Can Artificial Intelligence Be Used In Audits?
Advantages and threats of using AI as an auditor.
Artificial intelligence has undoubtedly been one of the most prominent topics in recent years. With the AI revolution, the use of artificial intelligence has become increasingly widespread across various domains.
However, while leveraging AI, it is essential to do so cautiously, taking into account the inherent risks. In this context, the use of artificial intelligence in audit activities is one of the areas that requires particular sensitivity. Therefore, a structured evaluation of the considerations, advantages, disadvantages, risks, and potential use cases of AI in audits is clearly valuable.
1. Advantages of Using Artificial Intelligence in Audits
- Increasing the speed of audit processes
- Enhancing the relative quality of audits
- Improving consistency across audit activities
- Accelerating report preparation
- Minimizing human errors in audits
- Reducing manual workload
- Providing support for data analysis
- Supporting document review activities
2. Disadvantages and Risks of Using Artificial Intelligence
- Generation of false-positive results
- Incorrect assumptions made by AI
- Emergence of biased outcomes due to flawed AI models
- Dependence on Training Data Quality: If AI is trained on incomplete, biased, or outdated data, or on datasets that do not represent real enterprise environments, its assessments will also be inaccurate.
- Data Quality Issues: Poor data quality may result in vulnerabilities being overlooked.
- Risks of Black-Box AI Models: The decision-making logic of the AI model must be transparent. Otherwise, assessments and decisions may become questionable.
- AI’s Own Security: It must be clearly defined how the AI system is secured, which standards it complies with, and how information security is ensured across all domains, particularly data processing, logging, and access control. In addition, there should be reasonable assurance that this security is maintained on a sustainable basis.
- Model Manipulation (Adversarial Attacks) and Tampering Risks: Artificial intelligence may:
  - Be forced to produce incorrect decisions through manipulated inputs,
  - Be deceived by tampered evidence,
  - Be caused to classify attacks as normal activity,
  - Fail to properly analyze sector-specific requirements,
  - Generate recommendations that are misaligned with the audited organization’s budget, staffing, organizational structure, culture, and operating model.
- Data Privacy and Risk of Sensitive Information Leakage into Models: In audits, AI may access security controls, logs, confidential information, trade secrets, corporate files, network topology data, and vulnerability information. Such data may be:
  - Leaked,
  - Rendered usable for malicious purposes,
  - Processed unintentionally,
  - Stored,
  - Included in model training datasets.
These risks are significantly higher for AI systems operating in the cloud or with internet connectivity.
3. Activities That Can Be Performed in Audits Using AI
- Execution of some technical controls
- Preparation of draft reports
- Pre-assessment of complex analyses
- Detection of anomalies in large data sets
- Maximization of sample sizes
- Formal and structural review of reports
4. Activities That Cannot Be Performed in Audits Using AI
- Validation of final outputs
- Making final compliance or non-compliance decisions
- Replacing human expertise and professional judgement
- Interpreting complex requirements or evaluating nuanced and context-specific issues
- Performing physical audits
- Authorizing the publication of assessment findings or final reports
Conclusion
Artificial intelligence is not an auditor; it can only serve as a tool that supports the auditor. In this context, it may be used as an analytical instrument, but the decision-making authority must always remain with the auditor. Moreover, the auditor retains full responsibility for all work performed. Allowing AI to fully assume the role of an auditor would introduce significant risks and limitations.