AI has moved quickly from a technology topic to a governance topic. The IIA’s updated AI Auditing Framework explicitly broadens its coverage of generative AI and large language models, with stronger emphasis on AI governance, ethics, transparency, accountability, enterprise risk management, and board oversight. At the same time, the Global Internal Audit Standards require chief audit executives to ensure the function has technology to support the audit process, evaluate that technology regularly, provide appropriate training, and address risks arising from technology use, including information security and privacy.[2][1]
Why AI is attracting attention in internal audit
That combination explains why AI is attracting so much interest in internal audit. The question is no longer whether the function should understand AI. It should. The more useful question is where AI can add practical value now, and where expectations have moved ahead of what can be governed responsibly. NIST’s AI RMF frames AI risk management as part of responsible development and use, aimed at improving trustworthiness through governance, mapping, measurement, and management of risk.[4]
A helpful distinction is to separate three ideas that are often blurred together. Traditional automation follows predefined rules. Analytics helps identify patterns, anomalies, or relationships in data. Generative AI produces synthetic outputs such as text, code, images, or summaries from prompts and context. NIST’s Generative AI Profile defines generative AI in precisely that way and treats it as a distinct risk-management context. That distinction matters because not every audit use of “AI” carries the same risk profile or evidentiary implications.[5]
Where AI may realistically help today
In practical terms, AI is most useful where it supports audit work rather than substituting for audit judgement. One realistic use case is early-stage risk assessment support: helping auditors organise large volumes of background information, group emerging themes, and identify areas for deeper human review. Another is document review and summarisation, especially where audit teams must work through policy sets, committee papers, procedures, contracts, or issue logs before deciding what matters most. These uses can improve speed and coverage, but the value still depends on how well the outputs are reviewed and challenged. This is a professional judgement based on current patterns of adoption.
AI can also be useful in more structured support tasks. For example, it may help compare control descriptions across processes, assist with control mapping, or generate first-draft content for workpapers and reports. Used carefully, that can reduce administrative effort and free experienced auditors to focus more on scoping, interviewing, interpretation, and challenge. The Global Internal Audit Standards explicitly contemplate the use of technology, including data analysis tools and tools that assist with communication and collaboration, to improve effectiveness and efficiency.[1]
In data-heavy environments, AI techniques may also assist anomaly detection and pattern identification. That is not entirely new; internal audit has used analytics for years. The difference is that newer tools may help audit teams work across larger unstructured datasets, surface unusual relationships more quickly, or support triage of issues for further testing. Even so, the output remains a lead, not a finding. Under the Standards, internal auditors must analyse relevant, reliable, and sufficient information and base findings and conclusions on sufficient, reliable, and relevant evidence.[1]
Where caution is required
This is where the hype often runs ahead of reality. NIST’s Generative AI Profile identifies confabulation — the production of confidently stated but erroneous or false content, often colloquially called hallucinations — as a risk unique to or exacerbated by generative AI. For internal audit, that point is not academic. A plausible but inaccurate summary, an invented citation, or an overconfident explanation can weaken planning, distort testing, or contaminate reporting if it is not independently checked.[5]
Confidentiality and data handling are equally important. NIST treats privacy, unauthorized disclosure, leakage, and de-anonymization as core AI risk considerations, and the IIA’s Standards require audit leaders to identify and respond to technology risks, including information security and privacy of individual data. For audit functions, that means AI use cannot be separated from broader data classification, access control, vendor governance, retention, and approved-use decisions.[5][1]
Bias and explainability also matter more than many early adopters assume. NIST identifies trustworthy AI characteristics as including accountability and transparency, explainability and interpretability, privacy enhancement, and fairness with harmful bias managed. It also notes that lack of explainability can hinder appropriate use, while explainable systems are easier to debug, monitor, document, audit, and govern. For internal audit, that has a practical consequence: if a tool materially influences audit reasoning, the team should be able to explain how the output was used and why it was considered appropriate in context.[4]
There is also a human-factor risk. NIST’s AI RMF notes that human roles and responsibilities in overseeing AI systems need to be clearly defined and documented. In an audit context, one practical concern is over-reliance by less experienced staff, especially where polished outputs create a false sense of quality. That specific risk is partly interpretive, but it is consistent with NIST’s human-AI interaction guidance and with the professional obligation for skepticism under the Standards.[4][1]
Why human judgement, review, and governance remain central
Internal audit is ultimately an evidence-based profession, not a content-generation exercise. The Standards require internal auditors to exercise due professional care and professional skepticism, critically assess the reliability of information, seek additional evidence where information may be incomplete, inconsistent, false, or misleading, and determine findings using evidence gathered during the engagement. Those obligations do not disappear because an AI tool is helpful. If anything, they become more important.[1]
That is why the most sensible view of AI in internal audit is as an assistant, not an adjudicator. It may help organise information, accelerate drafting, or highlight patterns worth testing. It should not be treated as a substitute for auditor judgement, for engagement supervision, or for defensible evidence. The IIA’s AI Auditing Framework itself emphasises reasonable assurance, recognising AI’s complexity and evolving nature while maintaining transparency, traceability, and accountability.[2]
What a sensible adoption model looks like
A more disciplined adoption model usually starts with low-risk use cases. Examples might include summarising internal policies, suggesting interview themes, helping structure risk-and-control inventories, or producing draft wording for internal use subject to review. These uses are easier to govern because the human reviewer remains close to the output and the consequences of error are easier to contain. This is a practical recommendation based on current implementation experience.
From there, functions should define acceptable use, prohibited use, review expectations, and data-handling rules before adoption widens. NIST’s AI RMF is built around GOVERN, MAP, MEASURE, and MANAGE, while the IIA’s AI Auditing Framework highlights assessment of AI strategy, AI governance maturity, AI-related risks, controls over data and algorithms, support for AI policy development, and assurance over AI-enabled processes. Internal audit does not need to invent its governance model from scratch; it should align its own use of AI with the enterprise’s broader AI governance and risk-management approach.[4][2]
A particularly important discipline is to separate assistance from conclusion-making. AI may help prepare material for human analysis, but the final judgement on scope, evidence, findings, and reporting should remain clearly owned by qualified auditors and subject to supervisory review. That is consistent with the Standards’ emphasis on professional skepticism, sufficient reliable evidence, and quality in engagement performance. It is also consistent with NIST’s view that human oversight processes should be defined and documented.[1][4]
A practical conclusion
The reality is more useful than either extreme. AI is neither a passing distraction nor a substitute for professional auditing. Used well, it can improve efficiency, support broader coverage, and help audit teams deal with growing volumes of structured and unstructured information. Used badly, it can introduce weak evidence, opaque reasoning, privacy exposure, and misplaced confidence. For internal audit leaders, the practical path is to adopt AI incrementally, govern it explicitly, and keep human judgement firmly at the centre. That is how AI is most likely to enhance internal audit capability rather than dilute it.[4]
Sources
1. Global Internal Audit Standards — The Institute of Internal Auditors
2. AI Auditing Framework | Internal Audit Guidance — The Institute of Internal Auditors
3. Artificial Intelligence in Internal Auditing Resources — The Institute of Internal Auditors
4. Artificial Intelligence Risk Management Framework (AI RMF 1.0) — National Institute of Standards and Technology
5. Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile — National Institute of Standards and Technology
Prepared with AI assistance and review by HAWK3E Risk Advisory.