I spent 25 years as an auditor. PwC. KPMG. Industry roles across FTSE and Fortune companies. SOX programmes, internal audit functions, ERM frameworks, compliance teams.

And in all that time, I watched something that drove me quietly mad.

Brilliant people — CPA-qualified, Big 4-trained, genuinely sharp — spending the majority of their working week on copy-paste. Formatting workpapers. Chasing evidence. Writing the same sentences in the same templates they'd used for ten years. Updating spreadsheets that could have been automated in an afternoon.

The tools weren't helping. If anything, they were making it worse.


The $4 Billion Problem Nobody Is Talking About

The GRC software market is worth $4 billion. The incumbents have raised hundreds of millions and been around for decades.

And yet, walk into any internal audit team today and you'll find the same things you found in 2010:

These platforms cost $80,000 to $300,000 per year. They take 6 to 12 months to implement. And they were designed — every single one of them — before large language models existed.

They are not AI-native. They are workflow software with an AI badge glued on the front.


What AI Can Actually Do for Audit Teams

I want to be specific here, because there is a lot of vague AI marketing in this space. Here is what AI — real AI, trained on audit frameworks and regulatory standards — can actually do today:

1. 100% Population Testing in Minutes

Traditional audit sampling tests 25, 50, maybe 100 transactions from a population of 10,000. You flag exceptions in that sample and extrapolate.

AI changes this completely. Upload your entire journal entry population — 50,000 transactions, 500,000, it doesn't matter — and AI can flag every anomaly, every duplicate, every round-number entry, every weekend posting, every unusual account combination. In minutes. Not days.
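The full-population tests named above (duplicates, round-number entries, weekend postings, unusual account combinations) can be sketched as plain deterministic rules. This is an added example, not AssurAI's code and not an AI model; the CSV column names, the sample rows, the 1,000 round-amount unit and the "seen at most once" rarity threshold are all assumptions made for illustration.

```python
import csv, io
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample journal-entry export (not real data; columns are assumed).
SAMPLE_CSV = """je_id,posting_date,debit_account,credit_account,amount,user
JE001,2024-03-04,6100,2000,1284.37,asmith
JE002,2024-03-04,6100,2000,1284.37,asmith
JE003,2024-03-09,6400,1000,912.10,bjones
JE004,2024-03-11,6100,2000,50000.00,asmith
JE005,2024-03-12,6100,2000,310.55,cdoe
JE006,2024-03-13,1000,4000,775.20,cdoe
JE007,2024-03-14,6100,2000,98.40,bjones
"""

def flag_exceptions(csv_text, round_unit=Decimal("1000"), rare_pair_max=1):
    """Run every rule over every row and return {je_id: [flags]}."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flags = defaultdict(set)
    first_seen = {}  # duplicate key -> je_id of the first entry carrying it
    # How often each debit/credit pairing occurs across the whole population.
    pair_counts = Counter((r["debit_account"], r["credit_account"]) for r in rows)
    for r in rows:
        amount = Decimal(r["amount"])  # Decimal avoids float rounding on money
        pair = (r["debit_account"], r["credit_account"])
        key = (r["posting_date"], *pair, amount)
        if key in first_seen:  # same date, accounts and amount posted twice
            flags[first_seen[key]].add("duplicate")
            flags[r["je_id"]].add("duplicate")
        else:
            first_seen[key] = r["je_id"]
        if amount >= round_unit and amount % round_unit == 0:
            flags[r["je_id"]].add("round_amount")
        if date.fromisoformat(r["posting_date"]).weekday() >= 5:  # Sat=5, Sun=6
            flags[r["je_id"]].add("weekend_posting")
        if pair_counts[pair] <= rare_pair_max:
            flags[r["je_id"]].add("rare_account_pair")
    return {je: sorted(f) for je, f in sorted(flags.items())}

if __name__ == "__main__":
    for je_id, reasons in flag_exceptions(SAMPLE_CSV).items():
        print(je_id, ", ".join(reasons))
```

Each flag is a lead for follow-up rather than a finding, and the thresholds need tuning per ledger before the exception list is usable.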

💡 In AssurAI

The Data Analytics Hub runs 100% population testing on any dataset you upload. Upload AP listings, payroll exports, journal entries — AI flags every exception with explanations. 12 pre-built use cases, plus custom analytics in plain English.

2. Evidence Intelligence — From Days to Seconds

Picture the typical evidence request process. You send a PBC list. You wait two weeks. You get a ZIP file with 47 documents named "scan001.pdf" through "scan047.pdf". You spend three days opening each one, figuring out what it is, mapping it to the right control, running the test, writing the conclusion.

AI can classify a document in two seconds. Map it to the relevant control in three. Run the test and write the conclusion in thirty.

What took three days takes ninety seconds.

3. Walkthrough Documentation — From Scratch to Draft in Minutes

Every SOX auditor has written the same walkthrough a hundred times. "We interviewed [name], [title], who confirmed that [control description]. We observed [evidence]. We noted that [observation]. Based on our procedures, we conclude that [conclusion]."

AI knows this structure. It knows PCAOB AS 2201. It knows what a Big 4 walkthrough looks like. Give it the process description and the control objective — it drafts the walkthrough. You review. You adjust. You move on.

4. Continuous Monitoring — Beyond the Annual Audit Cycle

The annual audit is a snapshot. You test controls as they existed on one day, for one sample, in one period. Everything that happened in between is invisible.

Continuous monitoring changes this. Pre-built AI monitors running on a schedule — checking journal entry anomalies, reviewing user access changes, flagging SoD conflicts, monitoring vendor payment patterns — mean your risk exposure is visible every day, not once a year.


The Frameworks That Matter

One thing that separates genuine audit AI from generic AI is framework specificity. An audit team doesn't need a general-purpose chatbot. They need a tool that understands:

These are not things you can prompt a generic AI to learn on the fly. They require deliberate, specific training on audit methodology and regulatory standards. That is the moat. That is the difference between an AI tool that sounds right and one that produces work that would survive external review.


Why Legacy Vendors Can't Catch Up

Legacy GRC vendors face a fundamental problem: their entire business model is built on workflow software. They charge for process — for moving documents around, storing evidence, routing approvals.

When AI does the work instead of the workflow, their value proposition collapses.

They know this. Which is why every legacy GRC vendor is announcing "AI features" in their roadmap. But there is a crucial difference between a product built AI-native from day one and a legacy product with AI bolted on.

Legacy architecture means: AI features are add-ons, not core functionality. The underlying data model wasn't designed for AI. Implementation timelines haven't changed. Pricing hasn't changed. The product still requires the same number of people to operate.

An AI-native platform is different from the ground up. The AI is not a feature — it is the product.


What This Means for Audit Teams Right Now

If you run an internal audit function, here is what I would tell you:

Start with the use cases where AI saves the most time. Evidence processing and population testing are usually the highest ROI starting points. If your team spends two weeks per engagement on evidence classification and testing, AI can give you most of that time back immediately.

Demand specificity from any AI tool you evaluate. Ask it to write a PCAOB AS 2201 deficiency memo. Ask it to build an RCM for a procure-to-pay process. Ask it to run a journal entry analytics test on a real dataset. If it can't do those things specifically, it is not ready for audit.

Think about continuous monitoring before your next annual plan. The biggest shift AI enables is not doing the annual audit faster — it is making the annual audit less necessary by monitoring continuously throughout the year.

Consider the cost of not adopting. Your peer institutions are looking at this. External auditors are looking at this. Regulators are watching. The question is not whether AI comes to audit — it already has. The question is whether your function is leading or following.


See it in action

AssurAI is live today — 285+ AI tools across SOX, Internal Audit, Risk, Compliance, BCM and Financial Controls. From $499/month. No implementation project.

Shakeel Hussain Khan

Founder & CEO, AssurAI

25-year veteran of Big 4 GRC across PwC and KPMG. Built and led SOX, internal audit, ERM and compliance programmes at FTSE and Fortune companies across the UK and US. Built AssurAI to solve the problems he spent 25 years navigating manually.