The SEC's Real Position: Principles-Based Guidance Means Existing Rules Apply Now
The SEC chief accountant said AI is the most significant issue in financial reporting right now. Then his office said something that many CPAs misread as good news: we won't write prescriptive rules for it.
Here is what actually happened. The SEC's deputy chief accountant, speaking at a June 2026 staff conference, made clear that "it would be hard to create something prescriptive or definitive" given how fast AI changes. But then came the critical part: the SEC's existing frameworks already cover AI use. According to the SEC, "COSO's principles-based frameworks as well as the SEC's guidance regarding management's reporting of internal control over financial reporting (ICFR) are helpful resources for practitioners." No new rulebook is coming. Your clients must apply the rules already on the books—right now, to every AI touchpoint in their financial statements.
This distinction matters. CPAs who heard "no new rules" heard "we can wait for clarification." What they should have heard: existing standards are already in force, and the SEC is watching to see if your firm knows how to apply them.
Does the SEC Have Specific Rules for AI in Accounting Yet?
No. But that does not mean your clients have a grace period. Instead of new rules, the SEC plans to issue reminders and raise important questions about AI-specific risks—hallucinations, model drift, biases and data quality. These reminders will not create new obligations. They will simply highlight how existing ICFR and COSO frameworks already require your clients to address these risks.
Think of it this way. COSO internal control framework already requires organizations to identify business processes, design controls around them, and monitor them for effectiveness. If your client runs revenue recognition through an AI model without a human validator checking the output, that is not a new rule violation. It is a COSO control gap that should have been closed under rules that existed before AI was mainstream.
| Questions Your Engagement Letter Should Ask | What This Signals | Your Client's Answer Should Include |
|---|---|---|
| "What AI tools touch your financial statements?" | COSO control identification | Specific tool name, process it supports, frequency of use |
| "Who validates the output before you record it?" | Human oversight requirement | Role of reviewer, sampling rate, documentation of spot-checks |
| "How do you know the model is still accurate?" | Monitoring and model drift detection | Revalidation schedule, threshold for remediation, escalation path |
| "What happens if the AI output is wrong?" | Override protocol and correction process | Who can override, who reviews overrides, documentation trail |
Three Questions Your Audit Clients Should Answer Before Their Next Engagement
Here is how this scenario typically unfolds. A finance team at a mid-market company uses AI to model revenue recognition. The auditor's engagement letter asks a new question: "Please describe all AI tools used in financial reporting, including validation and oversight." The finance team has no written answer. They use the tool. They spot-check results sometimes. Nothing else is documented. The auditor flags this as a control gap. It goes to the audit committee. Now the company is scrambling to document a process that should have been designed before AI was deployed.
This cycle is happening faster than you might think. The SEC's principles-based stance means your clients cannot wait for new rules. They need to answer three questions before their next audit cycle begins. Firms should map every AI touchpoint in financial reporting this quarter and be ready with documented answers.
Why This Matters Now
The SEC chief accountant has made clear that FASB and the SEC are coordinating closely on AI disclosure standards. Hohl's office meets very frequently with FASB to share emerging accounting issues. What this signals: new guidance may arrive sooner than you expect. Firms that wait for prescriptive rules to appear may find themselves behind when standards accelerate. The window to audit clients about AI use in financial reporting is now—this quarter, before year-end planning starts.
Free CPA AI Policy Checklist
Before staff paste client data into AI, check the rules your firm is missing.
Get the free checklist and join the Dispatch for practical AI controls, vendor questions, and client-data safeguards for accounting teams.
Free. No spam. You will also get the Nexairi Dispatch.
What Your Engagement Letter Should Ask About AI
Your current engagement letter template likely does not ask about AI. If you send the same template you used in 2023, it will not survive the next audit planning cycle. Peers are already adding AI questions. Here is what to include: identify all AI tools used in financial reporting, describe the human validation process at each stage, specify frequency of revalidation, explain how the firm detects and corrects model drift, and confirm that data used to train or operate the tool is secure and confidential. These questions are not new requirements under a new rule. They are existing ICFR and COSO control questions applied to AI use. For example, if a client uses an AI tool to reconcile revenue accounts—something Deloitte, EY and Grant Thornton audit teams are increasingly asking about—the engagement letter needs to ask whether the client validates the reconciliation output before relying on it for financial reporting.
What This Means for Your Firm This Quarter
Do not wait for the SEC to issue reminders. Your audit clients are using AI in financial reporting right now. Here is what to do.
1. Map every AI touchpoint in your clients' financial reporting. Revenue modeling, impairment calculations, reserve estimation, forecasting—walk your clients through their month-end close and year-end process. Ask where AI is used. For each tool, note the person who operates it, what the output is used for, and whether a human reviews it before it goes into the financial statements.
2. For each touchpoint, confirm there is a documented human validation checkpoint. If your client runs a model and uses the output without review, that is a COSO control gap. It is not a violation of a future rule. It is a violation of frameworks that exist today. Review the documentation. Ask: Is the reviewer competent? Is the review timely? Is there a sampling plan or is every output reviewed? Is the review documented?
3. Update your engagement letter template before the next audit cycle. Draft language asking clients to describe AI tools used in financial reporting, the validation process, the frequency of model revalidation, and the process for detecting errors. Make it standard. Send it with every engagement letter starting next quarter. Start with a simple checklist: Is the AI tool used for revenue recognition, reserves, impairment testing, or forecasting? Who validates the output? Is that validation documented? If clients answer "no" to documentation, add it as an audit follow-up.
4. Brief your audit committee clients now. If you audit public companies or large private companies with audit committees, schedule a conversation about how AI affects financial reporting control and disclosure. Position your firm as the expert. This conversation builds trust and deepens your advisory relationship. It also signals that you take the risk seriously before questions become audit findings.
Sources
- Thomson Reuters: SEC Staff Eye AI Reminders, Not Prescriptive Rules for Financial Reporting
- KPMG: Q&A with Kurt Hohl, SEC Chief Accountant
- COSO Internal Control Framework (2013 update)
- SEC Office of Chief Accountant: Guidance on Management's Assessment of Internal Control over Financial Reporting
Related Articles on Nexairi
Free Assessment
Is your firm ready for AI?
A 5-minute governance check for CPA firms using ChatGPT, Copilot or AI accounting software. Get your score and your top gaps — free.
The Nexairi Accounting Desk covers AI's impact on accounting, tax, financial advisory, and practice management — translated into plain language for CPAs, CFOs, and accounting professionals. All content published under this byline is reviewed by Sydney Smart, CPA, CFO, Principal of Simply Smart Consulting.
More from this desk
