Artificial Intelligence In Audit

by John McCarthy Consulting Ltd. | Feb 2, 2026 | Blog, News

The Financial Reporting Council issued a Thematic Review Report in June 2025 which provides useful guidance on the use of artificial intelligence in audit procedures, including illustrative examples and documentation expectations for firms utilizing AI tools in their audits.

Use of AI in Audit Procedures

The Financial Reporting Council have come up with a new acronym call ‘ATTs’ or Automated Tools and Techniques to describe the use of AI tools in audit. Specifically, these would be ‘Technology used to perform risk assessment procedures and/or obtain audit evidence’. Some of this is not new as firms have already been using ATTs for data analytics used to audit journal entries and revenue.

The ultimate aim of the Report is to support the use of ATTs by audit firms to improve audit quality.

The Report refers to the need to ensure that ATTs are subject to a certification process that complies with the requirements of the ISQM (Ireland) 1 so that quality objectives are established to ensure such tools and techniques are appropriately obtained or developed, implemented, maintained and used to enable the performance of quality audit engagements.

The Financial Reporting Council reviewed the certification process in the Top 6 firms in the UK namely BDO, Deloitte, EY, Forvis Mazars, KPMG and PwC and the report is based on these findings. One unidentified firm had a KPI which reported against usage targets for certain key ATTs, to encourage their use by audit teams.

Responsible AI deployment according to the Report helps to improve trust in financial reporting by for example helping identify potentially fraudulent journals.

Use of AI in Audit Procedures

The report is accompanied by an illustrative example and documentation guidance which covers the testing of journals for suspected fraudulent entries in a listed retail business.

Fraud procedures often consist of filtering the population of journals by applying rules-based criteria which may indicate higher risk, for example, journals posted at certain times or with certain values. This tool allows the identification of more subtle patterns that may be indicators of risk, enhancing the quality of the procedure.

More information is available in Technical Alert 04 2025 Quality Management Top tips available on the Institute’s website. A template ISQM Toolkit (to assist with the ISQM implementation) is available to purchase for €250 +VAT.

2. RI CPD – Each Responsible Individual’s (RI) CPD is reviewed in line with the IAASA CPD Guidelines on the regulation, monitoring and enforcement of continuing education for statutory auditors. More details are available at final-cpd-guidelines-020221.pdf (iaasa.ie).

RIs are required to:

• Plan CPD annually by reflecting on the knowledge, skills and values required to fulfil their responsibilities;
• Identify learning and development needs;
• Complete sufficient, relevant, and appropriate CPD annually to meet the learning and development needs and to demonstrate achievement of learning outcomes in the Institute IES 8, Table A template document;
• Evaluate the effectiveness of the CPD activities regularly and revise the approach as necessary;
• Maintain appropriate written CPD records, including supporting documentation to evidence CPD planning, completion, and evaluation; and
• Submit an annual declaration confirming compliance with CPD

More information is available at the CPD hub on the Institute’s website CPD for Responsible Individuals – ..rteredaccountants.ie (charteredaccountants.ie)

3. Evidence of challenge and scepticism – Audit files must demonstrate that the

auditor has evaluated whether the accounting estimates and related disclosures are reasonable (see ISA540). Auditors should watch out for indicators of possible management bias.

4. Central Bank Regulated Entities– Under the Companies Act 2014 (Schedule 5)

Republic of Ireland entities cannot avail of the small company exemption and cannot file abridged financial statements with the CRO.

Auditors are reminded that financial statements for such entities cannot be prepared under FRS 102 Section 1A, and full financial statements must be filed with CRO. Neither can such entities avail of the Provisions Available for Audits of Small Entities (PAASE).

5. Risk assessment (ISA 315) – the risk assessment on file must be tailored to the specific client’s circumstances and generic risks that are prepopulated with not be regarded as convincing.

6. Fraud considerations (ISA 240) – fraud considerations should be evidenced on the file, including the likelihood of management override of controls and risks connected to related parties. In our own file reviews John McCarthy Consulting Ltd. Has seen comments like ‘there has never been a fraud’, according to the Directors. Such comments are not regarded as displaying sufficient scepticism by the auditors.

7. Audit of construction contracts, including long term contracts and work in Audit files need to show that the audit firm has a good understanding of the entity being audited, the risk assessment is appropriate and responses to assessed risks are adequate. The requirements of ISA 540 on accounting estimates and judgements will be relevant. The audit file will also need to contain adequate evidence of challenge of management assumptions.

8.      Assembly of the final audit file – ISA 230 requires the auditor to complete the administrative process of assembling the final audit file on a timely basis, typically within 60 days after the date the auditor’s report is signed. New audit procedures or forming new conclusions cannot be documented once the audit report is signed.

9.      Statutory Duty Confirmation (SDC) – under Section 27B of the Central Bank Act 1997, auditors are obliged to make a written report (‘SDC’) to the Central Bank of Ireland (CBI), stating whether or not circumstances have arisen that require the auditor to report a matter to the CBI.

The ‘SDC’ must be submitted to the CBI within one month of the date of the auditor’s report. The ‘SDC’ should cover the period commencing on the date of issue of the previous declaration to the date of signing the current declaration. The format for these reports is set out in Appendix 2 of Technical Release 02 2025 – Reporting under The Central Bank and Financial Services Authority of Ireland Act 2004 which is available on the Institute’s website.

10. Group Audits (ISA 600) – Where group accounts are not prepared, firms are expected to clearly document the basis for the non-consolidation.

Group Audit documentation should clearly demonstrate how the component auditor’s work was directed, supervised, and reviewed. Firms are reminded that component performance materiality should be set at an amount lower than group performance materiality.

See our ISQM TOOLKIT at this link. We can tailor ISQM training and brainstorming sessions to suit your firm’s unique requirements.  Please contact John McCarthy FCA by email at john@jmcc.ie.

For AML training and compliance please send a mail to john@jmcc.ie.

For audit cold file reviews and tailored training sessions explaining more about various topics like AML, Audit, FRS 102, please send a mail to john@jmcc.ie.

For more on engagement and representation letter templates and a variety of CPD webinars on money laundering and other accounting/audit related topics, please go to our website for:

• Our latest CPD Webinar on The Main Changes in Irish GAAP (recorded July 2024)
• Anti-Money Laundering Policies Controls and Procedures Manual (March 2022) — View the table of contents
• AML Webinar (December 2023) available here, which accompanies the AML Manual. It explains the latest legal AML reporting position for accountancy firms and includes a quiz. Upon completion you receive a CPD certificate for attendance in your inbox.
• Letters of engagement and similar templates—Please visit our website here where immediate downloads are available in Word format. A bulk discount is available for orders of five or more items bought together.

ISQM TOOLKIT, or if you prefer to chat through the different audit risks and potential appropriate responses presented by this new standard. We typically tailor ISQM training and brainstorming sessions to suit your firm’s unique requirements.  Please contact John McCarthy FCA by email at john@jmcc.ie.