AI in Audit

How to Use AI in Audit Without Failing Your Next QAR

AI is now embedded in most internal audit functions. The next IIA Quality Assurance Review will ask harder questions about how it was used. Here's the conform-or-explain framework that keeps you defensible.

11 min read
By Audvera Team

AI is now embedded in most internal audit functions in some form — drafting risk assessments, suggesting test procedures, summarizing evidence, generating finding narratives. The 2024 IIA Global Internal Audit Standards do not prohibit this, but they do impose documentation and methodology expectations. Your next Quality Assurance Review (QAR) — internal or external — will ask harder questions about AI than the last one did.

This is a practical framework for using AI in audit work in a way that's defensible to the QAR, the audit committee, the external auditor, and, if it ever comes up, a regulator.

The Compliance Question, Reframed

The wrong question is "is AI allowed?" The right questions are:

  1. Is AI involvement documented?
  2. Does human professional judgment govern conclusions?
  3. Does the audit trail let me prove both?

If you can answer yes to all three, AI use is consistent with IIA Standards. If you can't, AI use creates regulatory and reputational risk regardless of the productivity benefit.

The Five Categories of AI Use in Audit

Not all AI use carries the same risk. A useful frame is to categorize AI involvement by what it affects.

Category / Examples / Documentation level / Reviewer effort

  1. Mechanical assist
     Examples: Typo correction, format reformatting, summary of long documents into bullets
     Documentation level: Low — internal note sufficient
     Reviewer effort: Standard review
  2. Drafting
     Examples: Drafted risk descriptions, drafted procedures, drafted finding narratives
     Documentation level: Medium — flag AI involvement in workpaper
     Reviewer effort: Verify accuracy and evidence support
  3. Analysis assist
     Examples: Sample selection, anomaly highlighting, pattern detection in transaction data
     Documentation level: Medium-high — document methodology and AI output
     Reviewer effort: Verify methodology; review sample of AI conclusions
  4. Judgment-influencing
     Examples: Suggested risk rankings, suggested deficiency severities, suggested control gaps
     Documentation level: High — document AI involvement, explicit human review, rationale
     Reviewer effort: Independent judgment required; AI output is input only
  5. Conclusion
     Examples: AI-generated final conclusions, AI auto-approval of work
     Documentation level: Prohibited in most contexts
     Reviewer effort: Cannot delegate professional judgment to AI

The most common QAR finding will be category 3 or 4 work treated like category 1 work: invisible AI involvement in workpapers, no documented human review, no methodology trace.

The Conform-or-Explain Documentation Model

The IIA's 2024 Standards use a conform-or-explain framework: you can deviate from the recommended approach if you document why. Apply the same framework to AI use.

For each significant AI use case in your function, document:

  1. What the AI does — specifically, in your workflow
  2. Why it's used — efficiency, quality, coverage expansion
  3. Who reviewed the AI output — preparer / reviewer chain
  4. How the review was documented — workpaper field, event log entry, signoff record
  5. Where AI was not used and why — exclusions are as informative as inclusions

This is the document you produce when the QAR asks "how do you use AI?" The wrong answer is "we don't, much" if your team is using ChatGPT to draft risk descriptions. The right answer is the documented framework.

The Preparer / Reviewer Discipline

The most important operational control on AI use in audit is the same one professional standards already require for human work: preparer / reviewer signoff with no-self-review enforcement.

We wrote about this in our preparer/reviewer in the AI era piece, but the short version is:

  • AI cannot serve as both preparer and reviewer. The AI's role is "drafter"; a human preparer takes responsibility for accepting the draft.
  • The human who ran the AI cannot also be the reviewer of the AI-drafted content. No-self-review applies.
  • The workpaper must show the AI involvement explicitly. A "this draft was AI-assisted" flag is sufficient; concealing AI involvement is the failure mode.
  • The reviewer's signoff acknowledges they reviewed the AI-drafted content against evidence, not just the human-edited version.

If your current platform lets a single auditor run AI, accept its output, and mark the work complete without a separate reviewer signoff, the QAR will find this. The fix is operational — system-enforced separation — not a memo telling people to behave differently.
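The system-enforced separation described above, as an added illustration (not Audvera's code or any real platform's API): an append-only event log records the AI drafter and the human who ran it, a human preparer must accept the draft, and the reviewer signoff is refused for the AI and for anyone who ran the AI or prepared the work. The actor id `ai:drafter` and the action names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

AI_ACTOR = "ai:drafter"  # assumed id for the AI drafting service (illustrative, not a real platform id)

@dataclass(frozen=True)
class Event:
    when: str    # UTC timestamp
    actor: str   # human user id or AI_ACTOR
    action: str  # "ai_draft", "ai_run", "accept" or "review"

@dataclass
class Workpaper:
    ref: str
    events: list = field(default_factory=list)  # append-only trail; this is the exportable AI involvement chain

    def _log(self, actor: str, action: str) -> None:
        self.events.append(Event(datetime.now(timezone.utc).isoformat(), actor, action))

    def ai_draft(self, run_by: str) -> None:
        # Record the AI as drafter AND the human who ran it, so both stay visible.
        self._log(AI_ACTOR, "ai_draft")
        self._log(run_by, "ai_run")

    def accept(self, preparer: str) -> None:
        # A human preparer takes responsibility for the draft; the AI never can.
        if preparer == AI_ACTOR:
            raise PermissionError("AI output must be accepted by a human preparer")
        self._log(preparer, "accept")

    def review(self, reviewer: str) -> None:
        # Signoff is refused for the AI and for anyone who ran the AI or prepared the work.
        if reviewer == AI_ACTOR:
            raise PermissionError("AI cannot review its own output")
        conflicted = {e.actor for e in self.events if e.action in ("ai_run", "accept")}
        if reviewer in conflicted:
            raise PermissionError(f"{reviewer} prepared or ran AI on {self.ref}: no self-review")
        self._log(reviewer, "review")

    def ai_assisted(self) -> bool:
        # The flag the workpaper must show: was any content AI-drafted?
        return any(e.action == "ai_draft" for e in self.events)

    def is_complete(self) -> bool:
        # Complete only with a human acceptance and a review by someone other than the acceptor.
        accepted = {e.actor for e in self.events if e.action == "accept"}
        reviewed = {e.actor for e in self.events if e.action == "review"}
        return bool(accepted) and bool(reviewed - accepted)
```

With this model a single auditor who runs the AI and accepts its output cannot mark the workpaper complete; a second human must sign off, and the log shows who ran AI when.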

What AI Should Not Do

There are categories of work where AI assistance creates more risk than value, even with review:

  1. Final deficiency classification (control deficiency vs. significant deficiency vs. material weakness). This requires CAE-level judgment grounded in firm-specific materiality.
  2. Final risk ranking decisions for the audit plan. The methodology and inputs can be AI-assisted; the ranking decision cannot.
  3. Independence judgments. Whether a relationship impairs independence is judgment, not pattern matching.
  4. Confidential interview content. AI summarization of interview notes is fine; AI replaying interview content to people outside the audit team is not.
  5. Conclusions on overall ICFR effectiveness. The CAE's signed opinion is not AI-delegable.

Document these exclusions. They demonstrate to the QAR that the function understands where AI's appropriate role ends.

The Audit Committee Conversation

Audit committees will ask about AI use in 2026 if they haven't already. The conversation goes better when the CAE walks in with answers, not when the committee surfaces concerns and the CAE has to scramble.

Prepare to address:

  • What AI tools the audit function uses — names, vendors, integration model
  • What data the AI sees — and what controls protect confidentiality
  • What decisions remain human — explicit, documented exclusions
  • What evidence exists that AI hasn't introduced errors — sample-based review outcomes, sub-sampling of AI output
  • How the audit function is keeping pace with AI in the rest of the company — auditing AI use elsewhere requires understanding it inside

The committee's underlying question is "can I defend this in a board meeting if someone challenges the audit function's modernization?" Give them the language to answer yes.

The External Auditor Coordination

For SOX-relevant work especially, the external auditor will ask about AI use. Their concern is whether they can rely on management's testing as evidence of ICFR effectiveness. AI involvement complicates this if it's invisible or unreviewed.

The conversation goes best when you can show:

  1. AI-drafted content is identifiable in workpapers
  2. Human review is documented per workpaper
  3. Sample-based verification confirms AI drafts match underlying evidence
  4. The audit committee has been informed and approved the approach

Most reputable external auditors accept AI assistance under these conditions. Some still push back; the right response is the documented framework, not a softer policy.

A Practical AI Use Policy Template

A working AI use policy for an internal audit function should be no longer than two pages and should cover:

1. Scope — Which AI tools are approved (platform-embedded, general-purpose, prohibited).

2. Permitted uses — Drafting, summarization, analysis assist, evidence review per the five categories above.

3. Prohibited uses — Final classifications, confidential data outside approved platforms, conclusions without human review.

4. Documentation requirements — AI involvement flagged in workpapers; reviewer signoff includes verification; event log captures who ran AI when.

5. Data handling — What data sensitivity levels can be processed by which tools.

6. Review and update cadence — When the policy is refreshed (annually plus on significant tool changes).

7. Training expectations — Required training for all auditors before AI tool use.

8. Audit committee disclosure — Annual report to the committee on AI use.

This document is the answer to "do you have a policy?" — a question the QAR will ask.

A 90-Day Implementation Plan

For functions that have AI use happening but no formal framework:

  • Weeks 1-2: Inventory current AI use across the function. What tools, what tasks, who's using them.
  • Weeks 3-4: Draft the AI use policy. Get CAE approval.
  • Weeks 5-6: Update workpaper templates to support AI involvement flagging. Update review checklists to include AI verification steps.
  • Weeks 7-8: Train the team on the policy. Run one engagement end-to-end under the new framework.
  • Weeks 9-10: Refine based on what broke. Update the policy if needed.
  • Weeks 11-12: Brief the audit committee. Document the briefing.

A function that does this in 90 days is in materially better shape for QAR than one that waits for the QAR to discover the gap.

How Audvera Supports This

Audvera was designed with AI defensibility as a first-class concept. Every AI-drafted block is flagged in the workpaper. Preparer/reviewer signoff is system-enforced with no-self-review. The immutable engagement event log captures who ran AI when, who accepted, who reviewed. The AI involvement chain is queryable and exportable.

If you want to see what AI-with-defensibility looks like end-to-end in an audit workflow, start with the free risk assessment — the engagement skeleton Audvera drafts will show you the full preparer-reviewer trail from the first procedure.

Frequently Asked Questions

Does the IIA prohibit AI use in internal audit?

No. The IIA's Global Internal Audit Standards (2024) and the related Topical Requirements do not prohibit AI use. They require that the audit function maintain professional judgment, document methodology, and demonstrate that work product meets quality and evidential standards regardless of the tools used. AI use must be consistent with the standards, but it is not banned.

What will a QAR look for about AI use?

A 2026-era QAR will examine: (1) whether the function has a documented AI use policy, (2) whether AI involvement in workpapers is identifiable, (3) whether reviewers documented their review of AI-drafted content, (4) whether AI was used in judgment-loaded decisions (deficiency classification, risk ranking) and if so, what human review existed, (5) whether the audit committee was informed about AI use, and (6) whether evidence and conclusions trace back through the audit trail.

Do I need an AI use policy for internal audit?

Strongly recommended. The IIA's expectation under the 2024 Global Standards (specifically the conformance and documentation requirements) is that significant methodology choices be documented. AI use crosses that threshold for most functions. A typical AI use policy covers: permitted use cases, prohibited use cases, disclosure requirements in workpapers, reviewer responsibilities, data handling for AI prompts, and external auditor coordination.

What counts as 'AI use' that needs documentation?

Any AI-generated content that influences audit conclusions — drafted procedures, drafted risk assessments, drafted findings, automated evidence reviews, draft narratives — counts. Using AI to summarize a meeting note or correct typos generally does not. The threshold is whether the AI's output materially shapes work product or conclusions. When in doubt, document; the cost is low and the defensibility is high.

How should AI-drafted findings be reviewed?

AI-drafted findings should go through normal preparer/reviewer signoff with one addition: the workpaper should make AI involvement visible (a flag, a chip, an explicit note), and the reviewer's review should explicitly include verification that the AI-drafted content is accurate, supported by evidence, and free of fabricated facts. No-self-review enforcement applies — the AI cannot 'review' its own output, and the human who ran the AI cannot also be the reviewer.

What about confidentiality when using AI?

Standard practice: never paste raw client data, employee data, regulated data (PII, PHI, financial account numbers), or vendor-proprietary information into general-purpose AI tools. Use AI features embedded in your audit management platform where the data handling is contractually bound, or local/private AI deployments. Your AI use policy should specify which tools are approved for which data sensitivity levels.

What if the external auditor asks how we used AI?

Increasingly common in 2026, especially for SOX-relevant work. Have ready: your AI use policy, examples of how AI involvement is documented in workpapers, evidence of human review of AI-drafted content, and your data handling controls. External auditors generally accept AI assistance when it's documented, reviewed, and bounded; they reject AI use that's invisible in the workpapers or unreviewed.

