How Auditors Are Currently Using Generative AI
Jul. 23, 2024
The integration of GenAI in audits and financial reporting is in its early stages but rapidly evolving, the PCAOB said in a new report.
The largest audit firms in the U.S. are using generative artificial intelligence mostly on administrative and research activities right now, but the likelihood for GenAI to be used down the road in certain aspects of planning and performing the audit is high, according to a report released by the Public Company Accounting Oversight Board (PCAOB) on July 22.
“The integration of GenAI in audits and financial reporting is in its early stages but rapidly evolving,” the PCAOB said in the report. “Audit firms and preparers alike emphasized that they are continuing to explore various ways of integrating GenAI-enabled tools in auditing and financial reporting.”
The U.S. audit regulator recently spoke to auditors who work at the U.S. arms of the largest global networks firms (i.e., the Big Four, RSM US, BDO USA, Grant Thornton), as well as several auditors from non-affiliated firms in the U.S. that audit more than 100 issuers, about where GenAI is now and where it’s headed in the auditing process.
Based on those discussions, here’s what the PCAOB said in the report:
Current use of GenAI
Some audit firms stated that their staff can use GenAI when preparing certain administrative documents or initial drafts of memos and presentations related to the audit. They also indicated that they had developed and deployed GenAI-enabled tools to assist staff in researching internal accounting and auditing guidance. As expected, the global network firms are further along in developing and deploying GenAI-enabled tools than non-affiliated firms are.
Investment in GenAI
Most firms indicated that they are continuing to invest in GenAI-enabled tools—either by developing them internally or working with third parties. These firms identified several potential areas where such tools may assist engagement teams in the future with planning and performing audits, including:
Assisting with summarizing accounting policy and legal documents.
Evaluating the completeness of audit documentation against relevant documentation requirements.
Performing certain risk assessment procedures.
Scoping the audit.
Evaluating the completeness of financial statement disclosures.
Comparing amounts in the financial statements or notes to the financial statements with audited amounts.
Limitations on the use of GenAI
Data privacy and data security continue to be areas of focus for audit firms. Some firms described safeguards in place that address what information can be uploaded to their GenAI-enabled tools in order to prevent confidential information, such as data of companies under audit, from becoming public. Other firms noted that they have policies in place that limit the extent to which staff can use GenAI tools in an audit. They don’t allow GenAI to be used when performing audit or attest procedures due to data privacy concerns and other risks, such as reliability concerns related to GenAI output.
Supervision and review of GenAI
The firms that are investing in GenAI-enabled tools indicated that they expect the technology to augment, but not replace, humans in auditing or in financial reporting. In their view, human involvement remains essential for auditors and preparers and is needed to review the output from GenAI.
“Some firms noted that, despite the ongoing integration of GenAI, their policies for the supervision and review of audits have not changed. These firms indicated that an engagement team member who uses a GenAI-enabled tool is still responsible for the results and documentation of the work,” the PCAOB said. “Likewise, these firms indicated that supervisors who review work performed with the assistance of GenAI are expected to apply the same level of diligence as when reviewing work where GenAI was not involved.”
Risks related to GenAI
Some audit firms stressed the importance of the auditability of both the underlying source data (whether from public sources or confidential company information) and GenAI-created content when GenAI-enabled tools are used.
“For example, some firms are designing their GenAI tools to document the relevant underlying source data used. Further, some firms noted that GenAI output may not always be reliable because GenAI may sometimes generate new content that is false or misleading (so-called “hallucinations”) or may be skewed or biased,” the PCAOB said. “To mitigate these risks, some firms are developing more specific instructions or queries for users that are intended to improve the consistency and accuracy of responses provided by GenAI. Some firms also pointed to risks related to the data used in GenAI tools (e.g., using source data in large language models that is incomplete or compromised).”
In addition, some firms indicated that the use of GenAI by preparers could amplify certain existing IT risks, such as those related to the segregation of duties, or potentially create new risks that previously didn’t exist. Firms indicated that identifying and assessing new and emerging risks remain top of mind as GenAI-enabled tools are developed and integrated in audits.
Firm policies related to GenAI
Firms emphasized the importance of policies and procedures, internal controls, and training related to the use of GenAI, while others said the development of policies, procedures, and controls for GenAI tools was similar to the development for other technology solutions.
“For example, these firms develop resources and training for staff on the appropriate use of technology tools, including GenAI,” the PCAOB said.
[CPA Practice Advisor]