Every audit technology vendor in 2026 says they're "AI-powered." It's in the tagline, the demo deck, and the RFP response. But when you press on what the AI actually does — what it produces, how it works, and what guardrails exist — the answers get vague fast.
That's a problem for a profession built on evidence, verification, and documented reasoning.
This isn't a takedown of AI in audit. AI is genuinely useful for specific audit tasks today, and it's getting more capable. But the gap between vendor marketing and operational reality is wide enough that audit teams making purchasing decisions — or deciding how to use AI in their own work — deserve an honest guide to what's working, what's not, and what questions to ask.
What AI Can Actually Do in Audit Today
Let's start with what's real. These are capabilities that exist in production systems today, not research prototypes or future roadmap items.
Draft Risk Assessments
AI can analyze engagement inputs — entity type, industry, applicable standards, recent events, prior findings — and produce an initial risk assessment. This works because risk identification for common audit areas (IT general controls, revenue recognition, procurement, payroll) is well-documented in professional literature. The AI isn't inventing risks; it's synthesizing from a large base of standards and guidance to produce a starting point.
What it looks like in practice: You enter scope information for a revenue cycle audit at a mid-market SaaS company. The AI drafts a risk assessment identifying areas like revenue recognition timing under ASC 606, contract modification accounting, commission calculations, and deferred revenue management — each with a rationale referencing relevant standards.
Where it's strong: Common audit areas, well-regulated industries, engagements with clear standards applicability.
Where it struggles: Novel risks, company-specific operational issues, anything requiring institutional knowledge the AI doesn't have. A risk assessment for "the company's new cryptocurrency custody operations" will be more generic than one for accounts payable.
Suggest Audit Procedures and Test Steps
Given a risk assessment and scope, AI can generate specific audit procedures — the test steps, data requests, interview questions, and sampling approaches that form an audit program. This is the natural extension of risk assessment: if you know the risks, you can map them to testing approaches based on professional standards and methodology.
What it looks like in practice: For each identified risk, the AI suggests 3-5 test procedures with specific data requests, expected evidence types, and applicable criteria. The auditor reviews, adjusts scope and detail, and approves the program.
Where it's strong: Generating comprehensive initial programs that cover standard testing approaches. Auditors often find that AI suggests procedures they would have included anyway, plus a few they might have missed — particularly cross-references to standards they don't work with daily.
Where it struggles: Procedures requiring deep knowledge of specific client systems, custom processes, or prior-year findings that aren't in the AI's context. The AI might suggest "test a sample of journal entries" without knowing that the client's ERP requires a specific extraction method that your team figured out two years ago.
Analyze and Assess Evidence
AI can review uploaded evidence — documents, data extracts, screenshots — and assess whether it appears to address the test step it's attached to. This is early-stage but functional: the AI reads the evidence, compares it to the procedure requirements, and flags potential gaps or mismatches.
What it looks like in practice: An auditor uploads a bank reconciliation as evidence for a cash balance verification procedure. The AI confirms the document appears relevant, notes the reconciliation date, and flags that the document doesn't include the sign-off the procedure requires.
Where it's strong: Routine document matching, completeness checks, identifying obviously mismatched evidence.
Where it struggles: Nuanced judgment calls. Is this evidence sufficient? Does the reconciliation methodology meet the engagement's standards? Those remain human determinations.
Generate Report Sections
AI can draft finding narratives, executive summaries, and report sections from structured fieldwork data. When findings are documented with criteria, condition, cause, effect, and recommendation fields, the AI can compose these into readable narrative paragraphs.
Where it's strong: First drafts. The AI produces grammatically correct, logically structured narrative from structured data faster than most auditors can write it.
Where it struggles: Tone, political sensitivity, and context that matters for the specific audience. A finding about the CFO's department needs different framing than one about a remote subsidiary, and the AI doesn't know that.
Contextual Q&A
AI assistants that can answer questions scoped to a specific engagement's context — "What test steps cover the segregation of duties risk?" or "Summarize the findings from the procurement section" — are genuinely useful productivity tools for audit teams.
Where it's strong: Navigating complex engagements with hundreds of work items. New team members getting up to speed. Reviewers who need quick context.
Where it struggles: Questions that require reasoning across multiple engagements or institutional context the AI doesn't have.
What AI Can't Do (Yet)
This list matters as much as the previous one, because the gap between "can draft" and "can decide" is where professional judgment lives.
Replace Professional Judgment
AI can identify that a risk exists and suggest how to test it. It cannot determine whether the residual risk is acceptable, whether a control deficiency is material, or whether a finding should be rated high or medium. These are judgment calls informed by experience, organizational context, and professional standards that require human interpretation.
This isn't a temporary limitation that better models will fix. Audit judgment involves weighting factors that are inherently contextual — the organization's risk appetite, the audit committee's priorities, the regulatory environment, the historical relationship between the audit function and the business unit. AI can inform these decisions. It can't make them.
Guarantee Compliance
No AI system can guarantee that your audit complies with IIA Standards, PCAOB requirements, or any other framework. AI can structure work in ways that align with standards, suggest procedures that address standard requirements, and flag potential gaps. But the professional responsibility for compliance rests with the auditor and the CAE.
Any vendor that implies their AI "ensures compliance" is making a claim that would make the IIA's Quality Assurance reviewers uncomfortable, and it should make you uncomfortable too.
Handle Novel Situations Without Supervision
AI performs well on patterns it's seen before. When the situation is genuinely novel — a new type of fraud, a business model that doesn't fit standard categories, a regulatory interpretation that's still being debated — AI outputs need heavier human scrutiny. The AI will produce something confident-sounding regardless of whether it's on solid ground. That's a feature of how language models work, and it's why review gates matter.
Maintain Context Across Extended Engagements
Current AI systems work within context windows. They can analyze what they're given, but they don't maintain a persistent understanding of your engagement that grows over weeks. Every interaction starts with whatever context is provided in that session. This means AI is better at discrete tasks (draft this section, assess this evidence) than at holistic engagement oversight (track how this finding evolved across three review cycles).
The Transparency Problem
Here's where the conversation gets uncomfortable for most vendors.
When an AI drafts a risk assessment, what sources did it use? When it suggests test procedures, what standards informed those suggestions? When it assesses evidence, what criteria did it apply? If you can't answer these questions, you have an AI that produces outputs without an audit trail — which is ironic, given that the entire profession is built on documented evidence.
Most audit software vendors today use AI as a black box. The input goes in, the output comes out, and the auditor is expected to trust it or reject it without visibility into the reasoning. Some vendors describe this as "proprietary AI" or "intelligent automation." What it actually means is: the AI did something, and you can't see what.
This matters for three reasons:
1. Professional Standards Require Documentation
The IIA's Global Internal Audit Standards — specifically those addressing engagement supervision and documentation — require that work products are supported by sufficient, reliable, relevant information. If AI produced content that ends up in your workpapers, the reasoning behind that content is part of the audit evidence. "The AI said so" is not sufficient documentation.
2. Review Is Impossible Without Visibility
How does a reviewer evaluate AI-generated content? If there's no indication of what the AI considered, what sources it referenced, or how confident it is in its output, the reviewer has two choices: accept it on faith or redo the work. Neither is acceptable. Effective review requires that the reviewer can trace the reasoning — human or AI — behind the work product.
3. Audit Committees Will Ask
This is a when, not an if. As AI use in audit becomes more common, audit committees will want to know: How is AI being used in our audit work? What controls exist? How do we know the AI's outputs are reliable? If your answer is "we use an AI-powered tool," you haven't answered the question. If your answer is "here's our AI usage policy, here's how AI-generated content is marked, here's the review and approval workflow, and here are the citation trails," you've demonstrated governance.
What AI Transparency Actually Looks Like
Transparency isn't about being anti-AI. It's about applying the same standards to AI-generated work that the profession applies to human-generated work: document your reasoning, cite your sources, and submit your work for review.
Here's what that looks like in practice:
| Control | What It Does | Why It Matters |
|---|---|---|
| Citation trails | AI outputs reference their sources — specific standards, regulatory guidance, engagement context | Reviewers can verify the basis for AI suggestions without reverse-engineering the reasoning |
| Confidence scoring | The system indicates its own assessment of output quality — how well the inputs matched, how well-established the area is | Auditors know where to focus their review effort; high-confidence outputs need verification, low-confidence outputs need scrutiny |
| Disclosure badges | Visual markers showing which content involved AI assistance vs. human authoring | Everyone working on the engagement — and everyone reading the output — knows what was AI-assisted |
| Review gates | AI-generated content requires explicit human review and approval before becoming part of the official work product | Prevents AI outputs from entering workpapers unreviewed; creates a documented approval trail |
| Export disclosure | Reports exported from the system include a summary of how AI was used in the engagement | Audit committee and stakeholder reports reflect AI involvement transparently |
These aren't aspirational features. They're the minimum controls an audit function should expect from any AI-enabled platform. (For more on how audit management platforms structure these controls: What Is Audit Management Software?)
The Vendor Evaluation Checklist
If you're evaluating audit software that claims AI capabilities, these questions will separate substance from marketing:
About the AI itself:
- What specifically does the AI do? (List discrete tasks, not vague capabilities.)
- What AI models power the system? (Not asking for trade secrets — asking whether it's a general-purpose LLM, a fine-tuned model, or something else.)
- Where does the AI's training data come from? Does it use your engagement data to train models used by other clients?
- What happens when the AI is wrong? How does the system handle corrections?
About transparency: 5. Can I see what sources the AI referenced for a specific output? 6. Is AI-generated content visually distinguishable from human-authored content? 7. Does the system include confidence or quality indicators for AI outputs? 8. How is AI usage documented in exported reports?
About controls: 9. Can I configure which parts of the workflow use AI and which don't? 10. Is there a review gate between AI generation and inclusion in work products? 11. Who reviews AI outputs — and is that review documented? 12. Does the system maintain an audit trail of AI interactions?
If a vendor can't answer questions 5-8 clearly, their AI is a black box. That might be acceptable for a note-taking app. It's not acceptable for audit work products.
Where This Is Headed
Three trends are shaping AI in audit over the next 2-3 years:
AI becomes the starting point, not the exception. We're already seeing this shift. Instead of AI being a feature you can optionally use, AI-assisted drafting will become the default starting point for planning, with human review and refinement as the standard workflow. Audit teams won't debate whether to "use AI" — they'll debate how much review different AI outputs need.
Transparency becomes a procurement requirement. As audit committees and regulators develop expectations around AI use in audit, the ability to demonstrate AI governance will become a differentiator in vendor selection. RFPs will include sections on AI transparency, and vendors who treat AI as a black box will lose deals.
Standards will formalize AI expectations. The IIA's 2024 Global Internal Audit Standards don't yet address AI specifically, but the profession is actively developing guidance. Expect formal positions on AI use in audit work, documentation requirements for AI-assisted content, and quality assurance considerations within the next 1-2 years. Teams that build transparency practices now will be ahead of the curve.
The Honest Assessment
AI in internal audit is real, useful, and getting better. It's not magic, and it's not ready to run audits unsupervised. The technology's value isn't in replacing auditors — it's in eliminating the blank-page problem, accelerating routine drafting, and giving auditors more time for the judgment calls that actually require human expertise.
The vendors who will earn trust aren't the ones with the flashiest AI demos. They're the ones who can show you exactly what the AI did, why, and how you can verify it. In a profession built on documented evidence and professional skepticism, that's not a nice-to-have. It's table stakes.
If your vendor's response to "how does your AI work?" is "trust us" — that should be a finding.
Audvera builds AI transparency into every step: citation trails, confidence scoring, disclosure badges, review gates, and export disclosure. AI assists the work. The auditor owns the judgment. See how it works →