AI in Finance:
Governance Handbook
for the CFO

Compliance, External Auditors, and Decision Layer
before August 2026

Author: Bert Gogolin, Managing Director
Publisher: Gosign GmbH, Hamburg
Date: March 2026
Length: 28 pages

1 Why the CFO Must Lead AI Governance in Finance

2 Three types of financial decisions: Human, Rule-based, AI

3 EU AI Act: Requirements for the financial sector

4 External auditors as governance partners

5 4 Finance processes in the Decision Layer

6 Finance Readiness Assessment

7 Next steps

Revenue lost to fraud worldwide

ACFE 2024

42%

Invoices still processed manually

IFM 2024

88-95%

Zero-Touch rate in the Decision Layer

Gosign Projects

1 - Why the CFO Must Lead AI Governance in Finance

AI in finance is not an IT project. It is a governance project with a technical component.

Who defines the threshold above which an invoice is automatically approved? Who sets alert thresholds for fraud detection? Who decides whether an AI agent may process journal entries without human review?

The answer is not the CIO. It is the CFO.

According to ISACA (2024), 73% of organizations have no formal AI governance framework. In finance, this means critical processes such as accounts payable, month-end close, and fraud detection are running without defined control structures.

The Institute of Finance & Management (2024) reports that 42% of all invoices in accounts payable are still processed manually. The automation wave is coming. The question is not whether, but under whose governance.

Three governance levels

Level	Responsibility	Who
Decision matrix	Defines what the agent may do and what stays with humans	Finance + Legal
Audit trail	Every action logged, versioned, reproducible	IT (technical), Finance (review)
Role model	Who monitors, who approves, who escalates	Finance
Auditor interface	Documentation for external auditors and internal audit	Finance + Auditor
Escalation path	What happens when confidence is low or uncertain	Finance + IT

Checklist

Before the first agent goes live in the finance department:

What AI is already in use in finance? (Including informal use)
Who in Finance is responsible for AI governance?
Is the external auditor informed about planned AI deployments?
Are there defined thresholds and escalation paths?

According to Gartner (2024), 30-40% of all AI projects fail due to missing governance structures. Not technology. Not budget. Organization.

2 - Three Types of Financial Decisions

Every finance process consists of hundreds of micro-decisions. The Decision Framework classifies each one.

Type	Decides	Examples
Human (H)	Controller or CFO	Credit decision >100k, impairment, accounting policy
Rule-based (R)	GAAP, IFRS, tax law	VAT calculation, account assignment, payment terms, depreciation
AI-suitable (A)	Agent with Confidence Routing	Invoice classification, anomaly detection, duplicate check

The golden rule for Finance

AI classifies, it does not calculate. An agent recognizes that an invoice is a service invoice. But the cash discount calculation is handled by the rule engine.

Rules calculate, they do not decide. The rule engine applies the VAT rate. But whether an impairment is recognized is a human decision.

Humans decide where law or materiality requires it. Not because they are better at it - but because GAAP, IFRS, and audit obligations demand it.

Agent Readiness Score for Finance

Score = (R + A) / Total x 100

Finance process	Score	Meaning
Accounts Payable (AP)	85-95%	Highly automatable (rule-dominated)
Travel Expense Management	80-90%	Highly automatable
Financial Close	65-75%	Well automatable (many review steps)
Fraud Detection	55-70%	Partially automatable (extensive Human-in-the-Loop)
Credit Decisions	30-45%	Primarily human (high-risk)

The lower the score, the more Human-in-the-Loop. That is not a deficiency - it is by design.

3 - EU AI Act: Requirements for Finance

The EU AI Act classifies AI systems for creditworthiness assessment as high-risk (Annex III No. 5b).

AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud.

From August 2026, six mandatory requirements apply (subject to the Digital Omnibus Package - potential postponement to December 2027):

Requirement	Art.	Decision Layer
Risk management	9	Confidence Routing - confidence score per decision, configurable threshold
Data governance	10	Versioned rule sets - every change traceable
Record-keeping	12	Audit trail - input, rule, confidence, result logged
Transparency	13	Decision Layer documentation - every posting traceable
Human oversight	14	Enforced Human-in-the-Loop - architectural, not optional
Accuracy/Robustness	15	Anomaly monitoring - integration with ICS

Important delineation

Not every AI in finance is high-risk. Accounts payable (invoice processing) does not fall under Annex III. But once an AI system influences credit decisions about natural persons, the high-risk requirements apply. Fraud detection for legal entities is explicitly excluded.

Compliance checklist

Risk management documented (Art. 9)
Data governance implemented (Art. 10)
Audit trail active (Art. 12)
Transparency documentation available (Art. 13)
Human-in-the-Loop architecturally enforced (Art. 14)
Anomaly monitoring set up (Art. 15)

Penalties: Up to EUR 15 million or 3% of global annual turnover.

4 - External Auditors as Governance Partners

External auditors do not object to AI. They object to poorly documented systems.

According to PwC (2024), 78% of external auditors see AI as an opportunity to improve audit processes - provided the documentation is in place. EY (2024) reports that companies with end-to-end audit trails complete the annual audit 3-4 weeks faster.

Audit-relevant requirements (ISA 315)

Audit area	Requirement	Decision Layer
Completeness	Every transaction recorded	Gapless logging
Accuracy	Amounts and account assignments correct	Versioned rule sets with test protocols
Timeliness	Recording in correct period	Timestamp in every audit log entry
Traceability	From source document to posting and back	Document linkage in the Decision Layer
Authorization	Authorized approval	Role model with approval chain

The Auditor Portal

In the Decision Layer, the external auditor is not an outside observer drawing samples at year-end. The Auditor Portal gives the auditor continuous access to:

Which decisions were automated (Zero-Touch vs. Human-in-the-Loop)
Which rules were applied per posting
How often escalation occurred and why
Statistical analyses (error rates, anomaly reports)
Configuration history (which threshold was active when)

AI Literacy obligation (since February 2025)

Art. 4 EU AI Act: All persons who operate or oversee AI systems must have sufficient AI competence. According to BCG (2024): allocate 12-22% of the AI budget for training.

Role	Training content	Refresher
Accountant/Controller	System understanding, escalation, result interpretation	Annual
External Auditor	Audit functions, audit approach for AI	Annual
CFO/Finance Leadership	Governance framework, compliance, strategy	Semi-annual
IT Operations	Technical operations, monitoring, incident response	Quarterly

5 - 4 Finance Processes in the Decision Layer

Accounts Payable (AP) - Automating invoice processing

According to the Institute of Finance & Management (2024), 42% of all incoming invoices are still processed manually. Average cost: EUR 8-12 per invoice (Ardent Partners 2024).

Decision	Type	Example
Invoice classification	AI	Materials, services, capital expenditure
Vendor matching	AI + Rule	Vendor recognition, master data matching
VAT calculation	Rule	Standard rate, reduced rate, reverse charge, intra-community
Account assignment	Rule	Cost center, GL account, project
Duplicate check	AI	Invoice number, amount, date
Three-way match	Rule	Purchase order, goods receipt, invoice
Approval >10k	Human	Department head confirms
Payment proposal	Rule	Discount-optimized, liquidity planning

Result: 88-95% Zero-Touch. Cost per invoice from EUR 8-12 to EUR 1-2. Processing time from 5-7 days to 1-2 days.

Travel Expense Management - 40-120 micro-decisions

According to GBTA Foundation: USD 58 per case, 19% error rate, USD 52 per correction. Additionally: travel expenses are the most frequent area in tax audits.

Decision	Type	Example
Receipt classification	AI	Hotel, meals, taxi, flight, rail
Per diem calculation	Rule	Country, duration, deductions per local tax rules
Meal entertainment 70/30	Rule	70% deductible, 30% non-deductible
VAT recovery	Rule	Invoice formally correct, VAT stated
Anomaly detection	AI	Unusually high, clustering, weekend activity
Approval on deviation	Human	Policy violation - manager confirms

Result: 85-92% Zero-Touch. Cost per case from USD 58 to USD 8-12.

Financial Close - Accelerating month-end close

According to Hackett Group (2024): average 6.4 days for the month-end close. Best-in-class: 4.8 days.

Phase	Decision	Type
Account reconciliation	Actual vs. expected comparison	Rule
Accruals	Period-end accruals	Rule
Provisions	Known provisions	Rule
Intercompany	IC reconciliation	Rule + AI
Impairments	Receivables valuation	Human
Balance sheet review	Plausibility check	AI + Human
Sign-off	Final approval	Human

Result: Month-end close from 6-7 days to 3-4 days. 70-80% of reconciliations automated.

Fraud Detection

According to ACFE (2024): 5% revenue loss due to fraud, average 12 months to discovery.

Check	Type	Example
Duplicate invoices	Rule + AI	Same amount, similar number, same period
Phantom vendors	AI	New vendor, no web presence
Amount anomalies	AI	Significant deviation from purchase order value
Segregation of Duties	Rule	Four-eyes principle violated
Unusual patterns	AI	Clustering just below approval threshold
Suspected case	Human	Escalation to compliance

Result: Detection time from 12 months to real-time. False positive rate below 5%.

6 - Finance Readiness Assessment

10 questions for the CFO. Rate each with 0 (no), 1 (partially), or 2 (yes).

#	Question	0	1	2
1	We have an overview of all AI systems in finance (including shadow AI).	☐	☐	☐
2	There is a person responsible for AI governance in finance.	☐	☐	☐
3	The external auditor is informed about AI usage.	☐	☐	☐
4	For each automated financial decision, the type is defined: H, R, or A.	☐	☐	☐
5	An audit trail exists for AI-assisted postings.	☐	☐	☐
6	Escalation paths and amount thresholds are documented.	☐	☐	☐
7	Finance employees have completed AI training (Art. 4).	☐	☐	☐
8	Internal audit has AI processes in the audit plan.	☐	☐	☐
9	Our internal control system covers AI-assisted processes.	☐	☐	☐
10	We have a plan for August 2026.	☐	☐	☐

Score	Rating	Recommendation
16-20	Ready	Select a pilot process and build the Decision Layer.
10-15	Foundation in place	Formalize governance. Involve the external auditor.
5-9	Catching up needed	Prioritize AI Literacy and inventory.
0-4	Action required	Start immediately. EU AI Act deadlines are running.

Investment rule (McKinsey 2024)

1 EUR technology = 4-5 EUR processes, governance, change management.

Technology	15-20%
Process design	30-35%
Governance	20-25%
Change management	20-25%

7 - Next Steps

The 90-day plan

Month	Focus	Result
1	Inventory	AI overview, governance ownership, auditor informed, pilot process identified
2	Design	Workflow audit, H/R/A classification, thresholds, ICS documentation
3	Pilot	Decision Layer built, parallel operation, measurement after 4-6 weeks

Consultation

We will show you the Decision Layer applied to your own finance processes.

30 minutes, free of charge, no obligation.

Bert Gogolin - Managing Director, Gosign GmbH

Contact: www.gosign.de/en/contact

Web: www.gosign.de