Let’s Use AI Effectively in Our Internal Audit Practice

There’s been a lot of discussion about the need for every internal audit function to adopt AI tools. Some go as far as saying that unless they do that, they will become obsolete. The sky is not falling… yet. We are not about to lose our value to the board and top management.

But I am positive that we can do more, better, and faster if we use AI effectively.

This is not a new thought. New technologies have been an enabler of internal auditing my whole career, from Excel to desktop analytics. What is new is the breadth and depth of change that is possible.

So what are some of those possibilities?

AuditBoard and KPMG recently shared AI for auditing: 12 use cases to jump‑start your journey. They assert (with my emphasis):

Instead of fearing AI, internal auditors should embrace AI as a tool that helps them increase their value to the business. Once and for all, AI will not replace internal auditors. AI automates; humans validate. AI can fast‑track data analysis, but human judgment is essential for turning that analysis into actionable insight. If anything, AI’s ubiquity makes internal audit more indispensable, given fast‑growing AI auditing and assurance needs.

Further, AI won’t necessarily change how much time internal auditors dedicate to their work. What will shift is where they allot that time. Many hours historically spent on audits will be dedicated to advisory work. AI will help propel the profession towards the IIA’s 2035 vision, where internal auditors are indispensable strategic advisors to their organizations.

Internal auditors should embrace this opportunity to rethink and enhance their methodologies. It’s time to give AI the low‑value, high‑intensity work and let the humans focus on what has always been the most meaningful part of the role: providing the risk and strategic insight and assurance that helps our organizations protect, create, and enhance value. The hardest parts now are (1) proving that AI can be relied upon and (2) upskilling ourselves and our teams in using AI effectively.

I’m not sure I agree with their assessment, but it will take time for us to see how AI is used. In the meantime, let’s have a look at their 12 use cases.

I used Adobe’s AI to generate a summary that included this:

| Use Case | Description | Example Benefit |

|---|---|---|

| Research & Planning | AI assists with memos, reports, and industry research | Faster, more thorough prep |

| Process Narratives | Synthesizes documents into draft narratives | Saves time, improves clarity |

| Workpaper Reviews | First‑pass QA, error flagging, formatting | Reduces manual review effort |

| QAIP Reviews | AI‑enabled checklist validation | Streamlines compliance checks |

| Analytics Co‑pilot | Suggests analytics procedures, data prep guidance | Unlocks new insights |

| Translations | Context‑aware, technical language translation | Breaks language barriers |

| RACM Comparisons | Compares controls to frameworks, finds gaps | Ensures compliance, harmonization |

| Prompt Libraries | Curated prompts for consistent AI use | Boosts team productivity |

| Prompt Library Apps | Custom apps for repeatable AI tasks | Simplifies workflows |

| Knowledge Repositories | AI‑powered access to regulations, standards | Quick, accurate answers |

| Agentic AI | Autonomous agents for monitoring, reporting | Real‑time risk detection |

| Intelligent Staffing | AI matches skills to projects, explains choices | Optimizes team assignments |

There’s too much low‑value work in 11 of the 12 for me, such as helping with workpaper reviews. In addition, risk monitoring should be done by management – and internal audit should be assessing whether it is sufficient and effective.

What I already love is the ability of these tools to provide summaries of lengthy documents, like the table Adobe’s product provided.

When I was CAE at Business Objects back in 2009, they came up with a brilliant marketing message of:

See the Light

The company was the leader in Business Analytics, including analytics on your desktop, tablet, and phone. They said their products:

• Provide immediate answers to business questions without needing to wait for IT to build custom reports.

• Allow users to find data as easily as using a consumer search engine.

• Are a way for non‑technical business users to “see the light” by making complex data easy to understand and navigate.

The AI tools at our disposal today can do this in spades!

Last week, my friend from down under, Tom McLeod (whom you should follow, especially for his insights on AI), shared on LinkedIn about a recent conversation he had. It starts with:

Recently a Chief Audit Executive nearly knocked over her coffee as we were chatting about life and AI.

Her enthusiasm was best summed up by her wise observation:

“AI is letting Internal Audit see things for the very first time.”

Later in the post he says:

AI makes the invisible visible by analysing patterns, behaviours, and dependencies at a scale and granularity no human‑led audit model can reach, revealing signals that were previously too small, too fast or too intertwined to detect.

It runs continuous synthetic testing – stress‑scenarios, behavioural simulations, and rule‑interpretation models – that expose risks and contradictions long before they surface in real operations.

This is my #1 expected use of AI: not just shining a light on the company’s data (and other sources) but delivering insights such as trends in:

• fines from government agencies

• breaches of policy

• credit given to new or existing customers

• credit notes granted

• the number and age of open IT service requests

• days’ sales in inventory and receivables

• equipment breakdowns and maintenance costs

• safety incidents and near‑misses

• the cost of materials

• product returns

• type and volumes of calls to the customer support centre

• time to hire

• employee losses

• product quality defects

• scrap rates

• gross margins

• revenues by sales team

• product sales

It can also, and this is intriguing, compare the results and performance of different business units, or your company’s performance against its competitors.

My team and I did as much of this as was reasonable, given our limited resources. We obtained and reviewed the reports that management got. But there are so many reports and so much to review, that it was never enough. That can change now.

The more we know, the deeper the insights, the better we can:

1. Understand the potential effect (i.e., the risk level) of any control deficiencies

2. Know what to audit, when

Of course, AI will also make it easier to:

• Monitor the external environment for changes in regulations, laws, etc.

• Build process narratives and flowcharts (though many wonder why they’re needed)

• Identify potential risks to audit based on the experience of others – but be careful to audit the risks of your organization, not those of others

• Draft an audit report – but a human must exercise judgment on what is important

• Capture and summarize the results of an interview

• Test the entire population (e.g., ensure bank reconciliations are performed on time, by the right people). This is easier and faster with AI, but remember that an opinion should be on the adequacy of controls; testing data alone does not allow an opinion on whether controls even exist.

As I said, it’s going to take some time to see all the ways that AI can provide serious value for internal audit functions.

But until then I will hold to my view that shining light on the business will be the star.

What do you think?