The use of generative and agentic AI in audit is increasing rapidly as accountancy firms seek to improve efficiencies in audit engagements. The development of regulatory guidance has, however, largely trailed behind the pace of innovation, with little formal guidance on this topic issued since last July when the FRC published its landmark guidance on AI in audit. That guidance was an important first step in providing a coherent approach to AI deployment and offered insight into the documentation requirements for AI tool development that the FRC expected to see.
Late last month, however, the FRC published further guidance focused on identifying and mitigating risks arising from the use of generative and agentic AI in audit engagements (the March Guidance). In what the FRC describes as the first from any audit regulator globally on generative and agentic AI, the March Guidance sets clearer expectations about where responsibility and regulatory scrutiny will sit as AI adoption and rollout increases.
Three Risks to Audit Quality
The March Guidance categorises AI-related risks to audit quality into three areas:
- Risk of deficient outputs – where the output of an AI tool itself might be flawed, incomplete or inappropriate, but is subsequently relied upon in the audit. This could arise from issues with the inputs or with the performance of the system itself. Categories of deficient outputs include fabricated material (hallucinations), missing information that should have been included (omissions), misrepresentations of information (distortions) and faulty reasoning.
- Risk of misuse of outputs – where an AI tool produces an appropriate output, but it is misinterpreted or misunderstood by the user, leading to inappropriate reliance during the audit. The guidance recognises that explainability will vary by tool and use case but stresses that auditors must understand outputs sufficiently to evaluate them critically.
- Risk of non-compliant methodology – where an audit firm’s methodology permits approaches that may not meet established auditing standards. This may be particularly relevant where methodologies introduce new forms of audit procedures or different approaches resulting from reliance on new AI tools.
Mitigating AI Risks
The March Guidance sets out possible mitigations across all three risk categories. While it ultimately provides two illustrative examples of how a hypothetical audit firm might consider the risks posed to audit quality by using an AI tool, the nature and extent of mitigating activities implemented in each category will remain a matter of professional judgement. The overall goal for firms should be to achieve an appropriate level of confidence in the quality of any AI output, ensuring that audit quality is maintained throughout the engagement.
The mitigations outlined in the March Guidance serve as a useful checklist for firms seeking to deploy generative and agentic AI in audit engagements:
- Safeguards in system design and development. Firms should consider designing more detailed AI workflows, including defining the tasks the system will perform, how it will approach them, and where review activities should be built into the process. Reviews may be undertaken by humans, other large language models (LLMs) or rules-based protocols. Firms should also consider whether complex tasks can be broken into simpler stages, whether one LLM can review another’s work, or whether outputs from multiple LLMs can be synthesised to improve reliability.
- Approval and certification processes. Firms should test AI tools to ensure they consistently produce outputs that are appropriate for their intended purpose. They should also implement ongoing monitoring to identify unexpected behaviours and assess any impact on audit quality.
- Training and governance. Employees must understand how and when AI tools should be used. Training should focus on writing effective prompts, reviewing AI-generated work, identifying deficiencies and maintaining audit quality. Firms should also establish clear policies governing the appropriate use of AI tools.
- Human review and oversight. Staff reviewing AI outputs must have the necessary competence to identify deficiencies. They should apply professional scepticism, understand the principal risks associated with the specific AI tool and its intended use, and remain alert to the risk of automation bias.
Conclusion
Compared with last year’s guidance, the March Guidance presents a more detailed and mature framework for firms seeking to deploy AI tools within audit engagements. While described as a codification of good practice, the FRC notes that it will also provide a conceptual foundation for future FRC work in this area. Firms would therefore be well advised to review whether their current practices align with the FRC’s guardrails.
Ultimately, however, the March Guidance makes clear that accountability remains unchanged. In line with ISQM (UK) 1 and ISA (UK) 220, firms and engagement partners remain fully responsible for audit quality, regardless of how advanced or autonomous any AI tool becomes.
About the authors
Ian Ko is a Senior Associate in the Regulatory team at Kingsley Napley LLP. He specialises in advising professional services firms and individuals, particularly in the accountancy and audit sector, who are subject to investigations and enforcement proceedings, as well as those seeking advice on regulatory compliance, including the use of AI.
Ananta Singh is a Trainee Solicitor in the Regulatory team at Kingsley Napley LLP.
