Section 11: Governance & Risk

Finance AI Adoption Framework

Governance models, risk frameworks, control structures, and audit-friendly AI approaches for finance and tax functions.

The Finance AI Paradox

Finance professionals need AI the most (high-volume, complex, rule-based work) but trust it the least (audit requirements, regulatory scrutiny, personal liability). This framework bridges that gap.

Key Finance Requirements for AI

Requirement | Why It Matters | How AI Must Adapt
--- | --- | ---
Audit trail | External auditors need to trace any number | AI outputs must be reproducible and logged
Explainability | Regulators require reasoning, not just answers | AI must show its working, not just conclusions
Accuracy | Financial misstatement has legal consequences | AI must be verified before reliance
Consistency | Same facts should produce same treatment | AI should follow documented policies
Timeliness | Reporting deadlines are non-negotiable | AI must be reliable and available
Confidentiality | Market-sensitive information | AI processing must respect data boundaries
Professional skepticism | Auditor mindset: question everything | AI outputs must be critically reviewed

Governance Model

Three Lines of Defense for AI

Line | Role | AI Governance Responsibility
--- | --- | ---
1st Line: Operations | Finance/Tax teams using AI | Follow AI usage policies, verify outputs, document use
2nd Line: Risk & Compliance | AI governance function | Set policies, monitor compliance, assess risks
3rd Line: Internal Audit | Independent assurance | Test controls, verify governance effectiveness

AI Usage Policy Framework

Tier 1: Unrestricted Use

  • Research and information gathering
  • Drafting internal communications
  • Brainstorming and ideation
  • Personal productivity (meeting notes, email drafting)
  • Training and learning

Tier 2: Supervised Use (Output must be reviewed before use)

  • Tax advisory memos (requires expert review)
  • Financial analysis and commentary
  • Compliance documentation
  • Stakeholder presentations
  • Process documentation

Tier 3: Restricted Use (Requires approval and enhanced controls)

  • Data feeding into financial reporting
  • Communications to tax authorities
  • External-facing documents
  • Calculations used in returns or provisions
  • Anything affecting published financial statements

Tier 4: Prohibited

  • Autonomous financial transactions
  • Unsupervised regulatory filings
  • Replacement of professional judgment on material matters
  • Processing of inside information
  • Decisions affecting employee compensation or employment

Risk Framework

AI Risk Register for Finance

Risk | Likelihood | Impact | Mitigation | Residual Risk
--- | --- | --- | --- | ---
Incorrect tax advice adopted without review | Medium | High | Mandatory expert review for Tier 2+ | Low
Confidential data exposed via AI processing | Low | High | Enterprise-only AI tools, data classification | Low
Overreliance reducing professional competence | Medium | Medium | Skills maintenance requirements, rotation | Low-Medium
AI hallucination in financial context | Medium | High | Source verification requirement, dual-check | Low
Audit trail gaps from AI-assisted processes | Medium | Medium | Logging requirements, documentation standards | Low
Regulatory non-compliance with AI governance | Low | High | Policy framework, monitoring, training | Low
Vendor lock-in to specific AI platform | Medium | Medium | Multi-provider strategy, portable content | Low-Medium

Risk Assessment Matrix for New AI Use Cases

Before deploying AI for any finance process, assess:

Criterion | Score 1 (Low) | Score 3 (Medium) | Score 5 (High)
--- | --- | --- | ---
Financial materiality | <€10K impact | €10K-€500K | >€500K
Regulatory sensitivity | Internal only | May affect filings | Directly in regulatory scope
Reversibility | Easily corrected | Correctable with effort | Difficult/impossible to reverse
Professional judgment required | Rules-based, mechanical | Some judgment needed | Significant judgment/interpretation
Data sensitivity | Public/internal | Confidential | Highly restricted

Scoring: sum the five criteria (range 5 to 25). Total < 8 → Tier 1/2 use appropriate. Total 8-15 → Tier 2 with enhanced review. Total > 15 → Tier 3 or Prohibited. Because every criterion scores an odd number, the total is always odd, so the bands are 5-7, 9-15 and 17-25 in practice; a total below 8 means at most one criterion is Medium and none is High.

Control Framework

Controls for AI-Assisted Processes

Control Type | Control Description | Frequency | Evidence
--- | --- | --- | ---
Preventive | AI usage training completion required | Before first use | Training records
Preventive | Data classification before AI input | Each use | User attestation
Detective | Output review by qualified professional | Each Tier 2+ output | Review sign-off
Detective | Periodic sample testing of AI outputs | Monthly | Testing workpapers
Detective | Source verification for factual claims | Each advisory use | Source documentation
Corrective | Error reporting and correction process | As identified | Incident log
Monitoring | Usage analytics and pattern monitoring | Weekly | Dashboard review
Monitoring | Quality scoring of AI outputs | Monthly | Quality metrics

User attestation is self-reported, so the data classification control is only as strong as the person making the attestation. Where the tooling allows, pair it with a technical preventive control (restricting AI use to the approved enterprise tools named in the risk register) so that the classification step cannot simply be skipped.

AI Output Documentation Standard

For any AI-generated content used in a formal capacity, document:

  1. Input: What was provided to the AI (prompt text, reference data, and the model and version used)
  2. Output: What the AI generated (raw output preserved verbatim, before any edits)
  3. Review: Who reviewed, when, and what changes were made
  4. Verification: What sources were checked to validate factual claims
  5. Decision: How the AI output was used in the final deliverable
  6. Classification: What tier this use falls under
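The following Python sketch is an added example and not part of the framework text. It implements the six-field record above as an append-only, hash-chained log, so that a later edit to any preserved prompt, output or sign-off breaks the chain and is detectable by internal audit; it also derives the record's tier from the scoring rule in the Risk Framework section. The function names (`tier_from_scores`, `append_record`, `verify_chain`), the JSON field layout and the two sample records are constructed for illustration.

```python
import hashlib
import json
from typing import Dict, List

# Criteria from the risk assessment matrix; each is scored 1, 3 or 5.
CRITERIA = ("materiality", "regulatory", "reversibility", "judgment", "data_sensitivity")
GENESIS_HASH = "0" * 64  # prev_hash of the first record in a chain (assumption)


def tier_from_scores(scores: Dict[str, int]) -> str:
    """Apply the matrix rule: total < 8 -> Tier 1/2, 8-15 -> Tier 2 enhanced, > 15 -> Tier 3/Prohibited."""
    missing = set(CRITERIA) - set(scores)
    if missing:
        raise ValueError(f"missing criteria: {sorted(missing)}")
    bad = {k: v for k, v in scores.items() if v not in (1, 3, 5)}
    if bad:
        raise ValueError(f"scores must be 1, 3 or 5: {bad}")
    total = sum(scores[c] for c in CRITERIA)
    if total < 8:
        return "Tier 1/2"
    if total <= 15:
        return "Tier 2 (enhanced review)"
    return "Tier 3 or Prohibited"


def _canonical_hash(payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def append_record(chain: List[dict], *, prompt: str, reference_data: str, model: str,
                  raw_output: str, reviewer: str, reviewed_at: str, changes: str,
                  sources_verified: List[str], decision: str, scores: Dict[str, int]) -> dict:
    """Append one documentation record; its hash also covers the previous record's hash."""
    body = {
        "input": {"prompt": prompt, "reference_data": reference_data, "model": model},
        "output": {"raw": raw_output},  # raw output preserved verbatim, before edits
        "review": {"reviewer": reviewer, "reviewed_at": reviewed_at, "changes": changes},
        "verification": {"sources_checked": sources_verified},
        "decision": decision,
        "classification": {"scores": scores, "tier": tier_from_scores(scores)},
        "prev_hash": chain[-1]["record_hash"] if chain else GENESIS_HASH,
    }
    record = dict(body, record_hash=_canonical_hash(body))
    chain.append(record)
    return record


def verify_chain(chain: List[dict]) -> int:
    """Return the index of the first record whose hash or back-link is broken, or -1 if intact."""
    prev = GENESIS_HASH
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body.get("prev_hash") != prev or _canonical_hash(body) != rec.get("record_hash"):
            return i
        prev = rec["record_hash"]
    return -1


def build_sample_chain() -> List[dict]:
    """Two constructed records with sample data (not real advisory work)."""
    chain: List[dict] = []
    append_record(chain,
                  prompt="Summarise the interest deductibility limits in the attached memo.",
                  reference_data="internal memo 2024-17 (constructed sample)",
                  model="example-model-2024-06",
                  raw_output="Summary text as generated (constructed sample)",
                  reviewer="A. Reviewer", reviewed_at="2024-07-01T09:30:00Z",
                  changes="Corrected the threshold figure; removed one unsupported sentence.",
                  sources_verified=["Tax code section cited in memo 2024-17"],
                  decision="Used as the basis for an internal research note.",
                  scores={"materiality": 1, "regulatory": 1, "reversibility": 1,
                          "judgment": 3, "data_sensitivity": 1})  # total 7 -> Tier 1/2
    append_record(chain,
                  prompt="Draft the uncertain tax position note for the Q4 provision.",
                  reference_data="Q4 provision workpaper (constructed sample)",
                  model="example-model-2024-06",
                  raw_output="Draft note text as generated (constructed sample)",
                  reviewer="B. Partner", reviewed_at="2024-07-02T14:05:00Z",
                  changes="Rewritten; AI draft retained only as a checklist of issues.",
                  sources_verified=["Provision workpaper", "Prior-year filing"],
                  decision="Not used directly; human-authored note replaces it.",
                  scores={"materiality": 5, "regulatory": 5, "reversibility": 3,
                          "judgment": 5, "data_sensitivity": 3})  # total 21 -> Tier 3
    return chain


if __name__ == "__main__":
    sample = build_sample_chain()
    print("chain intact:", verify_chain(sample) == -1)
    sample[0]["output"]["raw"] = "edited after sign-off"
    print("first broken record after tampering:", verify_chain(sample))
```

The chain only proves that nothing was altered after the fact if the head hash is anchored somewhere the people writing records cannot change, for example copied to the second-line AI governance function or into the monthly testing workpapers; a chain that lives entirely in the preparer's own store can be silently rebuilt. Recording the model identifier in the input field matters because re-running the same prompt against a later model version will not in general reproduce the preserved output.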

Human-in-the-Loop Models

Model 1: AI Drafts, Human Finalizes (Most Common)

Task Identified → AI Generates Draft → Human Expert Reviews → Human Finalizes → Deliverable
                                              ↓
                                    Reject (back to AI with feedback)
                                    OR
                                    Accept with modifications

Best for: Advisory memos, research summaries, email drafts, report narratives

Model 2: Human Leads, AI Assists (High Judgment)

Human Designs Approach → Human Performs Core Analysis → AI Validates/Extends → Human Confirms
                                                              ↓
                                                    AI checks calculations
                                                    AI identifies missed issues
                                                    AI suggests improvements

Best for: Tax provisions, complex advisory, regulatory filings

Model 3: AI Monitors, Human Decides (Continuous)

Data Stream → AI Monitors Continuously → AI Flags Anomalies → Human Investigates → Action
                                                ↓
                                    Normal → No action (logged)
                                    Anomaly → Alert to human reviewer

Best for: Transaction monitoring, compliance tracking, threshold alerts

Model 4: AI Executes, Human Audits (Low Risk, High Volume)

Routine Task → AI Performs → Results Logged → Periodic Human Audit of Sample → Confirm/Correct

Best for: Meeting note generation, email categorization, data extraction from standard documents

Audit-Friendly AI Approaches

What Auditors Will Ask

Question | Your Prepared Answer
--- | ---
"How do you ensure AI outputs are reliable?" | "Mandatory human review for anything in Tier 2+, source verification policy, quality sampling."
"Can you reproduce this analysis?" | "Yes. Prompts, reference data and the model version are logged, and the raw outputs are preserved in our documentation system. Because re-running a prompt can produce different text, reproducibility rests on the preserved output and its review trail, not on re-generation."
"What controls prevent AI errors in financial reporting?" | "Multi-level framework: data classification prevents sensitive data input, review controls prevent unvalidated outputs, and monitoring detects patterns of concern."
"How do you maintain professional competence?" | "AI augments but does not replace. Team members must demonstrate competence independent of AI through training requirements and rotation."
"What is your AI governance structure?" | "Three lines model with clear policies, documented controls, and independent monitoring."

Documentation Requirements for Audit

Process | Documentation Needed | Storage Location
--- | --- | ---
Tax research using AI | Prompt + output + review notes + sources verified | SharePoint - Advisory Archive
Financial analysis | Input data + AI analysis + human adjustments + sign-off | Working paper files
Report generation | Template + AI draft + reviewer changes + final version | Reporting documentation
Compliance checking | Checklist + AI assessment + human verification + conclusion | Compliance files

Change Management for AI Adoption

Addressing Resistance

Concern | Response Strategy
--- | ---
"It will make my job redundant" | Show how AI handles the tedious parts, freeing time for high-value judgment work
"I can't trust something I don't understand" | Demonstrate with simple examples, show how to verify, build gradually
"What if it makes a mistake I don't catch?" | That's why we have tiered controls. The same risk exists with human colleagues; we mitigate it with review.
"My professional qualification requires personal responsibility" | Absolutely. AI is a tool like a calculator or research database. Your judgment remains yours.
"The regulator won't accept AI-prepared work" | Regulators accept Excel-prepared work. AI is the next tool. The key is documentation and oversight.

Maturity Model: Finance AI Governance

Level | Name | Description | Key Indicators
--- | --- | --- | ---
1 | Ad Hoc | Individual experimentation, no governance | No policy, no monitoring, no controls
2 | Awareness | Policy exists, basic training deployed | Written policy, training records, basic classification
3 | Managed | Controls operating, monitoring active | Review sign-offs, usage tracking, quality sampling
4 | Optimized | Data-driven improvement, embedded in processes | Quality metrics trending positive, continuous improvement
5 | Strategic | AI governance enables competitive advantage | Governance enables faster AI adoption, trusted by auditors

Current estimated level: 1-2
12-month target: 3
36-month target: 4