Generative AI (GenAI) presents a significant opportunity for internal audit (IA) teams of all sizes to amplify their impact, boost efficiency, and enhance the quality of their work. Many organizations are still in the early stages of GenAI adoption, which means there is a substantial opportunity for IA to step in and provide valuable advisory services while also leveraging the technology to improve its own processes.
The key is to view GenAI not as a replacement for human auditors, but as an intelligent companion or augmentation tool that helps us become more efficient, productive, and insightful in our day-to-day tasks. By automating routine and repetitive tasks, GenAI frees up auditors to focus on higher-risk areas and more complex, value-added activities.
While the landscape of this technology keeps evolving, here are the key audit activities where we believe, GenAI can deliver immediate value, with specific use cases and practical prompts to get your team started.
1. Audit Planning and Risk Assessment
This is one of the most promising areas for immediate GenAI application. Surveys of early adopters show that the planning phase had the highest potential for extensive use of GenAI. It can significantly accelerate the process of understanding a new audit area and identifying potential risks.
Key Use Cases
Rapidly Understand New Audit Areas: Quickly learn about industry standards, best practices, regulations, and new technologies relevant to an upcoming audit.
Initial Risk Identification: Generate a preliminary list of risks and controls for a specific process based on best practices, which serves as a starting point for your detailed risk assessment. This helps overcome the "blank page" problem.
Drafting Audit Planning Documents: Create initial drafts of planning memos, audit objectives, scope statements, and Risk and Control Matrices.
Practical Prompts Examples
"Act as an experienced internal auditor. I am planning an audit of the procure-to-pay process for a mid-sized manufacturing company. Summarize the key process steps, common risks (e.g., fraud, operational, compliance), and standard internal controls typically found in this cycle."
"Based on the key risks in a procure-to-pay process, generate five potential audit objectives for an upcoming internal audit. For each objective, suggest the preliminary scope and key questions to ask the process owner."
"Create a draft Risk and Control Matrix in a table format for the 'vendor master file management' sub-process. Include columns for: Risk Description, Control Objective, and Example Control Activity."
2. Fieldwork Execution
During fieldwork, GenAI can act as an assistant, helping with data analysis, documentation, and drafting communications, thereby streamlining the evidence-gathering phase.
Key Use Cases
Summarizing Large Documents: Analyze and summarize lengthy documents like contracts, policies, or meeting minutes to quickly identify key clauses, requirements, or deviations.
Generating Test Scripts: Develop detailed test plans and scripts for repeatable tasks, ensuring consistency across the audit team.
Drafting Information Requests: Write clear, concise, and professional emails to request evidence and information from stakeholders, saving time and ensuring a consistent tone.
Practical Prompts Examples
"I have uploaded a 50-page service contract with a third-party vendor. Act as a risk manager and summarize the key clauses related to data security, service level agreements (SLAs), liability, and termination. Identify any clauses that may pose a significant risk to our organization."
"You are a senior IT auditor. Write a detailed test script to assess the user access review process for our primary ERP system. Include steps to verify the completeness of the user list, the appropriateness of access levels, and evidence of management review and sign-off."
"Draft an email to the Accounts Payable Manager requesting the following information for our procure-to-pay audit: 1) A list of all new vendors added in Q3, 2) The policy for vendor master file changes, and 3) Exception reports for duplicate payments for the last six months. Ensure the tone is collaborative and professional."
3. Audit Reporting
The reporting phase is critical for communicating audit results effectively, and GenAI can dramatically improve the quality and efficiency of this process. It helps ensure reports are clear, concise, and impactful.
Key Use Cases
Drafting Audit Findings: Structure and write initial drafts of audit findings, ensuring all key elements (Criteria, Condition, Cause, Consequence, Recommendation) are included.
Improving Clarity and Tone: Refine drafts for clarity, tone, and length. GenAI is excellent at rephrasing complex technical issues into clear business language for executive summaries.
Brainstorming Recommendations: Generate practical and actionable recommendations to address identified control weaknesses or process inefficiencies.
Practical Prompts Examples
"Act as a Chief Audit Executive. Write a draft audit finding based on the following notes: Condition - 15% of new hires were granted system access before their background checks were complete. Criteria - Company policy requires background checks to be completed before any system access is granted. Cause - HR and IT processes are not synchronized. Consequence - Risk of unauthorized access to sensitive data by unvetted employees. Recommend a solution to automate the workflow."
"Review the following paragraph from an audit report and revise it to be more concise and suitable for an executive audience: '[Insert paragraph here]'. Focus on clarity and business impact."
"Summarize a 10-page internal audit report into a five-bullet-point executive summary. The key findings are related to deficiencies in inventory management, outdated IT security policies, and non-compliance with travel expense procedures."
4. Follow-Up and Issue Tracking
GenAI can assist in automating the administrative burden of the follow-up phase, ensuring that management actions are tracked effectively.
Key Use Cases
Drafting Follow-up Communications: Create emails and status update requests for management to provide progress on their remediation efforts.
Summarizing Management Responses: Consolidate management responses across multiple audit findings to identify thematic issues or patterns.
Practical Prompts Examples
"Draft a polite but firm reminder email to a department head regarding an overdue management action plan from the Q2 IT Audit. The original due date was 30 days ago. State the importance of resolving the issue and ask for an updated timeline."
"Generate a brief status update report for the audit committee on unresolved high-risk issues. Include columns for: Audit Finding, Original Due Date, Current Status, and Department Owner."
Important Considerations Before You Begin
While the opportunities are significant, it is crucial to proceed with caution.
Data Security and Privacy: Never input sensitive or confidential company data into public GenAI models. Advocate for the use of secure, private instances or in-house models where data is protected and not used for training external models.
Accuracy and "Hallucinations": GenAI models can produce incorrect or fabricated information ("hallucinations"). Always apply professional skepticism. You must independently verify all outputs and treat GenAI-generated content as a starting point, not a final product. In addition, do not forget about inherent bias in training dataset which may skew final output.
Human in the Loop: Effective human oversight is essential. An auditor's review is necessary to validate the relevance, accuracy, and completeness of GenAI outputs. Your professional judgment and experience remain your most valuable assets.
We have previously touched upon these themes in other articles on AI.
So, with the above guardrails, your team can begin harnessing the power of GenAI to enhance your audit processes immediately, positioning internal audit as a forward-thinking and value-driven function within your organization.
If you like this article and would like to discuss further how we can assist you in supercharging your Internal Audit function, contact us for a complimentary consultation.
We welcome your comments.