Related posts
See all
Key Insights
- Methodology still governs the engagement. AI changes who executes the procedures, not what counts as sufficient evidence.
- Regulators have settled it: the evidence bar stays put when technology does the work, and new quality standards pull AI tools inside the firm's quality system.
- The real inspection exposure is agent output that can't be traced back to an identified risk, which makes documentation architecture the thing to get right first.
The pitch is everywhere: AI is going to replace audit methodology. But it's the other way around. Methodology sets the rules of the audit, from what gets tested to what counts as evidence to what the partner signs off on, and none of that moves. What AI changes is who performs the procedures and how fast the work runs. This article covers what AI actually changes, what stays governed by your methodology, and how to tell whether a platform can execute inside your firm's approach.
How AI is changing audit execution
Audit execution has looked roughly the same for years, which is what makes the current change easy to underestimate. The baseline is decades of linear, manual, sampling-based work. Now, new tools can expand analysis across full populations and support testing that genuinely responds to assessed risks, rather than picking 25 items and hoping the sample tells you the story. The same shift runs through the rest of the engagement: evidence reviewed the moment it arrives, documents analyzed at scale, workpapers drafted as the testing runs.
What hasn't changed is the evidence bar. The PCAOB's TAA amendments to AS 1105 and AS 2301 took effect for fiscal years beginning on or after December 15, 2025. They keep the rule where it has always been: sufficient appropriate audit evidence, whether a person or an agent did the legwork. Agents can execute test procedures, flag anomalies, organize evidence, and document results. The practitioner still decides what counts as sufficient evidence and which flagged items are material.
And inspectors are paying attention. PCAOB inspection priorities have explicitly called out auditor use of technology, including generative AI, alongside familiar areas like ICFR, materiality, and audit evidence. If you're using it, expect questions about it.
How audit methodology governs the engagement
Methodology isn't an abstract document sitting in a shared drive. In your firm, it's how PCAOB and AICPA standards actually show up in the day-to-day: in workflows, supervision structures, templates, and quality gates. Bringing agents into execution doesn't loosen any of it. If anything it raises the stakes, because the methodology is now what keeps fast output inside the rules.
Testing requirements don't bend for faster execution
The testing floor doesn't drop. For every relevant assertion tied to a significant account, you still owe substantive procedures regardless of how strong your control testing came back; the procedures exist to respond to assessed risks, not to reward strong controls. And they have to carry an element of unpredictability: the same playbook run the same way every year doesn't satisfy the standard, no matter how efficiently it runs.
Documentation and quality control prove the work
Performing the work is only half the requirement. The performance standards define what gets done on the engagement; the documentation and quality control standards define how your firm proves it got done.
If your risk assessment lives in one section and your substantive procedures live in another, inspectors still expect to see a clear thread between them. When that thread is missing from the workpapers, you're not just facing one finding. The issue is citable under both the performance standard and the documentation standard.
Quality control adds a firm-level layer on top. The PCAOB's new quality control standard, QC 1000, takes effect December 15, 2026, and requires firms to run a quality system covering everything that affects the audits they issue. That includes the technology used on engagements: if AI tools execute procedures, the firm's quality system has to account for how those tools are used and reviewed.
Professional judgment stays with the practitioner
No obligation in the standards transfers to the model, no matter how much of the execution the AI carries.
The engagement partner's personal obligations
Even with agents running half the procedures, the engagement partner is still personally on the hook. They determine whether the right consultations happened on contentious, judgment-heavy matters. They determine whether the evidence is sufficient and appropriate to support the auditor's report under AS 1000. Supervision sits in the same place: AS 1201 puts it on the partner and the team members in supervisory roles, with no exception for technology. The standards put these determinations on people. Not the platform, not the model.
Professional skepticism also reaches further than people sometimes assume. It covers any information obtained during the audit, not just the items formally designated as evidence, as the AS 1000 rulemaking lays out.
Skepticism applies to each individual auditor
Skepticism doesn't stop at the partner's desk. Everyone on the engagement team carries it individually, a point PCAOB staff guidance in SAPA No. 10 makes explicit. It applies when you assess risks, when you run the tests, and when you weigh what came back.
The AICPA's Code of Professional Conduct makes the same demands of every CPA. It requires due care, proper planning and supervision, and enough relevant data to back your conclusions. Put the two together and the division of labor is clear: AI executes the work, and the practitioner keeps the judgment and the responsibility.
Why doesn't AI replace audit methodology?
AI doesn't replace methodology because methodology is what makes agent output stand up as audit evidence. Procedures only count if they respond to assessed risks, follow the firm's approach, and leave a record an inspector can follow. An agent can produce the output fast. Methodology is what makes it count.
The inspection record shows the stakes. The PCAOB's 2024 inspection cycle found a 39% aggregate Part I.A deficiency rate across 171 inspected firms and more than 800 public company audits. A Part I.A deficiency means the firm did not obtain sufficient appropriate audit evidence to support its opinion. Revenue is among the most common deficient areas. Evidence sufficiency is already where audits fail most.
That failure mode doesn't care who performed the procedure. If your firm's AI executes substantive testing on revenue, the workpapers still need to show how those procedures respond to the identified risk. Output that can't show that linkage lands on the profession's weakest spot, agent or not.
Documentation has to carry the risk-to-response linkage
The bar for workpapers is an old one: an experienced auditor should be able to pick up the file and understand the work performed, the evidence obtained, and the conclusions reached. What's new is an explicit requirement, in the amended AS 1215, to document the linkage between identified risks and the responses to them. In an agent-executed engagement, that linkage is the whole game. Workpaper architecture has to make it visible and traceable, not buried in agent output.
If an audit firm uses AI to test 100% of journal entries, inspectors may treat that as an improvement over sampling, or they may ask detailed questions about the model itself. Current standards don't specifically address AI, so either reaction is on the table. Firms that can show how the practitioner evaluated the output before relying on it are positioned to answer those questions; firms that can't are guessing.
Can AI be configured to your firm's audit methodology?
Methodology is firm-specific by design. How a firm assesses risk, selects samples, documents testing, and evaluates evidence reflects choices the firm made and stands behind. Even where the standards got more prescriptive, as SAS No. 145 did for risk assessment, how the firm meets the requirement is still its own design. That's why platform choice is a professional standards question, not just a workflow preference. A platform that dictates its own sampling approach, risk assessment documentation, or evidence standards forces the firm to rework its methodology to fit the software. At that point the tool governs the methodology instead of the other way around.
Some of the largest firms have tried to solve this by building proprietary platforms around their own audit approaches, but keeping pace with where AI is going is a full-time engineering problem even at that scale. For most firms, the real question is whether a platform can be configured to match the firm's existing methodology and execute within it. Fieldguide treats this as a design principle: the platform aligns to a firm's methodology and prior work through Agent Knowledge and Agent Configuration.
Three questions separate platforms that execute inside a methodology from platforms that quietly replace it. Can the platform adapt to your firm's risk assessment approach and testing parameters? Can you trace each identified risk to the procedure that addresses it in the workpaper? And does the documentation architecture reflect your methodology, or the vendor's?
Running your methodology on Fieldguide
Fieldguide is the industry's only end-to-end AI-native platform, purpose-built for audit and advisory, with the Agent Workforce, methodology depth, and audit-grade rigor firms need to run engagements this way. The platform operates within a firm's existing methodology rather than imposing its own: practitioners direct the work through Field Orchestrator, Field Orchestrator coordinates Field Agents, and Field Agents execute. Agent Knowledge grounds that execution in the firm's methodology and prior-year work, and Agent Configuration tunes Field Agents to the firm's frameworks, sample sizes, and approach. All outputs require practitioner review and approval before they are finalized. To see how the platform works inside your firm's methodology, request a demo.
Amanda Waldmann
Increasing trust with AI for audit and advisory firms.
