Something upfront first, Audit is not threatened by the invasion of Artificial Intelligence (AI), simply because audit is an act of intellect, practiced by people possessing intelligence. As a matter of fact, save for our existence, AI isn’t a threat!
I won’t however be using this space to write once again what has already been written many times over; how AI could change the way we work, how AI could threaten our skillset, or may even substitute us. Instead, I aim to use this space to discuss why we the auditors are still around and go some steps ahead to identify how best to harness the AI’s prowess and get on to my usual, External or Internal Auditing versus AI.
But let’s first identify and understand the types or forms of AI impacting the auditing profession.
The core subset of AI that continues to impact most professions in general and auditing too is the algorithm-based application of analytical AI: Machine Learning. It’s imperative to understand that Machine Learning (ML) sits under the overarching AI. ML doesn’t aim to mimic human intelligence as AI aims to do, instead it aims to assist while working autonomously.
COMPUTER AIDED/ASSISTED AUDIT TECHNQIUES
A precursor to ML deployment in auditing has been in use for decades now and it is attributable to the requirement for performing analytical procedures, especially with the adoption of accounting and management information systems.
Auditors and clients (who understand audit value) have always been eager to obtain assurance on testing as many transactions as humanly possible. Analytical procedures like reconciliations, predictive, variances, etc. helped identify patterns and relationships that in turn allowed for planning the volume and nature of other substantive procedures.
It was in this context that Computer Aided / Assisted Auditing Techniques (CAATs) were conceived and got much needed traction. CAATs comprise of Audit Software (applications for querying, sampling data and testing/analyzing controls), Test Data (dummy transactions-based testing of processing controls) and Integrated / Embedded Test Facilities (testing of live client data on a real time basis).
Thus, the automation offered by CAATs was wholeheartedly embraced by the auditing profession and led to the upskilling of the audit practitioners. Being equipped and capable of analyzing and testing large chunks of transactions / data was an enviable ability that meant good for business!
The use of CAATs was always a means to an end. It wasn’t an end since it automated the performance part of the audit, the part that was meant to be automated so that audit capabilities could be enhanced. And it’s important to understand, though it’s obvious, that the ideation and use of CAATs was brought about by external auditing.
CAATs helped the audit planners achieve engagement economies in terms of reduced time spent and decrease in number of resources deployed, but the resources that were axed were those that were not invested in audit planning, programs, reviews, change in audit approaches or strategizing, drawing inferences and reporting. The resources replaced were those who were given preset testing criteria and transactions to test! And in fact, the analytical procedures got a greater share of the audit effort due to the CAATs intervention.
MACHINE LEARNING
Machine Learning has stirred an evolution in CAATs. The CAATs as we knew have now morphed into a platform offering ideation, testing and perfection and that too on massive or more appropriately Big Data. The database / transactions of multiple types can now be queried in almost an endless combination of requirements, these could be tested against the verification objectives that also remain fluid as the auditor continues to go back to the drawing board to pick up a new set of rules to examine data while aiming for perfection when corroboration of findings is achieved.
And that’s still not it. Once inferences (like compliant, non-compliant, unusual, anomalous, etc.) are drawn on the verified data by the auditor, the ML based system could learn from those inferences and can be instantly put to work on multiple other data set(s) or transactions or programmed to work independently in real time as well, identifying compliances and non-compliances and anomalies as it has learnt based on its algorithm. In terms of its capabilities, data for ML means, the more the merrier!
The ML has thus encroached into another territory which was beyond the capabilities of CAATs; drawing inferences and being a catalyst for continually evolving auditing approach and strategizing. However, the inferences drawn by it are meant to be and should continue to be reviewed to gain assurance that the system is working as intended and the detection risk is managed.
That and the other audit areas that ML couldn’t penetrate is why we continue to be around and provide all sorts of values to the business in addition to our default nuisance value!!!
THE AI SNEAK PEEK
The AI however, while aiming for mimicking the human intellect promises further penetration through its shift towards generative AI; one that could generate content. This AI has the capabilities to plan specific audit engagements, create work programs, offer reviews and if coupled with ML capabilities might be able to offer a complete end to end solution.
So, this might mean that eventually we’re going to get replaced. However, in my opinion and with the limited hands-on experience I had with generative AI, it’s not going to be a replacement for auditors, simply because of the originality of human intellect which is not dependent on inputs (unlike AI) but can create these through unbridled imagination just like how it created and is developing AI!
AUDITING IN THE ERA OF AI
Let’s now delve into what audits and audit areas might be impacted by AI use, how that could happen including the best ways it could happen and those that remain relatively immune. Please note however that the areas listed below are all at the audit engagement level. The audit function planning like risk universe determination, audit universe alignment, audit charter, resources and budgeting are beyond the scope of AI and must remain as such for Audits to add value.
Areas | Could be replaced | Is Relatively Immune |
Audit Planning in terms of engagement objectives | In Assurance based engagements with standard objectives | In Advisory based engagements with continually dynamic objectives |
A relevant and all-encompassing Audit Program | In Assurance with preset procedures | In Advisory with continually evolving procedures |
Sample Selection | In Assurance & Advisory and for whole of population | |
Tests of Controls of core cycles through walkthroughs against criteria |
In Assurance with standard criteria In Advisory with once customized criteria |
|
Analytical Procedures; reconciliations, predictive, variances, etc. | In Assurance & In Advisory | |
Tests of Details; against Assertions Based criteria | In Assurance except for Existence (physical) testing for now | In Advisory with a fluid criteria |
Reviews of progress against the audit program and state of objectives accomplishment |
In Assurance since objectives and program remain static In Advisory if objectives and program remain static |
In Advisory since the objectives and program are continually evolving |
Tweaking the audit approaches and strategies | In Assurance & In Advisory | |
Drawing inferences | In Assurance since the criteria remains unchanged | In Advisory since criteria is under constant revision |
Concluding and Reporting (with or without opinions) | In Assurance where selection from amongst a standard set of opinions is required |
In Assurance where arrived opinion needs to be evaluated against other evidence that has not been or cannot be tested In Advisory where usually either no opinion applies, or there are several opinions to choose from |
Fraud Detection; analytically | In Assurance & In Advisory except for Physical (Asset) fraud | |
Risk Identification | In Assurance against standard objectives yielding generic risks | In Advisory against dynamic objectives yielding changing risk profile |
Risk Assessment | In Assurance & In Advisory | |
Risk Assessment Criteria & Heat Maps Formulation | In Assurance & In Advisory | |
Review of Risk Assessment to incorporate judgmental factors | In Assurance & In Advisory | |
Action Priorities Review against judgmental and budgetary factors | In Assurance & In Advisory | |
Action Recommendations | In Assurance against standard risks | In Assurance & In Advisory against business specific causation |
Review of Recommendations | In Assurance & In Advisory to ascertain if the action has other potential impacts or needs to be deferred or ignored / risk assumed |
As its all Assurance, External (financial statement) Audits are the best candidates for maximum (not complete) substitution by AI since its scope and objectives will remain fixated to the truthfulness and fairness of financial reporting. Advisory audit engagements scope is multifarious, and it might not be possible to substitute the audit effort therein owing to the diversity of their objectives, engagement scope, procedures, data sources and forms, sampling, inferences to be drawn and action advisory.
INTERNAL AUDIT TO CONTINUE ADDING VALUE
Since advisory is the major chunk of internal audit work and since internal audit demands original imagination, in my opinion there’s no contest between the AI and the internal auditors. What AI offers the internal auditors is an opportunity to upskill, which if not availed will surely render us irrelevant.
Internal audit must harness AI’s power for as low-key affair as a data review and analysis requirement and as strategic an objective as redefining the engagement objectives, but identifying which datasets to examine and deciding which objectives would add value have to come from the auditor’s mind. Boundless value that Internal Audit can add is when it is unbounded by any set of rules (algorithms) and mimicry of intellect (AI).
And what about the requirement for evaluating if AI or ML based systems are performing as intended or testing the algorithm? Indeed, the answer is Internal Auditor as the system analyst or the evaluator, even if it requires helping craft a new system or algorithm!