IIA Delhi Branch

Using AI in Internal Audits – Opportunities, Threats & Challenges

March 6, 2026

Artificial Intelligence (AI) tools such as OpenAI’s ChatGPT, Google’s Gemini, and Microsoft’s Copilot are rapidly reshaping internal auditing. For audit leaders, these tools present powerful opportunities, but also serious governance, regulatory, and ethical challenges. Given recent developments in these areas, the topic is especially relevant because AI adoption is becoming an Audit Committee discussion point. In this article we discuss some of the opportunities, threats and challenges that audit leaders can encounter.

1. Opportunities for Internal Audit
a) Enhanced Audit Efficiency

AI tools can quickly analyse large datasets, contracts, policies, and emails. This enables auditors to:

  • Perform full-population testing instead of sampling
  • Detect anomalies in procurement, payroll, or revenue recognition
  • Identify fraud patterns using predictive analytics

Example:
A retail company can use AI to analyse GST invoices and detect duplicate vendor payments, something missed by manual sampling.

b) Better Risk Assessment

AI can map emerging risks from regulatory updates, news feeds, or internal data.

Example:
In EU banks, AI tools scan thousands of regulatory circulars under European Union rules to flag compliance gaps in real time.

c) Improved Reporting & Communication

Tools like ChatGPT help draft executive summaries, board reports, and root-cause analysis. This improves clarity and turnaround time—especially useful for Audit Committee reporting.

Example:
An internal audit team can use Copilot to prepare dashboards for fraud analytics, reducing reporting time by 40%.

d) Continuous Auditing & Monitoring

AI enables real-time controls testing and monitoring, aligning with modern internal audit expectations.

Example:
UK telecom companies use AI to monitor billing errors and customer complaints continuously.

2. Key Threats
a) Hallucinations & Accuracy Risk

AI tools can generate incorrect or fabricated results. Law firms in India have already reported instances of AI producing fictitious case law, leading to strict internal AI policies.

For auditors, relying blindly on AI outputs can damage credibility and audit quality.

b) Data Privacy & Confidentiality

Uploading sensitive company data into public AI tools can violate regulations like GDPR in the EU or the DPDP Act in India.

Example:
An auditor uploading payroll data into ChatGPT could expose personal information and breach privacy laws.

c) Regulatory Risk

Different regions have different AI governance frameworks:

  • EU – Risk-based regulation under the European Union Artificial Intelligence Act, requiring transparency and controls.
  • UK – Sector-specific, principle-based AI oversight.
  • USA – Fragmented, sector-driven regulation encouraging innovation but creating compliance complexity.
  • India – Emerging frameworks through the DPDP Act, the Digital India Bill, and initiatives like the India AI Safety Institute, with still-developing AI-specific regulation.

Internal audit must understand these regional differences when auditing multinational companies.

d) Over-automation Risk

Auditors may lose professional scepticism if AI performs too much analysis. Internal audit judgment cannot be outsourced.

3. Implementation Challenges
a) Governance & Policies

Companies need AI usage policies covering:

  • Approved tools
  • Data usage restrictions
  • Documentation & audit trails

Example:
Some courts in India allow AI only for administrative tasks, not decision-making, highlighting governance boundaries.

b) Skill Gap in Audit Teams

Auditors must understand AI models, data bias, and prompt engineering. Traditional accounting skills alone are insufficient.

c) Model Explainability

Audit conclusions must be defensible. If AI models cannot explain outputs, they are difficult to rely on in regulatory or forensic investigations.

d) Ethical & Bias Concerns

AI trained on biased datasets may lead to unfair audit conclusions—for example, flagging certain vendor categories disproportionately.

4. Regional Perspective

India

  • Rapid digital adoption in banking, telecom, and GST ecosystems.
  • Limited AI-specific law but strong data protection focus.
  • Internal audit must emphasise governance and vendor-risk management.

EU

  • Strongest regulatory oversight through the AI Act.
  • Internal audit must assess AI risk classification, transparency, and documentation.

UK

  • Principles-based approach requiring auditor judgment.
  • Emphasis on accountability and fairness.

USA

  • Innovation-driven environment.
  • Focus on cybersecurity, SOX compliance, and AI-related fraud risk.

5. Practical Use Cases in Internal Audit

  • Contract review for related-party transactions
  • ESG disclosure validation
  • Cybersecurity log analysis
  • Fraud analytics in procurement
  • Policy gap analysis for regulatory compliance

6. The Way Forward for Internal Auditors

Internal audit functions should:

  1. Create AI governance frameworks
  2. Train auditors on AI risks
  3. Use secure enterprise AI tools
  4. Validate AI outputs independently
  5. Report AI risks to the Audit Committee

AI should be treated as a co-pilot—not a decision maker.

 

Conclusion

AI is transforming internal audit from retrospective assurance to predictive insight. However, auditors must balance efficiency with scepticism, innovation with governance, and automation with accountability. For global organisations spanning India, EU, UK, and USA, internal audit has a unique role in ensuring AI is used responsibly, ethically, and in line with regulatory expectations.

 

About the author:

Amit Sharma is the Vice President and Head of Audit – APAC at EXL, with over 25 years of experience in internal audits, risk management and compliance. As part of his commitment to giving back to the auditing profession, he also serves on the IIA India Delhi Branch Board of Governors and is the Chairperson of the Publications & Research committee of IIA India Delhi Branch.