AI 101 for Audit Practitioners: Practical Use Cases to Elevate Audits
Over the past two and a half years, bringing artificial intelligence (AI) into my personal and professional life has been nothing short of game-changing. AI has changed the way I work, making my job fun again and giving me insights into data like I’ve never seen before — and I’m eager to share my experience with you. Whether you’re an AI enthusiast or just curious, I hope my story will inspire you to see what’s possible with AI.
As an auditor with over 20 years of experience in external and internal audit at Hilton, RSM, Fannie Mae, and Deloitte, when I embarked on my AI journey I quickly discovered that AI would become my best friend. Now, as the owner of my own firm, AuditPartners, AI has provided me with an army of virtual resources that deliver invaluable insights and outputs — with no overtime or complaints! Embracing and incorporating AI into our firm has truly been a game-changer, and it’s my conviction that every auditor can benefit from leveraging AI in their day-to-day work.
In this article, I’ll share my most important advice for leveraging AI effectively and responsibly, and illustrate what that advice looks like in practice with three concrete audit use cases for AI — complete with sample AI prompts and outputs. I hope to inspire you to explore how AI can enhance your audit work too — there’s no time like the present to get started!
5 Tips to Start Using AI in Internal Audit
For those new to AI, I recommend starting with small, manageable projects and gradually scaling up. I built a solid foundation in AI by initially focusing on simple use cases, then progressively tackling more complex projects. The potential use cases for AI are endless and are limited only by your imagination. If you can imagine it, AI can serve as a powerful guide to accelerate your progress.
1. Start With the Basics
To effectively leverage AI in audits, start by understanding the fundamentals of artificial intelligence and mastering the skill prompting for optimal outcomes. If you haven’t signed up for an AI tool yet, I encourage you to do so and start interacting with it by asking it questions. You can begin with basic inquiries to get an overview and then collaborate with the AI, refining your queries as you go. This iterative process will help you maximize the benefits of AI in your auditing tasks.
People often ask me which course is best for learning AI, and my response is usually that the most effective way to learn AI is through hands-on practice.
Leverage AI tools to automate tasks, analyze data, and enhance decision-making in your audit processes. Many of these tools are free to sign up for and even offer mobile applications, allowing you to interact with the models directly on the go.
This could even include tools like an AI note-taker, which has been a growing trend lately. I’ve personally been using Fathom.Ai, which is free and one of the best AI note-takers I have used thus far. This hands-on experience is invaluable in grasping how AI can be leveraged effectively.
2. Take the Time to Write Effective Prompts
With AI, the quality of your prompting will largely determine the quality of the output. To get the most out of AI tools, here are some of my favorite prompting tips:
- Describe the Problem: Clearly articulate the issue you want AI to address.
- Give Details: Provide specific details about the problem.
- Command: State what you are seeking from the AI.
- Example Output: Provide an example of the desired output or something to refine.
Don’t hesitate to re-prompt the AI to expand upon or simplify the response. Most importantly, always validate and revalidate the AI’s response before use.
3. Engage with the Community
Joining AI communities on Linkedin, Reddit, AI-focused webinars, and forums provides support and insights from other enthusiasts and professionals. Networking with like-minded individuals, especially in audit, can facilitate learning and collaboration.
A few AI resources to follow: There are many engaging and growing newsletters and channels you can subscribe to which helps with keeping up with the latest tech news and trends in AI.
4. Training and Certifications
If you’re looking to expand your knowledge in AI auditing, obtaining the latest ISO 42001 certifications is an excellent step forward. These certifications include foundational, implementer, and lead auditor (LA) levels, providing comprehensive insights into AI auditing standards. AuditPartners is an approved ISO training provider, offering courses on ISO 42001. These programs are designed to enhance your expertise in AI auditing and help you stay current in the industry.
5. Persistence is Key
The learning curve for AI can be steep, but persistence pays off. The technology is still new, so it is the perfect time to start. Continuous learning and staying updated with the latest developments in AI are essential for long-term success.
A Day in the Life of an AI-Powered Auditor
What do these tips look like in practice? Let me describe a typical day for an auditor who embraces AI’s productivity-boosting potential, then follow with some concrete use cases.
It’s Monday morning, and after I drop my kids off at school I log on to my computer. Awaiting me is a neatly summarized AI weekly report from Copilot of my meetings and tasks, conveniently sitting in my email inbox. This quick recap starts my week off on the right foot by reminding me of the tasks I’m carrying over from last week, and giving me an overview of what’s most pressing in my queue for this week.
I quickly review my inbox, and I ask CoPilot AI to draft a response to a few emails. After tweaking the responses to fit my own words, I hit send on each one. With my emails out of the way, I’m ready to dive into my tasks.
I open my AI-driven audit management project tool in ClickUp where all my tasks are organized and clearly displayed.
I have a department budget to draft, some audit fieldwork to complete, and an IT Policy and Password Compliance Review — and that’s just the top items! The to-do list seems endless, but here’s where AI truly shines. For those new to using AI in internal audit, I’d like to illustrate how easy it can be by breaking down three practical examples related to my to-do list: creating a department budget, reviewing journal entry transactions for compliance, and conducting an ITGC password control test. I’ll show you how using ChatGPT or other AI models can save time and boost productivity in both your work and personal life.
Before we dive into these examples, it’s crucial to consider the type of data you’re sharing and your company policies. Whether you’re using an open-source tool like GPT or a private enterprise tool with enhanced data privacy and security, remember that the examples below are for demonstration purposes only, using dummy data. If you choose to use an open tool like GPT, ensure you modify your screenshots or data to exclude any sensitive information. Additionally, check with your IT department to confirm it is permitted.
AI for Internal Auditors Example 1: Create a Departmental Budget
Let’s use AI to help me create a budget for an internal audit department. Using ChatGPT, I gave the AI my overall budget, number of employees, and general salary information and asked it to consider benefits, co-sourcing, travel, and technology costs. I also wanted the model to give me some money left over in case there are other expenses such as training or unforeseen projects. Without much effort, the AI produced a viable budget that I could use to manage my department.
If you’ve ever faced the daunting task of creating a budget without knowing where to start, you’ll understand the value of a tool that simplifies the process. Even those with no prior experience can find it incredibly useful. You can even take your existing budget and tweak it to fit your current needs or future projections. What used to be a tedious manual process that took hours of juggling numbers and figures is now streamlined with the help of AI. The AI handles most of the heavy lifting, allowing you to reallocate or adjust as needed. Budget completed!
Sample Budget Allocation Prompt and Output
- Prompt:
- Come up with an Internal Audit Budget for Me in a detailed Corporate Format
- Total Internal Audit Budget is $2.5m
- Team consists of 5 FTEs (CAE, Audit Manager, Sr. IT Auditor, 2 Auditors)
- Chief Audit Executive’s Salary is $250k
- Factor in benefits, misc.
- Allocate Co-Sourcing Budget 20%
- Allocate Travel Budget 10%
- Technology and the remaining budget should be broken out with your guidance on how I should best spend it for a new department.
- Put this into a table format for me once you have shown me the breakdown as the final step.
- Export it into excel for me
Example Analysis Output:
Here’s a breakdown of how you could allocate the $2.5 million internal audit budget.
Category | Amount |
Salaries and Benefits | $1,066,000 |
Co-Sourcing | $500,000 |
Travel | $250,000 |
Technology | $375,000 |
Miscellaneous | $309,000 |
Total | $2,500,000 |
AI for Internal Auditors Example 2: Perform Audit Fieldwork
How well can AI-powered data analytics perform fieldwork for an audit? I gave the AI journal entry information and an approval matrix for this test. I prompted it to analyze the data for approval limits and separation of duties violations, produce an issue listing, and create an audit report. In the end, an audit that generally takes an experienced auditor countless hours to complete was done in less than 10 minutes and up to 50x faster and more accurately. I could quickly see how these tools were a game-changer, allowing us to do more than ever before. Fieldwork completed!
Sample Audit Fieldwork AI Prompt and Output
- Prompt: (Note: Uploaded a dummy journal transactions log and approval matrix data in an Excel file.)
- Analyze Compliance: Compare transactions against the approval matrix to identify non-compliant entries.
- Identify SOD Violations: Search for any instances of creators approving their own transactions.
- Summarize Findings: Compile audit findings, including compliance issues and transaction distribution by approver.
- Draft Audit Report and Control: Prepare an audit report summary and formulate a control statement based on the analysis.
- Provide the following output:
- Analyze Compliance: Compare Transactions Against the Approval Matrix
- Identify non-compliant transactions by comparing each transaction’s amount with the approval limits of the approver.
- Identify SOD Violations: Search for Instances of Creators Approving Their Own Transactions
- Scan the data to find any instances where the creator and the approver are the same person.
- Summarize Findings: Compile Audit Findings
- Summarize the findings, including the number of compliant and non-compliant transactions, and identify any SoD violations.
- Draft Audit Report and Control: Prepare an Audit Report Summary and Formulate a Control Statement
- Prepare a brief audit report summary and a control statement based on the analysis.
- Analyze Compliance: Compare Transactions Against the Approval Matrix
Example Analysis Output:
- Total Transactions: 2,340
- Compliant Transactions: 2,280
- Non-Compliant Transactions: 60
- SoD Violations: 24
Control Statement:
Based on the analysis, it’s recommended to:
- Enhance Approval Processes: Ensure that approvers have appropriate limits and that these limits are adhered to.
- Enforce Segregation of Duties (SoD): Implement controls to prevent creators from approving their own transactions.
- Training: Provide training to approvers on the importance of compliance with approval limits and SoD principles.
- Regular Audits: Conduct regular audits to ensure ongoing compliance and address any issues promptly.
AI for Internal Auditors Example 3: IT General Controls (ITGC); Password Security Test
Let’s leverage AI to streamline our IT audit test for password security compliance. I used ChatGPT to set up this audit by providing it with the control/compliance requirements, an example IT Security policy, and dummy screenshots taken from the internet of various system password security settings. The AI factored in elements like password complexity, expiration, history, and multi-factor authentication, while also suggesting additional checks for weaknesses and recommending ways to boost overall security. It even told me the type of systems that were being used in each of the screenshots, like Active Directory, Unix, AS400, etc.
Let’s take it a step further — I want a formal output to share with my management. We can ask the model to provide us with a memo outlining the observations and procedures performed along with any recommendations for management.
Conducting an IT audit can be overwhelming, especially if you’re unsure where to begin. AI simplifies this process, making it accessible even to those without prior experience. You can adjust your current audit framework to meet present needs or future security demands. Instead of spending hours manually examining policies and testing parameters, AI streamlines the task and handles the bulk of the work. This allows you to make necessary adjustments effortlessly. Audit completed!
Sample IT General Controls (ITGC); Password Security Test Prompt and Output
- Prompt: (Note: Uploaded dummy IT policy and password settings screenshots as documents.)
- Review IT Policy: Ensure the current IT policy complies with industry standards.
- Password Compliance: Verify that the password settings in the system screenshots align with the IT policy and industry best practices.
- Summarize Findings: Compile findings into a report, highlighting any discrepancies and areas for improvement.
- Draft Recommendations: Prepare a set of recommendations based on the findings to enhance compliance and security.
- Provide the following output:
- Review IT Policy:
- Compare the current IT policy against industry standards such as ISO 27001 and NIST guidelines.
- Identify areas where the policy aligns and where it may need improvement.
- Password Compliance:
- Analyze the provided screenshots of the password settings.
- Ensure the settings meet the requirements outlined in the IT policy and follow best practices, such as complexity, expiration, and history requirements.
- Summarize Findings:
- Compile the findings into a comprehensive report, detailing any discrepancies between the policy and the actual settings.
- Highlight areas where the current practices meet or exceed standards, as well as areas needing attention.
- Draft Recommendations:
- Provide a set of actionable recommendations to address any identified gaps.
- Suggest updates to the IT policy and system settings to ensure full compliance and enhanced security.
- Review IT Policy:
Example Analysis Output:
IT Policy Review:
- Compliant with sample IT policy and ISO 27001: Yes
- Compliant with NIST Guidelines: Partially (needs updates on password complexity)
- Password Compliance:
- Complexity: Meets standards (requires uppercase, lowercase, numeric, and special characters)
- Expiration: Needs improvement (currently set to 180 days, recommend 60 days)
- History: Needs improvement (currently set to remember last 2 passwords, recommend last 10 passwords)
Recommendations:
- Update IT Policy:
- Include stricter guidelines on password complexity and expiration.
- Recommended to align with NIST guidelines fully.
- Enhance System Settings:
- Adjust password expiration from 180 days to recommended 60 days.
- Increase password history to 10 from current setting of 2.
- Training:
- Conduct training sessions for staff to emphasize the importance of adhering to updated IT policies.
- Regular Reviews:
- Schedule regular reviews and audits of IT policies and system settings to ensure ongoing compliance.
Looking to the Future
At my firm, we are not just users of AI — we are AI pioneers and innovators. As the first AI-centric audit firm, we provide comprehensive services including consulting, technology tools, training, and certifications for all things related to AI in auditing
By embracing AI, we can transform our work processes, enhancing efficiency and uncovering new opportunities. As auditors, leveraging these advanced tools can significantly elevate our work, making us more effective and insightful in our roles. The future of auditing is here — join me!
Faisal Shafiullah is the CEO of AuditPartners which is an IT Audit and Risk advisory firm headquartered in Florida. Faisal has over 20 years of experience with the Big 4 and industry including time at Deloitte, RSM, Fannie Mae and Hilton. Connect with Faisal on LinkedIn.