Key Takeaways
- AI can expand controls testing from sample-based snapshots to full transaction populations while practitioners retain oversight of methodology and final determinations.
- Firms that invest in change management alongside AI technology are nearly two times more likely to achieve revenue growth of 10% or higher.
- AI decisions in controls testing must be traceable and verifiable. Governance frameworks like NIST and ISO 42001 give firms a structured path to meet that standard.
Sample-based testing examines only a fraction of the transaction populations needed to provide comprehensive assurance. This creates fundamental assurance gaps that compound over time. Control deviations outside your selection criteria go undetected, which means you're discovering failures months after they occur, precisely when remediation costs the most and client relationships face the greatest strain.
Meanwhile, audit professionals juggle multiple engagements simultaneously, coordinating distributed teams and tracking exceptions manually across fragmented systems. These operational constraints leave little bandwidth to expand testing coverage.
AI is changing this operational model. MIT research analyzing transactions from 79 accounting firms found that professionals using AI support 55% more clients, and shift 8.5% of their time from routine processing to higher-value analytical work like risk assessment and client advisory. This article examines AI applications in controls testing, implementation frameworks aligned with IIA and ISACA standards, and the governance requirements that determine whether firms achieve high AI value or underperform despite technology investments.
What is Agentic AI for Internal Controls?
AI capabilities in internal controls span different categories serving distinct functions. Continuous monitoring tools track client environments in real-time, detecting control failures as they occur. Predictive analytics platforms forecast which controls face elevated failure risk based on historical patterns. Anomaly detection systems identify patterns that rule-based controls miss, analyzing multiple variables simultaneously across transaction populations.
Engagement automation platforms address a different problem: the testing and evidence workflows that consume practitioner hours during engagements. Fieldguide's Field Agents execute complete multi-step testing procedures within practitioner-defined parameters, matching documents to test samples, extracting and validating data, and documenting findings with full proof of work.
Unlike AI copilots that assist with individual tasks requiring continuous direction, agentic AI executes workflows end-to-end while practitioners maintain oversight of methodology and final determinations.These AI categories address different limitations of traditional controls testing. Engagement automation expands testing capacity, letting firms examine broader transaction populations while reducing the manual hours that constrain coverage. Continuous monitoring replaces point-in-time snapshots with ongoing oversight. Predictive analytics shifts assessment from backward-looking to forward-looking.
Full Population Testing
Agentic AI can also execute complete testing procedures within practitioner-defined parameters, handling the evidence matching and data extraction that consume hours during engagements. Once practitioners select samples and define test criteria, AI executes the procedural work, like matching documents, extracting and validating data, while practitioners retain ownership of methodology, judgment, and final conclusions. This shifts the auditor’s role from manual execution to orchestration and oversight, without compromising rigor or accountability.
Staff auditors know the tedium of matching invoices to purchase orders, verifying fixed assets against supporting documentation, or testing accounts receivable confirmations line by line. These extraction and matching tasks that would take days manually now free associates to investigate flagged exceptions and apply professional judgment where it matters.
Practitioners maintain oversight of methodology, sample selection, and final determinations while AI handles the repetitive validation work. Fieldguide's Field Agents apply this approach to audit testing, documenting findings with full proof of work so auditors can trace every conclusion back to source evidence.
Continuous Control Monitoring
AI can provide ongoing oversight throughout the period rather than point-in-time testing. Controls are evaluated in real-time, allowing immediate detection and remediation versus discovering failures months later during fieldwork. This shift matters for engagement economics. Partners need to know which controls require remediation throughout the period, not during final review when failures have already occurred. Continuous monitoring surfaces control failures when they happen, reducing the cost and complexity of remediation while improving overall control effectiveness.
Anomaly Detection
Machine learning algorithms identify unusual patterns that deviate from established norms even when not violating explicit rules. Unlike static threshold-based controls, systems analyze multiple variables simultaneously: amounts, timing, vendor relationships, approval sequences. The result is detection of subtle anomalies indicating fraud, errors, or control breakdowns that circumvent traditional threshold-based controls.
Consider segregation of duties testing. Rule-based systems flag users with conflicting permissions in access matrices, while ML algorithms identify users whose transaction patterns suggest operational conflicts even when formal permissions appear appropriate. Consider the accounts payable clerk who rarely processes invoices but suddenly approves high-value payments during a supervisor's vacation.
Predictive Risk Assessment
AI lets auditors anticipate control failures before they occur. By analyzing historical control test results, exception patterns, personnel turnover, system implementations, and transaction volume changes, AI models predict which controls face highest failure risk in upcoming periods. This fundamentally changes audit planning from backward-looking risk assessment to forward-looking risk prediction.
Partners allocate engagement resources more effectively when systems predict which controls will likely fail rather than identifying which controls have already failed in prior periods. For a manager planning testing across five concurrent SOC 2 audits, predictive analytics might flag that Client A's access provisioning control shows declining effectiveness as headcount scales, or that Client B's change management control typically weakens during quarterly release cycles. The distinction matters during busy season when every hour counts and engagement profitability depends on focusing senior resources where they'll find issues.
The Benefits of AI in Internal Controls
Controls testing consumes a disproportionate share of engagement hours because evidence matching, data extraction, and exception tracking remain largely manual. When AI handles these procedural steps within practitioner-defined parameters, teams reclaim capacity for the judgment-intensive work that actually drives assurance quality: evaluating control design, assessing operating effectiveness, and investigating root causes behind exceptions.
The shift is practical: a manager coordinating five concurrent SOC 2 engagements spends fewer hours chasing evidence status and more hours reviewing findings that require professional judgment. Associates spend less time matching documents to test samples and more time developing the analytical skills that justify promotion.
Building AI Capabilities Systematically
Professional bodies have developed comprehensive implementation frameworks. The IIA's AI Auditing Framework, AICPA's 2025 AI Report, and ISACA's AI Toolkit provide guidance, though formal AICPA and PCAOB audit standards specifically addressing AI are still in development.
1. COSO Framework Integration
Organizations are shifting from traditional Internal Controls over Financial Reporting to AI-powered continuous control monitoring. Traditional ICFR relies on pre-defined rules and sample-based plans, while AI-powered approaches use layered techniques including statistical modeling, machine learning, rule-based tests, continuous risk detection, and real-time control failure detection.
Deloitte's guidance on applying the COSO Enterprise Risk Management Framework to AI shows the five COSO pillars translate directly to AI implementation:
- Control environment: AI governance policies establishing oversight structures, accountability frameworks, and ethical guidelines for AI system deployment and operation.
- Risk assessment: AI-specific risks including algorithmic bias, data quality issues, model drift, and explainability challenges requiring specialized risk evaluation methodologies.
- Control activities: AI-enhanced control mechanisms combining traditional control procedures with machine learning anomaly detection and predictive analytics capabilities.
- Information and communication: Transparent AI decision documentation maintaining audit trails that explain how AI systems reached conclusions and what data informed decisions.
- Monitoring activities: Continuous monitoring of AI system performance tracking accuracy, detecting drift, and validating that models operate within practitioner-defined parameters.
These five pillars provide the governance foundation necessary for successful AI implementation in controls testing, enabling audit and advisory firms to deploy AI capabilities while maintaining the control discipline that auditors must verify.
2. Change Management Investment
Organizations that invest in change management and organizational alignment for AI adoption are nearly two times more likely to see revenue growth of 10% or higher, according to McKinsey's research on generative AI high performers. For audit and advisory firms, this translates to tangible business impact: firms that prioritize change management, workforce development, and governance frameworks alongside technology implementation consistently achieve higher adoption rates and sustainable competitive advantage.
Technology works when organizations invest in data literacy across teams, build organizational trust, and provide hyper-personalized support tailored to different professional levels. Without adequate change management investment, organizations systematically underperform on AI value realization despite having appropriate technology in place.
3. Pilot Implementation Strategy
In order to lay the foundation for successful AI implementation, organizations should test AI tools on already completed prior-year audits first, use pilot implementations on new audits with an expectation of learning time, and anticipate data quality challenges from clients. This approach validates AI system accuracy, builds team confidence through comparison with manual results, and allows nonbillable learning time without affecting engagement realization.
Audit and advisory firms should establish clear success criteria before pilots begin, measuring both technical performance and user adoption rates to inform broader deployment decisions. Gartner's 2025 survey found organizations performing regular AI system performance and compliance audits are over three times more likely to achieve high GenAI value.
Risks Requiring Governance
AI implementation creates new risk categories that existing audit methodologies don't fully address.
The Explainability Requirement
AI decisions must be traceable and verifiable within established governance and measurement frameworks. The “Measure” function in the NIST AI Framework emphasizes transparency in AI operations and decision-making pathways. When auditors cannot explain how AI reached conclusions through documented model logic, algorithms, and audit trails, they cannot exercise professional skepticism or maintain sufficient audit documentation.
Partners face significant professional liability exposure when unable to explain AI-driven risk assessments during quality reviews or regulatory inspections. This risk is particularly acute given that many audit leaders lack formal AI governance frameworks.
Organizations should implement AI governance aligned with the NIST AI Risk Management Framework's "Measure" function, selecting engagement automation platforms with built-in explainability features, and establishing comprehensive documentation standards that capture AI reasoning at decision points. These governance measures ensure auditors can trace every AI decision back to source data and logic, maintaining the professional skepticism required for high-quality audit work.
Data Quality as Systematic Risk Multiplier
Lack of data governance creates potential AI risks. The more data companies collect, analyze, and apply using AI, the greater the potential risk. Unlike traditional procedures where issues affect individual tests, AI trained on flawed data systematically applies those flaws across all procedures.
Audit and advisory firms must implement comprehensive data governance frameworks before AI deployment. This includes data validation and cleansing procedures, monitoring for data drift and distribution changes, and auditing training data quality and representativeness. Managers introducing AI to audit engagements should prioritize data quality assessment before AI deployment. Poor source data creates systematically poor AI outputs regardless of algorithm sophistication. Fieldguide's ISO 42001 certification demonstrates systematic AI governance approaches that address data quality requirements through structured validation processes.
Modernize Controls Testing in Your Organization
The convergence of proven ROI from peer-reviewed research, professional body endorsement, and new certification pathways creates opportunity for firms that plan systematically. Partners who establish governance frameworks aligned with NIST AI Risk Management Framework, invest in change management approaches that improve success outcomes by 1.6x, and focus AI deployment on experienced professionals who achieve larger performance gains will build measurable competitive advantage.
Technology alone doesn't drive results. Firms that combine agentic AI with governance frameworks, change management, and practitioner oversight expand capacity without diluting quality. Fieldguide helps audit and advisory teams move from promising pilots to measurable practice improvement.
Amanda Waldmann
Increasing trust with AI for audit and advisory firms.
