leaders already know from risk, controls and reporting. You still need ownership. You still need clear reporting. You still need a way to make consistent decisions. AI changes the speed and scale of the issue, but it does not remove the need for structure.

Governance must be the start of everything. If organizations move straight to use cases, outputs, and efficiency gains without settling governance first, they create gaps that will only be harder to deal with later.

AI has the power to influence how decisions are made in your organization, how information is produced and how much confidence leadership can place in what it sees. Before teams start using it in finance, reporting or operations, someone needs to own the process, define expectations and decide how much risk the organization is actually willing to take on.

Questions To Answer

  1. Who owns AI use across the organization?
  2. Have AI expectations been clearly defined for your teams?
  3. How has the organization defined its risk appetite around AI?
  4. Where is AI already influencing reporting, analysis or operational decisions?

Monitoring Is The Control Most Organizations Miss

Organizations want AI because they want to see what it can produce. But because AI changes quickly, AI outputs can change quickly too.

That change may come from the underlying data. It may come from a change in the ERP system the model is using. It may come from the way the tool learns from activity over time. A use case may look fine on day one and begin drifting later.

Drift occurs when the output changes over time because something underneath it has changed. The prompt may be the same, but the data, systems or model behavior no longer are. You can put the exact same prompt into four different engines and end up with seven different responses.

This is the point where AI risk changes from theoretical to operational. When hallucinations go unchecked or drift is ignored, the issue shows up in reporting, decision-making and confidence in the information leaders are using.

Monitoring and validation are core parts of the control conversation. Establish a review process that is specific enough to catch unreliable output before it gets used and define criteria for what counts as acceptable variance. Create documentation around how the output is being checked, especially in areas tied to finance, reporting and operations.

Even once you’ve established a sound approach to monitoring AI outputs, it should be an active process, as opposed to a one-time setup step. Don’t assume that the system is still working just because it worked before. Establish checkpoints after major changes to data sources, system configurations or workflows, and look for evidence that someone is validating whether the output still makes sense.

AI’s hallucinations and drift are part of the risk leaders have to plan for. And practical concerns like these belong in implementation and monitoring discussions from the beginning.

Questions To Answer

  1. How are AI outputs reviewed after deployment?
  2. What triggers a reassessment of an AI output?
  3. How does the organization know when a change in data or systems has affected reliability?
  4. How are incorrect or fabricated outputs identified before they are used?
  5. How does the organization watch for changes in output quality over time?
  6. What validation steps are required before AI output affects reporting, analysis or decision-making?

Use a Framework You Already Understand

Most organizations already have a structure in place for internal controls and risk, even if it is not always called out directly (e.g., in SOX, in financial reporting or in how control issues are evaluated and reported). There is already a defined way to determine what a control is, whether it is working, how serious a deficiency is and how that information moves up to leadership or the Board.

When AI starts to be used inside those same processes, the easiest move is to treat it separately and build something new around it. Different functions approach it from their own perspective. IT looks at model behavior. Finance looks at how output ties to reporting. Compliance applies a regulatory lens.

Each perspective is valid, but if each group is using a different structure, the inputs do not line up. The terminology is different. The way risk is described and measured is different. Time gets spent interpreting what each group is saying rather than evaluating the issue itself.

Instead of introducing another framework, extend the one that already exists. (Most businesses are already relying on COSO’s Internal Control Integrated Framework in some capacity, whether through internal control frameworks, financial reporting or governance.) Extending it keeps the same definitions, the same expectations and the same structure for evaluating and reporting issues.

Issues are described the same way as other control issues. Severity is assessed using the same criteria. Escalation follows the same path. Leadership can look at what is being presented and understand it within a system they already use.

Layering a separate framework on top of what is already there creates another set of definitions and another way of evaluating risk. Keeping AI within COSO avoids that added layer.

Questions To Answer

  1. Are teams using a common approach to AI risk and controls?
  2. Is AI being folded into an existing control framework or handled separately by each function?
  3. Can leadership and the Board evaluate risk consistently across the organization?
  4. Which controls should be tested first?

Taking a Practical Approach Matters Most When Teams Need To Act

Most organizations are already feeling some kind of pressure to move on AI. For many, that pressure turns into rushed decisions based on vague encouragement.

A practical approach keeps the conversation from stalling out at the strategy level. Knowing what to put in place first, what to monitor next and where to be careful helps leadership teams move from general interest in AI to actual control decisions.

If you’re already using AI in reporting or decision processes, the next step is understanding where the output is being relied on and how it’s being validated today.

To learn more, access COSO’s Generative AI Guidance, or contact your Warren Averett advisor.
