
Six Ways Internal Audit Teams Are Putting AI to Work in 2026

Written by Amanda Waldmann | Jun 30, 2026 6:39:48 PM

Key Insights

  • Most audit teams now use AI to draft and summarize, but far fewer have pushed it into assurance and advisory work.
  • The teams getting the most from AI move execution inside the engagement system instead of bolting it on around the work.
  • AI can run the routine first pass of a procedure, but a person reviews and approves every result. The accountability does not move.

Walk into any internal audit function this year and you will hear the same thing: the team has tried a handful of AI pilots, a few have stuck, and most of them sit somewhere between a curiosity and a habit. Someone is using a chatbot to summarize policies. Someone else drafted a risk assessment with it last quarter. The CAE has been asked twice this month what the function is actually doing with AI, and the answer is harder to put together than it should be. The tools are in the building. The fieldwork has barely moved.

This article covers where AI is genuinely working in internal audit today, the six concrete uses showing up across engagements, and what changes when agents start executing defined steps instead of just drafting around them.

What AI actually does in an internal audit today

In most internal audit functions, AI does three things well right now: it drafts, it summarizes, and it checks. It writes a first version of the planning memo, condenses a long policy or interview transcript, and flags gaps in evidence that a human would otherwise catch on the second or third pass. That is real progress from where the function sat two years ago. It is also where most tools stop, because they sit outside the engagement and assist around the work rather than executing any of it.

The execution gap is the more interesting story. The IIA's 2025 Pulse of Internal Audit found that 41% of CAEs use generative AI for internal audit activities, but the deeper applications trail well behind: just 25% use it for advisory work and 15% for assurance. Adoption is real; embedding it in the work that carries professional weight is still early. The six patterns below trace where that shift is happening.

1. Drafting planning memos, risk assessments, and request lists

Audit planning loses hours at the blank page. Someone has to write the planning memo, build out the risk assessment, draft the request list, and rough in the work program. Much of it does not require deep judgment to get started; all of it takes time to start from nothing.

AI earns its keep first in drafting, the most common real-world use today. Early in planning, teams use generative AI to draft audit objectives and rough in risk assessments. The same wins show up in summarizing long interviews and checking draft policies against a standard. You trigger it; it removes the cold start and hands back a stronger first version than a blank page.

The limits are worth naming. A drafted risk assessment is a starting point, not a conclusion; the objectives still have to reflect this entity's actual risks, and the policy check still needs a person who knows what the control is supposed to do. Quality also depends on what the tool can see. A general chatbot working from a pasted excerpt produces something generic, while a draft built from the prior-year file, the current scope, and the firm's methodology starts much closer to usable. Either way, drafting is where AI in planning is most mature and least risky: it compresses the cold-start hours without touching the judgment that follows.

2. Validating client evidence as it arrives

The worst time to find out an evidence request came back incomplete is weeks later, when it is buried under many others and the control owner has moved on. By then the follow-up is a cold trail and the timeline has slipped.

The shift here is from batch review to real-time review. Instead of waiting until the day a workpaper is opened to discover that a report is the wrong period or a population file is missing a column, AI can read each submission as it lands and flag the gap immediately. The follow-up goes back to the process owner while the request is still in front of them, not three weeks later when the context has cooled.

That matters because evidence drift is one of the quiet drivers of fieldwork slippage. Validating submissions as they arrive surfaces mismatches and gaps faster, and the same reading-on-arrival ability speeds up the sorting that buries teams once evidence starts flowing. One manufacturer saw exactly that: by using a natural language processing tool to categorize procurement documents, it sharply cut the time internal audit spent gathering and organizing information. Closing the gap between submission and review keeps the follow-up warm.

For managers tracking dozens of open items across concurrent engagements, this is the difference between a clean status board and email chaos. When validation runs at intake rather than at review, the gaps surface while the request is still live, and the follow-up goes out before the trail goes cold.

3. Executing repetitive control testing procedures

This is where the work changes hands. Drafting and evidence review speed up what surrounds a procedure; execution changes who actually completes the first pass of the procedure itself.

Control testing is the clearest place to see it, because so much of the work is repetitive by design: match evidence to the sample, validate the data, check it against the requirement, document the result. None of those steps require professional judgment on the first pass. All of them benefit from being done consistently and in the same place.

The shift is already visible across the profession, which tells you where the work is going. RSM has described using agentic AI on labor-intensive processes like building risk and control matrices and drafting observations in minutes rather than days. KPMG has described AI handling repetitive work and a large share of audit work programs. PwC's controls testing includes review checkpoints so users refine the logic before execution. These are early versions of one idea: the routine pass of the procedure can be executed, not just drafted.

This is the line between assisting and executing. Assistance speeds up the drafting a person still performs. Execution means the routine pass of the test gets done: evidence matched to samples, data validated, exceptions identified, results documented, with the practitioner reviewing and approving the output. The work changes hands; the judgment does not.

4. Surfacing exceptions and anomalies across full populations

Testing the sample still leaves the rest of the population untested. Sampling was always a compromise: you check a slice and infer the rest. AI changes that math by reading the whole population and letting the anomalies rise to the top.

In practice, AI-based tools can analyze 100% of the population to detect outliers, and NLP combined with automation can sweep 100% of revenue or purchase transactions to surface the exceptions worth a closer look. Machine learning models flag anomalous entries across large databases that a sampled test would never reach.

Adoption is further along than you might expect. A Gartner survey found anomaly and error detection in use by 39% of finance functions, which means elevated-risk areas now get flagged before the partner ever looks. That is the model working as designed: the agent surfaces the population-wide outliers, and the practitioner brings judgment to the ones that matter. Review is not a safety net bolted on after the fact. It is the half of the model where the professional call gets made.

5. Connecting patterns across the engagement portfolio

Most of the AI you see in audit still looks at one engagement at a time, but leaders need a view across engagements: recurring exceptions, control themes, and connections that span workpapers rather than sitting in a single test.

Engagement-scoped analytics start to connect those dots. Machine learning helps auditors analyze large data sets for anomaly and predictive analysis across an engagement. The volume is the forcing function: audit leaders face a growing number of business cases across the organization, all at once, and a single-workpaper view misses the connective tissue between them.

A portfolio lens is what closes that gap: analytics that surface patterns, anomalies, and connections across engagements rather than inside one, so leaders see the themes their individual workpapers cannot.

6. Coordinating engagement work in one place

You can have strong drafting, sharp exception detection, and fast testing, and still lose the engagement to coordination drag. Where does each item stand? What is blocked on evidence? What is flagged and waiting for attention? When that lives across email, spreadsheets, and a document repository, managers spend their week assembling status instead of running the work.

The fix is consolidation: one view that pulls status from the work itself instead of from a separate tracker someone updates by hand. When requests, evidence, testing status, and review flags all live in the same place, a manager can see what is ready, what is blocked, and what is waiting for attention without stitching it together from email and spreadsheets. AI helps less with the coordinating here and more with keeping the underlying status current as the work moves, so the picture is accurate when someone looks. The payoff is fewer hours spent assembling status and more spent acting on it.

Where AI in internal audit is heading next

Read the six uses together and the trajectory points one way: practitioners and AI working every engagement, with the AI executing the routine pass and the practitioner owning the judgment. The functions seeing the most from AI are not the ones with the most tools. They are the ones moving execution inside the engagement system instead of around it.

That progression tends to come in stages rather than all at once. Writing in an IIA piece, KPMG's Charles King draws a useful line between efficiency AI, using the technology to do the same work faster or with fewer people, and opportunity AI, using the freed-up time to move the function toward advisory and higher-value work. Most internal audit functions are still in the efficiency phase, and that is a reasonable place to be. The shift to opportunity is less about better tools than about trusting AI with execution and building the review habits that keep that execution honest.

Where this model already runs end-to-end

Many internal audit functions do not run this lifecycle alone. They co-source and outsource it to audit and advisory firms, and those firms need a system that can execute the work at scale across many clients at once. Fieldguide is an end-to-end AI-native platform purpose-built for audit and advisory firms, with AI assisting the task-level work and executing defined procedure steps while practitioners review and approve every output before anything is relied on; the work speeds up, but professional judgment stays with the practitioner. 

The platform carries ISO 42001 and AIUC-1 AI governance certification and SOC 2 Type 2 attestation. Half of the Top 100 US CPA firms, including members of the Big Four, run on it.