Imagine trimming 25% off your audit cycle time while also boosting the quality of insights by 40%. Studies on AI adoption show these gains are not only possible but increasingly common. In this article [1], we’ll explore how you—an internal auditor—can harness Generative AI to streamline your engagements, all while aligning with the Global Internal Audit Standards.
AI is reshaping countless knowledge-intensive professions, and internal auditing is no exception. It offers opportunities to streamline our processes, enhance our analyses, and drive innovation in the audit function. A key subset of AI is Generative AI (GenAI), which refers to systems that can create original content—from text to images, video, audio, and even software code—based on user input, or “prompts”. Tools like ChatGPT and Copilot illustrate just how useful GenAI can be across a variety of tasks and industries.
Consider a 2023 study by the Harvard Business School involving more than 750 consultants at Boston Consulting Group [2]. They found that AI support helped consultants finish tasks, on average, 25.1% faster than a control group that worked without AI, while delivering results of more than 40% higher quality. That is an impressive improvement—and it points to similarly game-changing possibilities for internal audit teams.
In this piece, I want to show you how GenAI can help streamline your audit process, enhance analysis, and foster innovation. We’ll explore the Global Internal Audit Standards (GIAS) as our backbone, discover practical ways GenAI can be leveraged throughout the audit cycle, and consider the skills we auditors need to keep pace with AI developments. Let’s dive in.
The Global Internal Audit Standards
At the heart of professional internal auditing lie the Global Internal Audit Standards (GIAS)—15 guiding Principles that help us deliver quality audits. It’s worth looking at how AI can fit seamlessly into these Standards.
Domain V focuses on performing internal audits and breaks down the internal audit process into the following Principles:
Principle 13 – Plan Engagements Effectively
Principle 14 – Conduct Engagement Work
Principle 15 – Communicate Engagement Results and Monitor Action Plans
It is worth mentioning that Standard 10.3 emphasises the use of technical resources, such as Audit Management Systems or Data Analytics tools. While AI is not explicitly mentioned in Standard 10.3, the case for using AI becomes clear once you see how much it can help streamline each step of your audit process. Let’s take a look at how GenAI might support each of these Principles in practice.
Plan Engagements Effectively (Principle 13)
A good audit starts with strong planning. We define our objectives, gather initial information, and conduct risk assessments. GenAI can speed up your research, offer new perspectives on potential risks, and help you quickly identify key areas to focus on.
Use Case: Risk Assessment with GenAI
Let’s say your organisation relies on a decentralised procurement process, with a sprinkling of shadow IT. By feeding GenAI with some basic facts—such as the company’s structure, existing controls, and any known process gaps—you can generate an initial list of potential risks. This list might include “Unauthorised Purchases”, “Inconsistent Procurement Policies”, or “Data Security Concerns”. Each risk can be accompanied by a short description to help you decide which warrant deeper scrutiny.
Example Prompt
Act as an experienced internal auditor evaluating our decentralised procurement process. Identify typical procurement risks we should examine. Include a brief description for each. Output should be a table.
Example output
Use Case: Developing Work Programmes
Once you’ve identified and prioritised your risks, you’ll need a comprehensive work programme that outlines the controls you expect to see and how you will test each one. You can prompt GenAI to draft a work programme table, linking each risk to its relevant controls and specifying practical test steps.
Example Prompt
Using the procurement risks identified earlier, propose a set of controls and detailed test steps to verify control effectiveness.
Example output
By starting with AI-generated insights, you’ll have a blueprint that can save you hours—though you should always use your professional judgment to refine and validate the suggestions before proceeding.
Conduct Engagement Work (Principle 14)
With your plan in hand, the next step is to gather evidence, perform analyses, and assess the level of risk and control effectiveness in the field. GenAI can be particularly useful here, whether you’re working with large datasets or trying to understand more qualitative factors such as corporate culture.
Use Case: Soft Control Assessment (Sentiment Analysis)
Ever wondered if your organisation’s culture supports or hinders control effectiveness? Analysing “soft controls” like leadership style, ethics, and employee engagement often requires sorting through narratives or survey data. GenAI tools with sentiment analysis features can quickly scan open-ended responses and highlight areas of concern—like potential resentment toward certain policies or perceived lack of leadership visibility.
Example Prompt
Act as an experienced culture and behaviour auditor. Review the following open survey responses and assess them using Muel Kaptein’s Behavioural drivers and controls in risk, compliance and assurance (Clarity, Role modelling, Commitment, Achievability, Transparency, Openness to discuss, Call someone to account and Enforcement). Identify any negative sentiments and key themes.
[insert your open survey responses]
Example output
Commitment (Do employees and leaders show dedication to ethics and values?)
Findings:
There are signs of disengagement and lack of buy-in to organizational values.
Concerns:
Leadership does not appear to fully embody the company’s mission and vision.
Employees may struggle to connect their daily work to broader organizational goals.
From there, you can dig deeper with interviews or focus groups, armed with a more precise understanding of which cultural elements might be affecting your audit objectives.
Communicate Engagement Results and Monitor Action Plans (Principle 15)
Once the fieldwork is done, it’s time to share your insights. GenAI can help you write more concise, consistent audit findings or even evaluate management action plans, saving you time and ensuring a polished, uniform report.
Use Case: Automate Audit Findings
By instructing GenAI to summarise your observations in a structured framework (for example: Criteria, Condition, Cause, Risk and Recommendation), you can quickly draft findings that highlight key details and recommended next steps. While the final edit might still require a human touch, AI can do much of the heavy lifting.
Example Prompt
Draft an audit finding for a shadow IT issue discovered in the procurement process. Because of decentralised purchasing, the governance is unclear and the procurement policy is unknown, resulting in most departments initiating their own procurement or purchasing a product without following a prescribed procurement process. Use the following structure to write the audit finding: Criteria, Condition, Cause, Risk and Recommendation.
Example output
Audit Finding: Unclear IT Procurement Governance Leading to Shadow IT
Criteria:
IT procurement should follow a formal, centralized process to ensure security, compliance, and cost efficiency, as outlined in the organization’s procurement policy.
Condition:
Due to unclear governance, departments independently procure IT solutions without IT oversight, leading to unapproved software and cloud services being used.
Cause:
The procurement policy is not well communicated or enforced, resulting in ad-hoc purchasing decisions.
Risk:
Unauthorized IT solutions increase cybersecurity risks, regulatory non-compliance, and inefficiencies in IT management.
Recommendation:
Clarify and enforce a centralized IT procurement process, ensuring all IT purchases require IT department approval.
Use Case: Evaluating Action Plans (SMART Criteria)
Management may respond to your findings with an action plan. But how many times have we all seen vague, open-ended commitments that never get fully realised? GenAI can help assess whether these plans are Specific, Measurable, Acceptable, Relevant, and Time-Bound (SMART), and suggest improvements to make them more robust.
Example Prompt
Evaluate the following management action plan for mitigating a shadow IT risk. Provide feedback on whether it meets SMART criteria and suggest changes if needed.
[include the management action plan]
Example output
Outsourcing the Procurement Process to an External Agency.
Deadline: Three months
Specific: Yes, the plan is specific about the action to outsource the procurement process.
Measurable: No, there are no clear success criteria or evaluation measures mentioned.
Acceptable: Possibly, but acceptance depends on costs and the impact on existing processes.
Relevant: Yes, it can help bring control and consistency to the procurement process.
Time-bound: Yes, there is a clear deadline of three months.
Feedback: It is important to establish success criteria and evaluation measures to assess the effectiveness of the external agency.
Suggestion: Include a follow-up evaluation after three months to determine whether the objectives have been achieved.
By automating parts of your evaluation, you can keep the conversation focused on substance, not admin.
A Vision for the Future of Internal Audit
Incorporating AI into internal auditing signals a shift in how we work. By adopting GenAI, we enable faster research, deeper data insights, and more time for critical thinking—especially when it comes to complex or high-level issues.
Let’s be clear, though: this doesn’t mean our jobs will be taken over by robots. AI tools still depend on human intelligence for context and judgment. We also have to be mindful of AI’s current limitations, like “hallucinating” information it doesn’t have or misunderstanding prompts. Data quality, regular ethical checks, and a watchful eye for biases will remain essential.
The bottom line? AI can complement our strengths as internal auditors, letting us focus on strategic analysis rather than repetitive tasks. This frees up time for deeper dives into an organisation’s risks, culture, and governance structures, ultimately leading to higher-impact audit recommendations.
Skills for Tomorrow
If AI is the future, then it’s time for auditors to skill up. Explore what AI tools can do, experiment with them on small projects, and keep learning as they continue to develop. Internal audit teams should also consider formal training programmes so that everyone is aware of best practices—and potential pitfalls. Adopting a culture of curiosity and innovation helps ensure we’re riding the wave of technology rather than chasing it.
Final Thoughts
AI, and especially GenAI, offers a new frontier for internal auditors ready to take on more strategic, insightful, and efficient ways of working. By blending human expertise with machine-generated insights, we can deliver audits that are faster, sharper, and more relevant than ever in an increasingly digital business landscape.
So, where do you begin? Start small:
Experiment with available AI tools within your company.
Learn about prompt engineering, data ethics, and model limitations.
Collaborate with your IT and data teams for stronger alignment.
Keep adapting—AI evolves quickly, and so must we.
Thank you for reading, and I hope you feel encouraged to explore how AI can elevate your audit function. Let’s embrace technology while honouring the unique insight, judgment, and leadership that internal auditors bring to every engagement.
This article is an adaptation of Slimmer en Sneller Auditen met AI (in Dutch), originally published in Audit Magazine.