
Before the emergence of AI, auditors often spent hours on Google researching topics such as new regulatory frameworks and their implications for organisations or transactions under audit. Today, with the advancement of AI, accessing, analyzing, and synthesizing information on virtually any global topic can be accomplished in a matter of minutes – significantly enhancing efficiency and supporting auditors in exercising more informed, timely, and sound professional judgement.
This topic aims to explore how AI can be leveraged across various phases of the internal audit process. By automating routine tasks and streamlining analysis, it significantly reduces time spent on repetitive activities and minimizes monotony in certain areas of the audit function.
Importantly, AI is not a replacement for internal auditors; rather, it serves as a powerful tool that enhances their effectiveness.
Use of AI in the entity-level risk-based audit plan

The overall audit planning process begins with gaining a comprehensive understanding of the organization – its objectives, governance structure, key processes, inherent risks, and the mechanisms in place to manage those risks. Based on this understanding, the Chief Audit Executive (CAE) identifies the relevant audit units and develops the audit universe. Each audit unit is then evaluated for inherent and residual risk.
The auditor’s risk assessment involves evaluating the risk assessment performed by the entity’s management, supplemented by the auditor’s independent professional judgment. AI can help in this phase by identifying potential risks for the audit unit that management may have overlooked. By providing broader analytical insights, AI can enhance the robustness of the auditor’s judgment and support a more precise assessment of risk, including its likelihood and potential impact within the process under review.
Use of AI at engagement level
Preliminary survey: The internal auditor performs a preliminary survey to gain familiarity with the audit unit’s processes, risks, and controls, with the objective of identifying key areas of emphasis. As part of this survey, AI can be particularly useful in developing analytical tools to support analytical procedures. It can also assist in generating a comprehensive set of audit questionnaires, enabling the auditor to select the most relevant questions while minimizing the risk of overlooking critical areas of inquiry.

Risk identification and risk assessment: AI can provide a comprehensive list of potential risks associated with a process at the engagement level. It can also support the analysis of the impact and likelihood of each risk, thereby streamlining the overall risk assessment process. As a result, the risk ranking (High, Medium, or Low) process becomes more structured, efficient, and less time-consuming. AI can also assist in generating a list of expected controls corresponding to each identified risk. This enables internal auditors to more effectively identify control gaps and report them with greater accuracy and efficiency.
Substantive audit procedure: Substantive audit procedures are performed to evaluate Internal Control over Financial Reporting (ICFR), to support the statutory review of financial statements, and in the context of SOX audits. These procedures are designed to detect material misstatements at the relevant assertion level of the financial statements. They generally include tests of details and substantive analytical procedures.
AI can add significant value to both components of substantive audit procedure.
In relation to tests of details, AI bots can be developed to evaluate recurring transactions against predefined audit criteria. For example, in the case of recurring payments, the bot can verify whether approvals were obtained from designated authorities, confirm proper segregation of duties in the payment process, check compliance with prescribed monetary thresholds, and identify any deviations from established policies. This enhances coverage and reduces the risk of oversight.
For substantive analytical procedures, AI-driven tools can be designed to analyse relationships and variations between financial and non-financial data more effectively. These tools can perform trend analysis, ratio analysis, and multiple regression analysis to identify unusual fluctuations, inconsistencies, or patterns that may indicate potential misstatements. By strengthening analytical capabilities, AI supports a more robust and data-driven audit approach while allowing auditors to focus on interpretation and professional judgment.
Audit fieldwork & control testing: An AI-enabled audit bot can significantly enhance the efficiency, depth, and reliability of internal audit procedures, particularly in data-driven engagements.
Data validation – In internal audits, the reliability of conclusions depends heavily on the integrity of underlying data. An AI bot can be configured to:
- Identify duplicate, incomplete, or inconsistent records
- Detect anomalies or outliers in large datasets
- Reconcile data across multiple systems (e.g., ERP, sub-ledgers, third-party platforms)
- Flag unusual patterns in dates, amounts, vendor codes, or approval hierarchies
By automating data validation at scale, the auditor can gain greater assurance over data completeness and accuracy before commencing detailed testing.
Sample selection – Traditional sampling techniques often rely on random or judgmental selection. AI can enhance this process by:
- Applying risk-based sampling models
- Prioritizing high-value, high-risk, or unusual transactions
- Incorporating historical audit findings into sample selection logic
- Adjusting sampling dynamically based on emerging patterns
This ensures that audit effort is directed toward transactions with a higher probability of control failure or misstatement, thereby improving audit effectiveness.
100% population testing – One of the most transformative applications of AI in internal audit is the ability to move beyond sampling and test entire populations of transactions. For recurring processes such as procure-to-pay, order-to-cash, payroll, or expense reimbursements, AI can:
- Verify compliance with predefined control rules across all transactions
- Identify exceptions to authorization limits or segregation of duties
- Detect duplicate payments, pricing deviations, or policy breaches
- Highlight transactions processed outside standard workflows
This approach enhances coverage, reduces detection risk, and provides stronger assurance compared to limited sample-based testing.
Automated control testing for recurring transactions – For repetitive and rule-based controls, AI bots can be programmed to perform continuous or periodic testing by:
- Checking whether approvals were obtained as per delegated authority
- Validating three-way matching (PO, GRN, invoice) in procurement cycles
- Ensuring payroll changes were properly authorized
- Confirming system-enforced controls were not overridden
Over time, this can evolve into continuous auditing or continuous monitoring, where control effectiveness is assessed in near real time rather than retrospectively.
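The rule checks described above for tests of details, 100% population testing, and automated control testing can be sketched as a small rule engine run over every payment. This is an added example, not part of the original article; the field names, the delegation-of-authority limits, and the payment records are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed delegation-of-authority matrix: approver role -> maximum amount.
APPROVAL_LIMITS = {"manager": Decimal("10000"), "director": Decimal("100000"),
                   "cfo": Decimal("1000000")}

# Constructed payment population (hypothetical field names).
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "invoice": "INV-1", "amount": "4500.00",
     "created_by": "alice", "approved_by": "bob", "approver_role": "manager"},
    {"id": "P2", "vendor": "V100", "invoice": "INV-2", "amount": "25000.00",
     "created_by": "alice", "approved_by": "bob", "approver_role": "manager"},
    {"id": "P3", "vendor": "V200", "invoice": "INV-9", "amount": "800.00",
     "created_by": "carol", "approved_by": "carol", "approver_role": "director"},
    {"id": "P4", "vendor": "V300", "invoice": "INV-7", "amount": "1200.00",
     "created_by": "dave", "approved_by": None, "approver_role": None},
    {"id": "P5", "vendor": "V100", "invoice": "inv-1 ", "amount": "4500.00",
     "created_by": "erin", "approved_by": "bob", "approver_role": "manager"},
]

def check_population(payments, limits=APPROVAL_LIMITS):
    """Run every control rule over every payment; return {payment id: [exceptions]}."""
    exceptions = defaultdict(list)
    seen = {}  # normalised (vendor, invoice, amount) -> first payment id
    for p in payments:
        amount = Decimal(p["amount"])
        if not p["approved_by"]:
            exceptions[p["id"]].append("NO_APPROVAL")
        else:
            if p["approved_by"] == p["created_by"]:
                exceptions[p["id"]].append("SOD_SELF_APPROVAL")
            # Unknown roles get a zero limit so they fail closed.
            if amount > limits.get(p["approver_role"], Decimal("0")):
                exceptions[p["id"]].append("OVER_APPROVER_LIMIT")
        # Normalise the invoice number so case/whitespace variants still match.
        key = (p["vendor"], p["invoice"].strip().upper(), amount)
        if key in seen:
            exceptions[p["id"]].append(f"DUPLICATE_OF_{seen[key]}")
        else:
            seen[key] = p["id"]
    return dict(exceptions)

if __name__ == "__main__":
    for pid, found in check_population(PAYMENTS).items():
        print(pid, ", ".join(found))
```

Each exception code maps back to one control, so the output can be filed as audit evidence and reviewed by the auditor before any finding is raised.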
Use of AI in reporting and communication phase: The effectiveness of an internal audit ultimately depends on how clearly and accurately its findings are communicated to management and the Audit Committee. In this phase, AI can enhance the quality, consistency, and efficiency of audit reporting while reducing drafting time and improving clarity. AI can assist in:
- Drafting structured audit observations
- Providing root cause analysis support
- Performing risk rating consistency checks
- Benchmarking observations with prior audits
- Improving clarity and tone of audit reports
- Generating executive summaries for the Audit Committee
Fraud detection & forensic analytics
Fraud risk remains a critical area of focus for internal audit, particularly in complex and high-volume transactional environments. AI-driven analytics can significantly enhance the auditor’s ability to detect unusual patterns, behavioral anomalies, and potential red flags that may indicate fraudulent activity. AI can assist in:
- Pattern recognition for fraud schemes
- Benford’s Law analysis
- Vendor collusion indicators
- Conflict of interest detection
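A first-digit Benford's Law test of the kind listed above, as an added example that is not part of the original article. The two populations are constructed, and the 0.05 tolerance and the 10,000 approval limit are illustrative assumptions, not audit standards.

```python
import math
from collections import Counter

# Benford's Law: expected share of leading digit d is log10(1 + 1/d).
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

def leading_digit(amount):
    """First significant digit of an amount, or None for zero/blank values."""
    digits = str(amount).lstrip("-0.")
    return int(digits[0]) if digits and digits[0].isdigit() else None

def observed_shares(amounts):
    """Observed share of each leading digit 1-9 across the whole population."""
    counts = Counter(d for d in map(leading_digit, amounts) if d)
    total = sum(counts.values())
    if not total:
        raise ValueError("no non-zero amounts to analyse")
    return {d: counts[d] / total for d in range(1, 10)}

def benford_mad(amounts):
    """Mean absolute deviation between observed and expected digit shares."""
    obs = observed_shares(amounts)
    return sum(abs(obs[d] - EXPECTED[d]) for d in EXPECTED) / 9

def overrepresented_digits(amounts, tolerance=0.05):
    """Digits whose observed share exceeds Benford's by more than `tolerance`."""
    obs = observed_shares(amounts)
    return [d for d in EXPECTED if obs[d] - EXPECTED[d] > tolerance]

# Constructed data: a geometric series stands in for a naturally occurring
# payment population; 40 payments just under a hypothetical 10,000 approval
# limit are then added to simulate threshold avoidance.
NATURAL = [2 ** n for n in range(100)]
PADDED = NATURAL + [9900 + i for i in range(40)]

if __name__ == "__main__":
    for name, pop in (("natural", NATURAL), ("padded", PADDED)):
        print(name, round(benford_mad(pop), 4), overrepresented_digits(pop))
```

A high deviation is a reason to pull the flagged transactions for review, not evidence of fraud in itself; populations with built-in minimums, maximums, or fixed prices deviate from Benford's Law for legitimate reasons.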
Governance & Limitations of AI
While AI offers significant benefits to the internal audit function, its use must be guided by strong governance and professional skepticism. Appropriate safeguards, human oversight, and regulatory compliance are essential to ensure that AI-driven insights remain reliable, ethical, and defensible. The major limitations of AI are:
- Data privacy and confidentiality risks
- Model bias
- Over-reliance risk
- Need for human validation
- Audit documentation requirements
- Regulatory concerns
Responsible use of AI
AI does not replace professional judgment. Instead, it enhances the auditor’s ability to analyse large volumes of data, improves audit coverage, reduces manual effort, and allows auditors to focus more on interpreting results, assessing root causes, and providing strategic insights to management and the Audit Committee.
AI outputs must be subject to appropriate human validation, documentation standards, and data governance controls. Internal auditors remain responsible for conclusions drawn, ensuring that AI-driven insights are reliable, unbiased, and aligned with regulatory and ethical requirements.
