By Gana Misra, CEO, Finrep
Mon Jun 15 2026

MD&A Flux Commentary Automation Under US GAAP


The MD&A flux commentary process is one of the most time-consuming recurring tasks in the SEC reporting cycle, and one of the most poorly systematised. Every quarter, Controllers and FP&A teams manually translate P&L bridges into narrative explanations of period-over-period changes, classify drivers, assign approximate attributions, and produce first-draft commentary that then travels through a review cycle before entering the 10-Q or 10-K.

The process is repeated identically each quarter. The inputs are structured. The output format is defined by the filing requirements of Item 303. The analytical framework — identify the change, identify the drivers, quantify each driver, address offsetting factors — does not change from period to period.

This is precisely the profile of a workflow where automation delivers measurable return. The MIT Project NANDA study of 300 enterprise AI deployments identified back-office automation with structured inputs and defined output formats as the category producing the highest returns. MD&A flux commentary meets both criteria. The question is not whether automation applies here. The question is how to structure it so the output is Item 303-compliant, auditable, and defensible under the COSO framework for AI in financial reporting.

What Is MD&A Flux Commentary and What Does Item 303 Require It to Contain?

Flux commentary is the narrative explanation of material period-over-period changes in financial results that Item 303 of Regulation S-K requires in the results of operations section of the MD&A. The word "flux" is a practitioner term for the change analysis. The regulatory obligation is precise: the discussion must explain the reasons for material changes in each line item, quantify the contribution of each material driver to the extent reasonably available, and address any significant offsetting factors.

The core analytical output of flux commentary has three required components that must appear for every material line item change.

The direction and magnitude of the change. Revenue increased $6.8 million, or 11.2%, compared to the prior year quarter. This is the numerical foundation. It comes from the financial statements. It is not a judgment call.

The drivers and their individual contributions. Volume growth contributed $4.2 million of the increase, pricing improvements contributed $3.1 million, and payor mix shifts partially offset these increases by $0.5 million. This is the analytical layer. It requires management's revenue bridge or equivalent internal reporting to produce.

The forward-looking trends statement where known conditions apply. If the drivers are expected to continue, reverse, or intensify in future periods, Item 303(b)(2)(ii) requires disclosure of that known trend or uncertainty. This is the judgment layer. No automated system can produce this component without human input.

Understanding which of these three components is automatable and which is not is the prerequisite for designing an effective automation workflow. The first component is entirely automatable from structured financial data. The second is partially automatable if the internal management reporting bridges exist. The third is not automatable at all. Attempting to automate it introduces the category of AI risk COSO's February 2026 guidance specifically addresses: the plausible hallucination that is harder to catch than an obvious error.

What Does the Automation Workflow Actually Look Like?

An effective MD&A flux commentary automation workflow has four stages. Each stage has defined inputs, a defined output, and a defined human touchpoint.

Stage 1: Data extraction and bridge preparation.

The inputs are the current period P&L, the comparative period P&L, and the internal management reporting bridge that breaks down the change in each material line item by driver. The bridge is the critical input. If the bridge does not exist in a structured, queryable format, the automation cannot proceed at the driver level. It can only produce commentary at the net change level, which does not satisfy Item 303's quantification requirement.

For companies whose internal reporting already produces a structured revenue bridge, cost bridge, and margin bridge by driver category (volume, price, mix, FX, one-time items, and other), this stage is essentially data formatting: converting the bridge into a structured table that the automation layer can consume.

For companies whose bridges exist in unstructured Excel workbooks, this stage requires a data preparation step. The bridge must be extracted, standardised, and formatted before it can be used as an automation input. This is a one-time investment with recurring benefit: once the bridge is in a structured format, every subsequent period uses the same structure.

Stage 2: Draft commentary generation.

The automation layer takes the structured bridge as input and produces draft commentary for each material line item. The prompt structure that produces a usable, Item 303-compatible output has four required elements.

A materiality threshold that focuses output on material changes only. The dual threshold — a dollar floor and a percentage floor — applied simultaneously ensures the automation produces commentary only for changes large enough to be material. A $250,000 dollar floor and a 5% percentage floor, applied together, ensures that a $300,000 change on a $400,000 base (75%) generates commentary but a $300,000 change on a $10 million base (3%) does not, unless the dollar amount alone crosses the floor.

A driver classification requirement. For every line item commentary, the model classifies the primary driver using a defined taxonomy: volume, price, mix, FX, timing, one-time item, or "DRIVER UNCLEAR: analyst input required." The taxonomy must be defined in the prompt, not left to the model to infer. The DRIVER UNCLEAR escape hatch is the critical discipline: it prevents the model from attributing changes to drivers that the bridge does not support, which is the most common source of inaccurate flux commentary.

A source citation requirement. Every figure in the draft commentary must be traceable to a specific line in the bridge or the P&L. The prompt should require the model to cite the source line for each figure it uses. This makes the output verifiable in minutes rather than requiring a full re-check of every number.

An explicit prohibition on forward-looking language. The automation layer produces historical analysis only. The prompt must explicitly prohibit any language about expected future results, anticipated trends, or management's outlook. Forward-looking content belongs in the human-added trends paragraph, not in the automated draft. Including it in the automated output creates safe-harbor liability risk and produces language that is almost certainly not grounded in management's actual view.

Stage 3: Human review, driver validation, and trends addition.

The automated draft goes to the Controller or FP&A Manager with three specific review tasks.

Driver validation: confirm that every driver classification accurately reflects the business reality for the period. The automation classifies based on the bridge. The bridge classifies based on the system. The system may not capture everything. A $2 million favourable volume variance that is actually driven by the pull-forward of a specific customer order requires the human reviewer to override the volume classification and note the specific business context.

DRIVER UNCLEAR resolution: every item flagged as DRIVER UNCLEAR must be resolved before the draft proceeds. These are not suggestions. Under Item 303, if the company knows the driver and it is material, it must be disclosed. A DRIVER UNCLEAR flag that leaves the draft is an Item 303 deficiency.

Trends paragraph addition: for each line item where known conditions are likely to produce a material effect on future results, the human reviewer adds the forward-looking trends statement. This is the disclosure that the automation explicitly cannot produce. It requires management's actual knowledge of current conditions. No prompt instruction changes this.

Stage 4: Consistency check and disclosure committee preparation.

Before the automated and human-reviewed commentary enters the 10-Q or 10-K, a final consistency check confirms that every figure in the narrative matches the financial statements, that the drivers disclosed in the commentary are consistent with what management said in the earnings release and earnings call transcript, and that every relative modifier (significant, meaningful, modest) has been resolved to a specific figure. Each of these checks can be run as a separate automated pass against the draft, producing a flagged inconsistency list for the disclosure committee to resolve.
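The figure, modifier and open-flag checks can be sketched as one automated pass over the draft, preceded by a check that the bridge's drivers sum to the net change. This is an added example, not Finrep's code: the bridge layout, the draft text, the issue codes and the function names are assumptions constructed for illustration, and the comparison against the earnings release and call transcript is not covered.

```python
import re
from decimal import Decimal

# Constructed bridge in $ millions; the revenue figures reuse the article's example.
BRIDGE = {
    "Revenue": {
        "net_change": Decimal("6.8"),
        "pct_change": Decimal("11.2"),
        "drivers": {"volume": Decimal("4.2"), "price": Decimal("3.1"),
                    "mix": Decimal("-0.5")},
    },
}

# Constructed draft with three planted defects: a figure the bridge does not
# support, a modifier with no figure, and a DRIVER UNCLEAR flag left open.
DRAFT = (
    "Revenue increased $6.8 million, or 11.2%, compared to the prior year quarter. "
    "Volume growth contributed $4.2 million and pricing improvements contributed "
    "$3.4 million. Payor mix shifts had a modest offsetting effect. "
    "Cost of revenue decreased. DRIVER UNCLEAR: analyst input required."
)

MODIFIERS = ("significant", "meaningful", "modest", "strong", "robust")
DOLLARS = re.compile(r"\$(\d+(?:\.\d+)?) million")   # assumes "$X.X million" style
PERCENT = re.compile(r"(\d+(?:\.\d+)?)%")

def bridge_tie_out(bridge):
    """Line items whose driver amounts do not sum to the reported net change."""
    return [name for name, row in bridge.items()
            if sum(row["drivers"].values()) != row["net_change"]]

def allowed_figures(bridge):
    """Every dollar and percentage figure the source bridge supports."""
    dollars, percents = set(), set()
    for row in bridge.values():
        dollars.add(abs(row["net_change"]))
        dollars.update(abs(v) for v in row["drivers"].values())
        percents.add(abs(row["pct_change"]))
    return dollars, percents

def check_draft(draft, bridge):
    """Return (sentence_number, issue, detail) findings for the committee list."""
    dollars, percents = allowed_figures(bridge)
    findings = []
    sentences = re.split(r"(?<=[.!?])\s+", draft.strip())
    for n, sentence in enumerate(sentences, start=1):
        amounts = [Decimal(m) for m in DOLLARS.findall(sentence)]
        pcts = [Decimal(m) for m in PERCENT.findall(sentence)]
        findings += [(n, "FIGURE_NOT_IN_SOURCE", f"${a} million")
                     for a in amounts if a not in dollars]
        findings += [(n, "FIGURE_NOT_IN_SOURCE", f"{p}%")
                     for p in pcts if p not in percents]
        if not amounts and not pcts:  # a modifier needs a figure in its sentence
            findings += [(n, "UNSUPPORTED_MODIFIER", w) for w in MODIFIERS
                         if re.search(rf"\b{w}\b", sentence, re.IGNORECASE)]
        if "DRIVER UNCLEAR" in sentence:
            findings.append((n, "UNRESOLVED_DRIVER_FLAG", sentence))
    return findings

if __name__ == "__main__":
    print("bridge tie-out failures:", bridge_tie_out(BRIDGE))
    print(*check_draft(DRAFT, BRIDGE), sep="\n")
```

Matching figures by exact value catches a transposed or invented number but not a correct number attached to the wrong driver, which remains a reviewer task.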

What Prompt Structure Produces Item 303-Compatible Output?

The prompt that produces reliably usable flux commentary has a specific structure that prevents the failure modes that generic prompts produce. The following maps each required element to the specific failure mode it prevents.

Opening: role and regulatory frame. The prompt opens by assigning the role of FP&A analyst drafting variance commentary for the MD&A results of operations section of a Form 10-Q under US GAAP. This constrains the model to the correct regulatory register and prevents it from producing commentary in the format of an internal management presentation or an investor relations document, both of which have different conventions from an SEC filing.

Data block: the structured bridge. The bridge data is pasted as a structured table with four columns: line item, current period amount, prior period amount, and variance by driver category. The table is the only source the model is permitted to use. The prompt explicitly instructs the model to use only the data provided and to write "NOT IN SOURCE" rather than infer any driver or figure not present in the table.

Task definition: materiality thresholds and output format. The task specifies the dual materiality threshold (dollar and percentage), the required output format (line item, variance dollar and percentage, drafted explanation, driver classification, confidence level), and the DRIVER UNCLEAR instruction. The output format mirrors the table structure that a disclosure committee expects to review, reducing the time from automated output to disclosure committee-ready document.

Rules: the four prohibitions. Four prohibitions reduce the most common failure modes. No forward-looking statements. No projections. No superlatives (significant, strong, robust) without a specific supporting figure. No attribution of a change to a driver not present in the source bridge. Each prohibition corresponds to a specific Item 303 or SEC comment risk. The prohibition on unsupported superlatives addresses the comment pattern that the SEC staff has flagged consistently in earnings release and MD&A reviews. The prohibition on forward-looking language addresses safe-harbor liability. The attribution prohibition addresses the plausible hallucination risk.

Output requirement: confidence level per line item. The model assigns a confidence level (High, Medium, Low) to each driver classification based on how clearly the bridge supports the attribution. Low confidence items surface to the human reviewer for validation. This is the mechanism that routes human attention to the items most likely to require judgment, rather than requiring the reviewer to re-examine every line item equally.

What Does COSO's February 2026 Guidance Require for Automated MD&A Commentary?

COSO's February 23, 2026 publication on generative AI and internal control applies directly to any AI-assisted workflow that produces output affecting a material financial statement disclosure. MD&A flux commentary qualifies on both counts: it is AI-assisted, and it directly produces content that appears in the results of operations section of a certified 10-Q or 10-K.

Under COSO's tiering methodology, an AI use case is HIGH tier if its output can affect a material amount or disclosure. MD&A flux commentary is HIGH tier by definition. The minimum controls for a HIGH-tier use case are human sign-off on the output, validation of the output against source data, and full logging of the prompt, model version, inputs, output, reviewer identity, and date.

Three specific COSO requirements translate directly into the flux commentary workflow.

Treat AI output as an assertion requiring validation, not a reliable fact. The automated draft is not the commentary. It is a proposed draft that must be validated by a named human reviewer before it enters the filing. The review is not a skim. It is a line-by-line confirmation that every driver classification is accurate, every figure is sourced, and every DRIVER UNCLEAR item is resolved. The reviewer's name and sign-off date must be logged.

Maintain a reconstructable audit trail. The final prompt version, the model name and version, the bridge table submitted as input, the raw automated output before human editing, every reviewer edit with the reviewer's name and the basis for the change, and the final commentary must all be retained. This retention set is what makes the commentary auditable. When the external auditor asks how the results of operations section was produced, the answer is the retention set, not an oral explanation.

Document the AI use case in the entity's use-case inventory. The flux commentary automation workflow must appear in the entity's COSO-required AI use-case inventory, classified as HIGH tier, with the minimum controls documented and any gaps flagged. If the entity does not yet have a use-case inventory, the flux commentary automation deployment is the occasion to create one.

The FINRA 2026 Regulatory Oversight Report reinforces the retention requirement: prompt and output logs must be maintained, and model versions must be tracked. For a public company filing periodic reports with the SEC, this is not an additional burden. It is a documentation standard that aligns with the controls already in place for the close process.
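One way to hold the retention set described above so that a later change to any retained item is detectable, and so that the final commentary can be reproduced from the raw output plus the logged edits. This is an added example, not part of the COSO or FINRA material and not Finrep's code; hash-chaining the records, the field names and the sample artifacts are assumptions made here.

```python
import hashlib
import json

ARTIFACTS = ("prompt", "bridge_input", "raw_output", "final_commentary")

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def seal(body):
    """Hash a record's canonical JSON form (sorted keys, no whitespace)."""
    return sha256(json.dumps(body, sort_keys=True, separators=(",", ":")))

def make_record(prev_hash, artifacts, model, edits, reviewer, signoff_date):
    """One log entry per drafting run, linked to the previous entry's hash."""
    body = {f"{k}_sha256": sha256(artifacts[k]) for k in ARTIFACTS}
    body.update(prev_hash=prev_hash, model=model, edits=edits,
                reviewer=reviewer, signoff_date=signoff_date)
    return {**body, "record_hash": seal(body)}

def verify(records, retained):
    """Return (index, problem) pairs; an empty list means the trail reconstructs."""
    problems, prev = [], "0" * 64
    for i, (rec, art) in enumerate(zip(records, retained)):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if seal(body) != rec["record_hash"]:
            problems.append((i, "record altered"))
        if rec["prev_hash"] != prev:
            problems.append((i, "chain broken"))
        for k in ARTIFACTS:
            if sha256(art[k]) != rec[f"{k}_sha256"]:
                problems.append((i, f"{k} differs from logged digest"))
        # Replay the logged edits: raw output + edits must give the final text.
        text = art["raw_output"]
        for e in rec["edits"]:
            text = text.replace(e["before"], e["after"], 1)
        if text != art["final_commentary"]:
            problems.append((i, "final not reproducible from logged edits"))
        if not (rec["reviewer"] and rec["signoff_date"]):
            problems.append((i, "missing sign-off"))
        prev = rec["record_hash"]
    return problems

def sample_run():
    """Constructed artifacts for one quarter; every value here is illustrative."""
    art = {
        "prompt": "Role: FP&A analyst. Use only the data provided.",
        "bridge_input": "Revenue|6.8|volume 4.2|price 3.1|mix -0.5",
        "raw_output": "Revenue increased $6.8 million. Driver: DRIVER UNCLEAR.",
        "final_commentary": "Revenue increased $6.8 million. Driver: volume.",
    }
    edits = [{"reviewer": "J. Doe", "basis": "confirmed against revenue bridge",
              "before": "DRIVER UNCLEAR", "after": "volume"}]
    rec = make_record("0" * 64, art, "example-model v1", edits, "J. Doe", "2026-07-01")
    return [rec], [art]

if __name__ == "__main__":
    print(verify(*sample_run()))
```

The chain only detects edits if the most recent record_hash is also kept somewhere the log's administrators cannot rewrite.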

How Does This Interact With the External Audit?

PCAOB Auditing Standard AS 2301 requires external auditors to evaluate the reliability of technology-assisted processes when those processes affect financial reporting. When the Controller deploys an automated flux commentary workflow, the external auditor will ask the same three questions they ask about any technology-assisted accounting process: what was the automated procedure, what inputs were provided, and how did management validate the output.

The control wrapper designed for the COSO requirements simultaneously produces the documentation the external auditor needs. A workflow with a documented prompt, a retained bridge input, a logged reviewer sign-off for every DRIVER UNCLEAR resolution, and a retained copy of the final commentary before and after human review satisfies AS 2301's reliability inquiry for the MD&A automation workflow.

There is one additional consideration specific to MD&A. The SEC staff, when reviewing a 10-Q or 10-K, reviews the results of operations commentary against the earnings release and earnings call transcript. If the automated commentary uses different driver language or different attribution figures than what management said on the earnings call, the staff will ask about the inconsistency. The Stage 4 consistency check specifically addresses this: comparing the automated and reviewed commentary against the earnings materials before the 10-Q is filed is the control that prevents a comment letter generated by a mismatch between the automated output and the public communications that preceded the filing.

Frequently Asked Questions

What is MD&A flux commentary and why is automating it difficult?

MD&A flux commentary is the narrative explanation of material period-over-period changes in financial results required by Regulation S-K Item 303. Automating it is difficult because it requires three components with different automation profiles: the numerical change (fully automatable from structured data), the driver attribution (partially automatable if an internal management bridge exists), and the forward-looking trends statement (not automatable, requires management's actual knowledge of current conditions). Most automation attempts fail because they conflate all three components and produce output that either omits the driver attribution detail Item 303 requires or fabricates a forward-looking statement management did not authorise.

What is the DRIVER UNCLEAR instruction and why is it the most important element of the prompt?

The DRIVER UNCLEAR instruction tells the model to flag an attribution as unclear and request analyst input rather than fabricating a plausible-sounding driver classification not supported by the source bridge. It is the most important element because driver attribution is the specific failure mode where AI produces confident-sounding errors that are harder to catch than obvious mistakes. The DRIVER UNCLEAR flag routes human attention to the ambiguous items and ensures that every driver classification in the final commentary is either directly supported by the bridge or has been explicitly resolved by a named reviewer.

Can the automation produce the forward-looking trends paragraph?

No. The forward-looking trends obligation under Item 303(b)(2)(ii) requires disclosure of known trends and uncertainties that management believes are likely to have a material effect on future results. This requires management's actual current knowledge of business conditions. No prompt instruction makes a generative AI model capable of producing this disclosure reliably. The automation explicitly prohibits forward-looking language and the human reviewer adds the trends paragraphs as a required step after reviewing the automated draft.

What does COSO's February 2026 guidance require for automated MD&A commentary?

COSO classifies automated MD&A commentary as a HIGH-tier AI use case because its output directly affects a material financial statement disclosure. HIGH-tier requirements are: human sign-off on every output before it enters the filing, validation of the output against source data, and full logging of the prompt, model version, source inputs, raw output, reviewer identity, and date. The commentary is treated as a proposed draft, not a reliable fact, until a named human reviewer has confirmed every driver classification and resolved every DRIVER UNCLEAR flag.

How does the automated workflow interact with the external audit?

PCAOB AS 2301 requires external auditors to evaluate the reliability of technology-assisted processes affecting financial reporting. The external auditor will ask what the automated procedure was, what inputs were provided, and how management validated the output. A workflow with a documented prompt, retained bridge inputs, logged reviewer sign-offs, and a retained copy of the commentary before and after human review satisfies the AS 2301 reliability inquiry. An additional control specific to MD&A is the Stage 4 consistency check comparing the commentary against earnings release and call transcript language before filing, which prevents comment letters generated by mismatches between the automated output and prior public communications.

Key Takeaways

  • MD&A flux commentary has three components with different automation profiles: the numerical change is fully automatable, driver attribution is partially automatable if a structured management bridge exists, and the forward-looking trends statement is not automatable and must be human-authored.
  • The automation workflow has four stages: bridge preparation (data formatting), draft generation (automated with prompt discipline), human review (driver validation, DRIVER UNCLEAR resolution, trends addition), and consistency check (commentary versus financial statements and earnings materials).
  • The DRIVER UNCLEAR instruction is the most important element of the prompt. It prevents the model from fabricating driver attributions not supported by the bridge and routes human attention to the ambiguous items that require judgment.
  • COSO's February 2026 guidance classifies automated MD&A commentary as HIGH tier, requiring human sign-off on every output, validation against source data, and full logging of the prompt, model version, inputs, raw output, reviewer identity, and date.
  • The forward-looking prohibition in the prompt is not optional. Forward-looking language generated by the automation layer creates safe-harbor liability risk and produces disclosure that is not grounded in management's actual view of current conditions.
  • The Stage 4 consistency check comparing automated commentary against the earnings release and call transcript is the control that prevents SEC comment letters generated by mismatches between the automated results section and prior public communications.
