The external auditor's job is unchanged by AI. The job is to opine on whether the financial statements are free from material misstatement. AI has not changed the standard. It has changed the procedures that the audit team uses to satisfy themselves of it, and the procedures that the entity must have in place for the audit to proceed efficiently.
The audit-readiness question is, in practice, about anticipating what the audit team will ask and being able to answer with documentation rather than reconstruction. The framework below is what gets the entity ready.
What the auditor is actually testing
For an AI-enabled finance function, the audit team is testing several things specifically.
- Whether the AI-generated outputs that have entered the financial statements are reliable.
- Whether the controls over those outputs are designed and operating effectively.
- Whether the entity owns the outputs — that is, whether a named human has accepted responsibility for each material output, with evidence.
- Whether the AI deployments are subject to a governance framework that is documented, applied, and reviewed.
- Whether the entity can produce, on request, the evidence that supports any individual output.
None of these tests is new in concept. Each is the same kind of test the audit team would apply to any internal model, any third-party software, or any process that produces inputs to the financial statements. What is new is the volume of outputs, the speed of model evolution, and the unfamiliarity of some of the procedures.
Five questions the audit team will ask
For an entity with material AI in the finance function, the audit team will, in some form, ask the following.
- What AI systems are in use in the financial reporting process, including those embedded in third-party tools and those built in-house? The entity must have an inventory.
- For each system, who validated it, against what benchmark, with what ongoing monitoring? The entity must have model validation documentation.
- For the period under audit, what outputs were generated, and what human review was applied? The entity must have a review log.
- What incidents occurred in the period, and how were they remediated? The entity must have an incident log.
- How are the AI outputs reconciled to the underlying source data, and is the reconciliation auditable? The entity must have the audit trail from output back to source.
If the entity can answer each of these with documentation, the audit moves forward. If it cannot, the audit will require additional substantive procedures, which increase the time, the cost, and the risk of a qualified opinion or significant deficiency findings.
The documentation that closes the file
The audit file for an AI-enabled finance function typically requires the following items, retained contemporaneously rather than reconstructed at audit time.
- A model inventory listing every AI system in use in financial reporting, the purpose, the owner, the risk classification, and the validation status.
- A validation report for each model, refreshed at a defined cadence — typically annually for material models, more often for higher-risk ones.
- A monitoring dashboard or equivalent that shows the performance metrics over the audit period.
- A review log that records the human review applied to material outputs, with reviewer, date, and disposition.
- An incident log with root cause and remediation for each event.
- The policy documents — model risk policy, AI governance policy, data governance policy — that the entity operates under.
- The audit committee reporting on AI deployments during the period.
- Evidence that the controls over AI are tested, either by internal audit or by management testing, with the results.
None of these documents is exotic. They are the standard documents of a controlled process, applied to a new model class.
The review evidence that the audit team can rely on
The audit team will want to test, by sampling, that the human review of AI outputs is operating as designed. The evidence the entity must produce for a sampled output typically includes:
- The original AI output, with timestamp.
- The reviewer, with role and authority.
- The date and nature of the review.
- The disposition — accepted, modified, rejected — and the rationale.
- The downstream action taken on the output.
- The retention of the underlying source data the AI used to produce the output, sufficient to allow the audit to verify the output if necessary.
The entity that maintains this evidence contemporaneously will have a short conversation. The entity that has to assemble it at audit time will have a much longer one, with worse outcomes.
Where the audit conversation goes wrong
Several patterns produce predictable audit difficulty.
The undisclosed deployment. An AI system has been in use during the period but was not declared in advance to the audit team. The team discovers it during procedures and treats the lack of advance disclosure as a finding in itself.
The unsupported output. A material output is referenced in the financial statements but cannot be traced to its inputs or its review. The audit team has no basis on which to rely on it.
The hallucination. A specific output is challenged and found to be incorrect. The procedure for catching this should have caught it but did not, raising questions about every other output the procedure was supposed to cover.
The model that drifted. The model was validated when deployed but has not been monitored. The audit team cannot determine when the performance degraded or what outputs may have been affected.
The vendor dependency. A third-party AI tool is in use and the entity cannot produce evidence of the vendor's controls. The audit team cannot rely on the tool, and the entity must produce alternative evidence — which is often expensive.
Each of these patterns is preventable. The prevention is the discipline of treating AI deployments as financial-reporting-relevant from the first day, not the day the audit begins.
Preparing the first AI-enabled audit
For an entity facing its first audit with material AI in the finance function, a preparation sequence has the following components.
- Disclose the AI deployments to the audit team early — at the audit planning stage, not at the field-work stage. Use the planning conversation to agree the procedures.
- Provide the model inventory, the validation documentation, and the policy framework in advance, so that the audit team can review before procedures begin.
- Walk the audit team through a worked example: take a single material output, show the inputs, the model, the review, and the downstream action. The walkthrough sets expectations for the sampling.
- Agree the population, the sampling approach, and the evidence requirements in writing, so that the testing is not negotiated transaction by transaction.
- Be ready for the question the audit team will ask but did not signal in advance — the unexpected question is the one that defines whether the entity is genuinely ready or only superficially ready.
The first AI-enabled audit is the most demanding. Subsequent audits run more easily, because both sides have established what the procedures look like and the entity has internalised the documentation discipline.
Lorna Mason is CFO of IMPT, Dublin. The verified public record is on the Verified page. Contact: lorna@impt.io