Daksh

AI in Audit Oversight: Advancing in Detection, Lagging in Governance

I. Abstract

India AI’s recent challenge for the use of Artificial Intelligence (AI) in the audit ecosystem reflects an emerging regulatory interest in using AI tools to strengthen the National Financial Reporting Authority’s (NFRA) supervisory and enforcement capabilities. These applications would test compliance across large datasets from various regulators, source data and analyse financial performance, provide an NFRA-specific insight bot, etc. This article situates India’s approach within a comparative framework and draws on the UK Financial Reporting Council’s guidance on AI in audit and the US Public Company Accounting Oversight Board’s Generative AI Spotlight. It argues that AI-enabled supervision alone cannot be a substitute for audit-use governance. Although AI-driven supervision has the potential to significantly improve ex post detection of irregularities, its effectiveness depends on the parallel development of standards governing auditor reliance on AI tools and firm-level AI governance. Without such guidance, the introduction of AI into audit practice may generate new uncertainties around professional judgement and evidentiary standards that current auditing frameworks are not well equipped to manage. Strengthening regulatory intelligence is not sufficient; it needs to be complemented by a proper governance framework for AI-influenced audit practice.

II. Introduction

The National Financial Reporting Authority (NFRA) announced a collaboration with IndiaAI Mission in January 2026 to introduce the Financial Reporting Compliance Challenge. It is an initiative inviting firms to develop artificial-intelligence (AI) tools that can enhance the audit ecosystem by helping NFRA in its day-to-day operations, such as extracting text and financial data from documents and evaluating them against standards like the Indian Accounting Standards (Ind AS), Securities and Exchange Board of India (SEBI) disclosures, and Reserve Bank of India (RBI) regulations. Expected outputs consist of a compliance validation report generator, an automated analytics engine, an NFRA-specific insight bot, etc. India’s approach has deviated from that of the United Kingdom (UK) and the United States (USA), as it is mainly focused on developing AI for use within the regulatory system itself, rather than issuing guidance on how audit firms could deploy such technologies at a micro level. In contrast, the UK Financial Reporting Council (FRC) released its first guidance on the use of AI in audits, which encourages firms to create audit trails for their tools, establish clear governance frameworks, and ensure explainability. A year earlier, the US Public Company Accounting Oversight Board (PCAOB) had released a Generative AI Spotlight that reflected the perspective of several audit firms and companies on the integration of GenAI in audits and financial reporting. It noted that most of the AI used within auditing was largely experimental and that privacy, data security, and reliability issues curtail its full-fledged deployment. It highlighted the need for policies, training and human review of AI outputs. This blog synthesizes guidance from the NFRA initiative, the FRC guidance, the PCAOB spotlight, and other frameworks like the NIST AI Risk Management Framework to explore the main challenges that may arise in the implementation of AI in audit governance and how such gaps could be addressed.

India’s Detection-Centric Initiative

Audit oversight and regulatory inspections have relied on labour-intensive reviews of samples of audit files and financial statements. AI has the potential to transform this by enabling full-population testing (analysis of every single data point rather than relying on samples) and rapid identification of anomalies. An AI tool can conduct journal entry testing (JET) to detect unusual patterns much faster than an auditor can manually. It can process documents like bank statements, legal contracts, and financial reports efficiently to help identify and assess risk. NFRA’s challenge is an experimental attempt at exploring these capabilities by developing applications that extract data, segment documents, validate compliance and generate analytics. It will help the regulator scale oversight by comparing disclosures and financial statements for a large number of companies at one go. When coded against a pre-determined set of compliances, AI can run repeatable checks, reducing deviation across inspection teams. It can flag patterns in revenue recognition, related-party notes, and other high-risk areas. Such detection capabilities can address resource constraints and information asymmetry. NFRA’s plan to inspect 10 firms using AI to screen for high-risk engagement shows how regulators can expand coverage and increase speed while reallocating human expertise to areas that require judgment. However, detection is only one part of the equation. Without governance, it may amplify risks.

Emerging Themes from Global Guidance

A review of global guidance reveals four major themes that NFRA could focus on while developing its own tools or issuing guidance for the auditing community: documentation and explainability, human oversight, risk management and data privacy, and professional competence.

Documentation and Explainability: The FRC’s AI in Audit guidance stresses that the black box nature of many AI models necessitates clear documentation around governance, development and explainability. Firms must maintain an audit trail of what the tool does through its entire lifecycle. This includes documentation of the model’s purpose and of the data on which the AI was trained and validated, including data sources, selection criteria, and data quality controls. But the guidance also warns about over-documentation that can divert resources from the main function of enhancing audit quality. The PCAOB spotlight document also highlighted that organisations are developing guardrails to document underlying source data and reduce the probability of “hallucinations” or false outputs.

Human Oversight and Professional Judgement: All the guidance documents unequivocally emphasise human involvement. The spotlight asks the engagement team to remain alert and responsible for results when using AI. Supervisors are advised to apply the same diligence while reviewing work. AI outputs do not relieve auditors of their responsibility; they merely reduce it by taking on the grunt work. The aim of AI tools should be to augment humans, not to replace them. The CAQ’s Generative AI paper articulates a “human in the loop” principle, i.e., employees should review the accuracy and completeness of inputs, understand the explainability of the outputs and be able to defend the same. The level of human involvement should be proportional to the risk profile and the kind of task at hand, but vigilance and professional skepticism are non-negotiable.

Risk Management and Data Privacy: Privacy and security risks are heightened where generative AI relies on third-party or cloud infrastructure, considering the sensitivity of client data and audit working papers. The PCAOB spotlight observes that data privacy and security risks limit generative AI’s use in audit procedures, prompting some firms to prohibit AI use altogether. The risks include data poisoning (intentionally providing AI with unreliable data to influence the entire workflow and produce unreliable output) and malicious prompt injection (giving a malicious prompt directly, or disguising it as data, so that the model ignores its original developer instructions). To combat these risks, the NIST AI RMF provides a broader risk management framework, which organises risk management activities into govern, map, measure and manage functions. Audit firms can be made aware of the characteristics of a trustworthy AI that also considers societal dynamics and human behaviour. Even the White House Executive Order and the EU AI Act call for a safe, secure and trustworthy AI through explainability, human oversight and risk-based classification of AI systems. There needs to be robust data governance, model validation, version and access control, and regular monitoring. NFRA’s challenge recognises some of these requirements by mandating explainability and strict confidentiality.

Professional Competence and AI Literacy: There is a need to increase the professional competence of auditors by increasing AI literacy, applying critical thinking and assessing risks and controls. Creating guidelines and standards would only help so much if the people who supervise the process are not properly trained. Auditors are expected to develop new skills in data analytics, machine learning and ethical AI.

Detection Gains vs Governance Gaps

NFRA’s stated objective identifies the importance of using AI to strengthen regulatory oversight, but it remains largely focused on the tools that can be used by the regulator itself, leaving an important governance blind spot on the audit-firm side. AI undoubtedly provides substantial detection gains by enabling the processing of financial statements and disclosures at scale and at lower cost. However, these detection gains can come to fruition only if the AI-generated data and analysis produced by audit firms are themselves governed by clear standards. High-performing AI models often operate as black boxes, giving rise to a conflict between performance and explainability. There needs to be proper guidance and thresholds for acceptable explainability so that auditors don’t have to rely on outputs they cannot fully interrogate. Ultimately, NFRA will be dealing with these outputs as evidence of audit lapses, and if inaccurate outputs produced at a firm level are used as an evidentiary input at the regulatory level, the regulator will have a difficult time relying on such inputs. The current auditing standards in India provide very little guidance on how AI tools could be deployed efficiently as well as ethically by audit firms.

Conclusion

NFRA’s initiative on using AI may deliver faster inspections, improve risk detection and expand the scale of operation for the regulator, but the lack of governance measures for overseeing AI usage by audit firms can give way to faulty regulation and result in a ‘garbage in, garbage out’ phenomenon at a regulatory level. Global guidance such as the FRC’s documentation requirement, the PCAOB’s stress on human oversight, and NIST’s risk management functions cumulatively highlights the core principles that need to be converted into enforceable standards and implemented in practice at a granular level before the audit work generated using AI can be judged and assessed based on the same principles at a macro level.

NFRA could develop criteria to approve AI tools used by audit firms. Such criteria may include evaluation of model bias, evidence of explainability, assessment of training data quality, etc. Firms should mandatorily document the steps and parameters used at every step and process of audit analysis. Then, NFRA should review these documents to understand how AI tools influenced the audit process and whether there is any further evidence to corroborate the result. This puts NFRA in a position to accurately evaluate and challenge the AI conclusions in case of discrepancy. NFRA must set strict data-handling standards for AI tools to protect confidentiality and comply with data protection laws. As AI adoption grows rapidly across auditors, NFRA needs to balance its detection capabilities with governance measures to safeguard audit quality and maintain public trust in the AI era.

Bhavya Sudhir
Rohith C H