Upholding professional standards
The integration of artificial intelligence into the audit process brings unprecedented capabilities, but also commensurate professional responsibilities. Using these tools does not suspend professional standards; it amplifies their importance. This section provides a framework for using AI responsibly, ethically, and defensibly.
Professional skepticism in the age of AI
An LLM's output is not audit evidence; it is a hypothesis to be tested. Models can generate "hallucinations" (plausible but factually incorrect information) and make logical errors. Your duty is to maintain professional skepticism by corroborating every material AI output with independent evidence. The prompt itself becomes an audit procedure that must be designed to challenge assumptions, not merely confirm them.
Compare these approaches to reviewing board minutes:
❌ POOR - Leading prompt that compromises skepticism:
Summarize the attached meeting minutes to confirm the board approved the new compensation plan.
✅ BETTER - Skeptical, objective prompt:
Analyze the attached meeting minutes from August 2, 2025. Identify all agenda items discussed, the decisions made for each, and list the voting members present. Extract any specific discussions or dissenting opinions related to the new compensation plan.
✅ BEST - Multi-step verification approach:
Step 1: Extract all compensation-related discussions from the August 2, 2025 board minutes, including exact quotes and page references.
Step 2: Create a table showing:
- Each compensation topic discussed
- Who raised it
- Arguments for and against
- Final vote count (for/against/abstain)
- Any conditions or contingencies mentioned
Step 3: Identify any references to external documents, legal opinions, or prior discussions that would require additional review.
Step 4: Flag any ambiguous language or unresolved items for follow-up.
Confidentiality and data security
This is a bright-line ethical requirement with zero tolerance for compromise. The risk matrix below clarifies acceptable and unacceptable practices:
Practice | Risk Level | Acceptability | Alternative Approach |
---|---|---|---|
Pasting client financials into ChatGPT | 🔴 Critical | Never Acceptable | Use enterprise AI with BAA/DPA |
Using client names in public AI tools | 🔴 Critical | Never Acceptable | Anonymize all data first |
Testing prompts with sanitized data | 🟡 Medium | Acceptable with caution | Ensure complete sanitization |
Using AI for methodology questions | 🟢 Low | Generally Acceptable | No client data involved |
Before using any data with AI tools, verify:
- All company names replaced with generic identifiers (Company A, Client X)
- All personal names removed or replaced
- Specific dates shifted or generalized (Q2 2024 instead of June 15, 2024)
- Dollar amounts rounded or scaled (e.g., multiply all by a constant)
- Account numbers, IDs, and codes randomized
- Industry-specific details generalized
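One way to apply the checklist above to structured rows before they reach any AI tool, as an added example that is not part of the original page. The `Sanitizer` class, the field names, and the sample rows are assumptions constructed for illustration; generalizing industry-specific details is left to manual review.

```python
import datetime, json, re, secrets, string
# Constructed sample rows (not real client data).
SAMPLE_ROWS = [
    {"client": "Example Widgets LLC", "preparer": "Dana Okafor", "date": "2024-06-15", "amount": 23400.00,
     "account": "4400123456", "memo": "Wire to Example Widgets LLC approved by Dana Okafor"},
    {"client": "Example Widgets LLC", "preparer": "Luis Ferrand", "date": "2024-11-02",
     "amount": 1250.50, "account": "4400987654", "memo": "Reclass from acct 4400123456"},
]
# Specifics that must not survive in free text: dollar figures and exact dates.
RESIDUAL = re.compile(r"\$\s?\d[\d,.]*|\b\d{4}-\d{2}-\d{2}\b|\b(?:Jan|Feb|Mar|Apr|May|Jun|"
                      r"Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}, \d{4}")

class Sanitizer:
    def __init__(self, scale):
        self.scale = scale  # secret constant; kept in the workpapers, never in a prompt
        self.maps = {"company": {}, "person": {}, "account": {}}  # original -> alias

    def _alias(self, kind, value):
        m = self.maps[kind]
        if value not in m:
            n, alias = len(m), value
            while kind == "account" and (alias == value or alias in m.values()):
                alias = "".join(secrets.choice(string.digits) for _ in value)  # random, same length
            if kind == "company":
                alias = "Company " + string.ascii_uppercase[n % 26] + str(n // 26 or "")
            elif kind == "person":
                alias = f"Person {n + 1}"
            m[value] = alias
        return m[value]

    def run(self, rows):
        out = []
        for r in rows:  # pass 1: structured fields
            d = datetime.date.fromisoformat(r["date"])
            out.append({"client": self._alias("company", r["client"]),
                        "preparer": self._alias("person", r["preparer"]),
                        "account": self._alias("account", r["account"]), "memo": r["memo"],
                        "period": f"Q{(d.month - 1) // 3 + 1} {d.year}",
                        "amount": round(r["amount"] * self.scale, 2)})
        pairs = sorted((p for m in self.maps.values() for p in m.items()), key=lambda p: -len(p[0]))
        for o in out:  # pass 2: free text, once every identifier is known
            for original, alias in pairs:
                o["memo"] = re.sub(re.escape(original), alias, o["memo"], flags=re.IGNORECASE)
        return out

    def leaks(self, sanitized):  # anything that still looks client-specific
        blob = json.dumps(sanitized).lower()
        known = [o for m in self.maps.values() for o in m if o.lower() in blob]
        return known + RESIDUAL.findall(" ".join(r.get("memo", "") for r in sanitized))
```

A single scale constant preserves ratios, so one known true amount reveals it; the constant and the alias maps belong in the workpapers only. An empty result from `leaks()` covers the identifiers the sanitizer has seen plus dollar and date patterns, not names that appear only in free text.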
Objectivity and mitigating AI bias
All LLMs inherit biases from their training data. Your professional judgment must critically evaluate AI outputs to identify whether the AI is detecting true anomalies or reflecting irrelevant statistical patterns. Here's how to design prompts that minimize bias:
Bias-prone prompt:
Review these expenses and identify any that seem unusual for a tech startup.
Bias-mitigating prompt:
Analyze the attached expense data using these objective criteria:
1. Expenses exceeding $10,000 without approval documentation
2. Transactions occurring outside business hours (11pm-6am local time)
3. Vendors appearing only once in the dataset
4. Expenses coded to accounts different from historical patterns
5. Round dollar amounts over $1,000
For each identified item, provide:
- The specific criterion met
- The data supporting the identification
- Any additional context from the transaction description
Do not make assumptions about what is "normal" for any industry. Base your analysis solely on the objective criteria provided.
Documentation and the defensible audit trail
When AI assists in audit procedures, documentation must be comprehensive enough for an experienced reviewer to understand and replicate the work. Here's a practical template:
AI-Assisted Procedure Documentation Template
Section A: Audit Objective
Procedure ID: INV-2025-03
Objective: Test inventory obsolescence reserve calculation
Assertion tested: Valuation and allocation
Section B: AI Tool Details
Model: GPT-4 Enterprise
Version: 0613
Query date: March 15, 2025
Session ID: [Include for traceability]
Section C: Input Data
Source: Inventory aging report (INV_AGE_20250315.xlsx)
Records analyzed: 4,847 SKUs
Data validation performed: Reconciled to GL balance of $23.4M
Section D: Prompt Used
[Exact prompt with all parameters and instructions]
Section E: AI Output
Summary: Model identified 127 SKUs with indicators of obsolescence
Key findings: [List specific items and rationale]
Full output saved: WP_REF_2025_03_15_AI_Output.json
Section F: Validation Procedures
1. Traced 25 highest-value identified items to physical inventory counts
2. Compared AI recommendations to prior year write-offs (87% correlation)
3. Reviewed recent sales data for all flagged items
4. Consulted with warehouse manager on slow-moving items
Section G: Conclusion
AI analysis provided a valid starting point. After validation, adjusted 43 items.
Final proposed adjustment: $1.2M increase to obsolescence reserve
Reviewer sign-off: John Doe, August 7, 2025
As of 2025, regulatory bodies are developing AI-specific audit guidance. Stay current with:
- PCAOB: Monitoring AI use in audits of public companies
- AICPA: Developing standards for AI documentation and testing
- IIA: Issued guidance on AI governance in internal audit
- SEC: Focusing on AI-related risk disclosures
Document your AI governance framework, including model selection criteria, testing protocols, and human oversight mechanisms. This proactive approach demonstrates due professional care.
Quality control in AI-assisted audits
Implement a three-lines-of-defense model for AI use in audits:
- First line (Audit team): Direct validation of all AI outputs, maintaining skepticism
- Second line (Review/QC): Independent testing of AI-assisted procedures, prompt review
- Third line (Firm level): Periodic assessment of AI tool effectiveness, bias testing, and policy compliance
Example QC Checklist for AI-Assisted Procedures:
☐ Is the AI tool approved by the firm's technology committee?
☐ Was client data properly protected throughout the process?
☐ Does the prompt avoid leading questions or confirmation bias?
☐ Were AI outputs independently validated with evidence?
☐ Is the validation sample size statistically appropriate?
☐ Are limitations of AI analysis clearly documented?
☐ Would another auditor reach the same conclusion from the documentation?
☐ Has the reviewer tested the prompt with different inputs?
☐ Are any AI-identified risks properly elevated in the audit plan?
Remember: AI augments human judgment; it does not replace it. The auditor remains fully responsible for:
- Determining the sufficiency and appropriateness of audit evidence
- Exercising professional skepticism
- Reaching audit conclusions
- Maintaining independence and objectivity
AI outputs are inputs to your professional judgment, not substitutes for it. When in doubt, err on the side of additional validation and conservative conclusions.