A vendor pitched your firm last month. The demo showed a tool that “reads” contracts, flags going concern indicators, generates variance explanations, and writes draft audit opinions. The partner was impressed. You were sceptical but couldn’t articulate exactly why. The gap between what AI audit products claim and what they can defensibly produce under ISA requirements is wide, and it’s getting wider as vendors add more features without explaining which outputs constitute audit evidence and which do not.
AI in audit currently falls into two categories: tools that automate data processing tasks such as journal entry testing and analytical review (usable now, defensible under ISA 500 and ISA 520 ) and tools that claim to replicate auditor judgment (overstated, not yet defensible under ISA 200.7 and ISA 500.6 ).
Key Takeaways
- Which AI audit applications produce defensible evidence under ISA 500 , and which produce outputs that require additional corroboration
- How to evaluate vendor claims against what ISA 520 , ISA 240 , and ISA 500 actually require
- What a practical adoption framework looks like for a mid-tier firm considering AI tools today
- Where AI genuinely saves time on an engagement versus where it introduces new documentation burdens
- What AI audit tools actually do today
- Where vendor claims outpace what ISA standards accept
- The evidence question: can AI output be audit evidence?
- Worked example: Hendriks Packaging B.V.
- Practical checklist for evaluating AI audit tools
- Common mistakes
- Related content
What AI audit tools actually do today
AI audit tools on the market in 2025 fall into four functional categories. Two are mature and produce reliable outputs. Two are early-stage and carry significant limitations that vendors rarely disclose upfront.
The first mature category is anomaly detection in journal entry testing. Tools like MindBridge, HighRadius, Caseware’s IDEA Analytics, and Inflo ingest a full journal entry population and flag statistical outliers using pattern recognition. This is a direct application of ISA 240.32 (a), which requires the auditor to test journal entries for characteristics indicating possible manipulation. These tools do what an experienced auditor does with data analytics, except faster and across the full population instead of a sample. The output (a scored list of unusual entries with explanations for the flag) is usable as part of your ISA 240 journal entry testing, provided you document the tool’s methodology and the basis for the scoring model.
The second mature category is analytical review automation. Tools that pull trial balance data across periods and flag fluctuations beyond a set threshold are automating ISA 520 ’s requirement for analytical procedures. The ciferi ISA 520 analytical review calculator does this without AI, using rule-based calculations. AI-powered versions add natural language variance explanations. Those explanations can be a starting point, but they are not your analytical conclusion. ISA 520.7 requires the auditor to evaluate the results, not the tool.
The two early-stage categories carry more risk. Contract reading tools (which extract key terms from lease agreements and loan covenants) produce useful summaries but miss nuance. An AI tool will extract a covenant ratio from a credit agreement. It won’t identify that the covenant’s definition of EBITDA in Schedule 4 excludes restructuring costs the client classified as operating. The covenant calculation the AI performed is wrong. ISA 500.9 requires you to evaluate the relevance and reliability of information used as audit evidence. An unverified AI extraction fails that test.
The fourth category is draft opinion and report generation. Vendors now market tools that produce first drafts of going concern paragraphs, key audit matter descriptions, management letter points, and engagement summary memos. These outputs are text generation, not audit judgment. ISA 700.10 requires the auditor to form an opinion. ISA 570.17 requires the auditor to evaluate management’s assessment. No tool forms an opinion. No tool evaluates an assessment. A generated paragraph might save you fifteen minutes of writing time. It does not save you from reading the FS, evaluating the evidence, applying professional judgment, and reaching your own conclusion.
In our experience, the firms that get the most out of AI tools are the ones that treat them the way they treat a competent but unsupervised junior: useful for ticking and bashing through large populations, dangerous the moment you stop checking the output. Nobody has been fired for running MindBridge over a journal population. People have been fired for filing the output as their WP without reading it.
Where vendor claims outpace what ISA standards accept
The pattern in vendor marketing is consistent. The tool performs a data processing function (flagging anomalies, computing ratios, extracting text, comparing periods). The marketing material describes this as “AI-powered audit assurance” or “automated risk assessment.” The gap between the function and the label matters because it affects how firms document their reliance on the tool.
ISA 500 .A31 notes that when using computer-assisted audit techniques, the auditor considers whether the technique is appropriate for the purpose and whether the results are reliable. If a vendor describes their anomaly detection tool as performing “risk assessment,” a junior team member might document it as their ISA 315 risk assessment procedure. It is not. It is a data analytics procedure that informs the risk assessment. The risk assessment itself requires the auditor’s judgment about inherent risk and control risk under ISA 315.31 , which no anomaly detection algorithm performs.
The IAASB recognised this tension. ISA 500 ’s application material ( ISA 500 .A31 through A33) addresses automated tools but never equates the tool’s output with the auditor’s conclusion. The tool produces data. The auditor evaluates it, applies professional judgment per ISA 200.7 , and reaches a conclusion.
Watch for these specific vendor claims and test them against the ISA requirement they reference.
| Vendor claim | What the tool actually does | ISA requirement it relates to | What you still need to do |
|---|---|---|---|
| “Automated risk assessment” | Flags statistical anomalies in financial data | ISA 315.31 (risk assessment) | Apply judgment to determine inherent and control risk. The flags are inputs, not conclusions. |
| “AI-powered going concern analysis” | Computes financial ratios and compares to thresholds | ISA 570.10 (identify events and conditions) | Evaluate management’s plans, assess feasibility, form your own conclusion under ISA 570.17. |
| “Intelligent contract review” | Extracts text strings from PDF documents | ISA 500.9 (relevance and reliability) | Verify extracted terms against the actual contract. The AI’s extraction is not evidence that the term is correct. |
| “Automated sampling” | Selects items from a population using a scoring model | ISA 530.7 (sample design) | Evaluate whether the sample design achieves the audit objective. Document the basis for the selection method. |
Can AI output be audit evidence?
Yes, but conditionally. ISA 500 .A6 through A12 establish that evidence can come from various sources, including information produced by the client’s information system, external sources, and the auditor’s own procedures. An AI tool that processes client data produces information derived from the client’s information system, filtered through the tool’s algorithm.
For that output to qualify as sufficient appropriate evidence, ISA 500.9 requires it to be relevant (connected to the assertion being tested) and reliable (from a source that can be trusted, given its nature and the circumstances). The tool’s output meets the relevance test if you’ve configured it to address a specific assertion. The reliability test is harder. You need to understand what the algorithm does, whether it has been validated, and whether its output is consistent with other evidence.
In practice, this means AI tool outputs work best as corroborative evidence alongside traditional procedures, not as replacements. Run the anomaly detection alongside your own journal entry testing. Pair the analytical review automation with your own ISA 520 expectation model. For contract extraction, read the key contracts yourself and use the AI output as a cross-check. For draft report generation, treat the output as a starting template that you rewrite after forming your own conclusion. The AI accelerates the work. Your procedures provide the evidential basis.
ISA 500 .A31 specifically addresses this point for computer-assisted audit techniques. The auditor needs to evaluate whether the technique was appropriate for the purpose and whether the results are reliable. If you run a vendor’s AI tool over the full journal population and it flags 47 entries, you document what the tool does (its methodology, the basis for its scoring), why you selected it, and how you evaluated the 47 flagged entries. The tool’s output plus your evaluation of that output together constitute audit evidence under ISA 500 .
Worked example: Hendriks Packaging B.V.
Client scenario
Hendriks Packaging B.V. is a Dutch packaging manufacturer with €52M revenue. The engagement team is considering whether to use an AI journal entry testing tool (MindBridge) for the 31 December 2024 audit. Performance materiality is set at €312,000.
Define the scope of AI tool use
The team decides to use MindBridge for ISA 240.32 (a) journal entry testing only. The tool will not be used for risk assessment, going concern analysis, analytical procedures, or any other procedure. The team documents this scope decision in the audit strategy memo.
Documentation note: “AI tool use. MindBridge deployed for ISA 240.32 (a) journal entry analysis over full population (42,891 entries, period 1 Jan–31 Dec 2024). Tool used for anomaly detection only. Risk assessment, going concern, and all other procedures performed manually. Rationale: MindBridge’s scoring methodology aligns with ISA 240 ’s requirement to test journal entries for unusual characteristics.”
Evaluate tool reliability under ISA 500.A31
The team reviews MindBridge’s methodology documentation. The tool assigns a risk score (1–100) to each journal entry based on statistical deviation from expected patterns across 14 scoring dimensions (amount, account combination, posting time, user, frequency, reversal status, and eight additional factors). The team notes that MindBridge publishes its methodology and has been subject to independent validation.
Documentation note: “Tool reliability assessment: MindBridge scoring methodology reviewed. 14 scoring dimensions documented. Independent validation by [source: verify with MindBridge]. Methodology consistent with ISA 240 .A46 indicators of possible fraud. Conclusion: tool output is appropriate for use as an input to ISA 240.32 (a) testing.”
Evaluate flagged entries
MindBridge flags 38 entries with a risk score above 75 (the team’s threshold). The team investigates each entry: 31 have valid business explanations (documented with supporting evidence), four relate to year-end adjusting entries requiring additional scrutiny, and two are immaterial posting errors (combined €1,840, below the clearly trivial threshold of €15,600). One entry (€287,000, posted by the CFO at 11:47 PM on 28 December) requires a discussion with management and corroboration with supporting documentation.
Documentation note: “MindBridge results: 38 entries flagged (score >75). 31 entries with valid business purpose confirmed (see individual WP references F.1.3.a through F.1.3.ae). 4 year-end adjustments, additional procedures performed (WP F.1.4). 2 posting errors, immaterial (combined €1,840). 1 unusual entry requiring management inquiry (WP F.1.5). Refer summary at F.1.2.”
The reviewer sees clear documentation of why the tool was selected, what it does, what the team did with its output, and how each flagged item was resolved.
Practical checklist for evaluating AI audit tools
- Ask the vendor what the tool’s output is classified as under ISA 500 . If they cannot answer this question or reference the wrong standard, that tells you their product was built without auditor input.
- Verify whether the tool’s methodology is documented and available for your file. ISA 500 .A31 requires you to evaluate whether the technique is appropriate. You cannot evaluate what you cannot see.
- Determine which assertions the tool’s output addresses. An anomaly detection tool addresses ISA 240 fraud risk indicators. It does not address ISA 315 risk assessment, even if the vendor calls it a “risk assessment tool.”
- Document the tool’s scope in your audit strategy memo before fieldwork begins. Specify which procedures use the tool and which do not.
- Treat all AI outputs as inputs to your procedures, not as conclusions. Your working paper documents the tool output and your evaluation of that output. Both are required.
Common mistakes
- Failing to document the tool’s methodology in the audit file. If a reviewer cannot understand what the tool did, the output is undocumented audit evidence under ISA 230.8 , which requires the auditor to prepare documentation sufficient to enable an experienced auditor to understand the procedures performed and the evidence obtained.
Related content
- ISA 500 : Audit evidence. Covers what makes evidence sufficient and appropriate, including the reliability hierarchy that applies to AI-generated outputs.
- ISA 520 analytical review calculator. Performs analytical review calculations without AI, giving you a baseline to compare against vendor tools.
- How to document journal entry testing under ISA 240 . The journal entry testing procedures that AI tools are designed to support, with documentation examples you can adapt.
Related tools
Related reading
Frequently asked questions
Can AI output be used as audit evidence under ISA 500 ?
Yes, but conditionally. ISA 500.9 requires evidence to be relevant and reliable. AI tool outputs work best as corroborative evidence alongside traditional procedures, not as replacements. You need to understand what the algorithm does, whether it has been validated, and whether its output is consistent with other evidence.
What AI audit applications are mature enough to use today?
Two categories are mature: anomaly detection in journal entry testing (tools like MindBridge that flag statistical outliers under ISA 240.32 (a)) and analytical review automation (tools that flag trial balance fluctuations under ISA 520 ). Contract reading tools and draft opinion generators are early-stage and carry significant limitations.
Does AI replace the auditor’s professional judgment?
No. ISA 200.7 requires professional scepticism and ISA 500.6 requires sufficient appropriate evidence. AI tools produce data processing outputs, not audit conclusions. The PCAOB’s 2023 staff guidance emphasised that the auditor’s professional judgment cannot be delegated to a tool, regardless of how sophisticated it is.
How should I document AI tool use in the audit file?
Document the tool’s scope in your audit strategy memo before fieldwork. Specify which procedures use the tool and which do not. For each tool used, document its methodology, why you selected it, what it produced, and how you evaluated the output. ISA 230.8 requires documentation sufficient to enable an experienced auditor to understand the procedures performed.
What is the difference between AI-powered risk assessment and actual ISA 315 risk assessment?
When a vendor describes their anomaly detection tool as performing “risk assessment,” it is performing a data analytics procedure that informs the risk assessment. The risk assessment itself requires the auditor’s judgment about inherent and control risk under ISA 315.31 , which no anomaly detection algorithm performs.