From Trust, but Verify to Zero Trust to CYA

There’s an aspect to auditing internal controls that has always seemed straightforward to me that for some reason others have trouble grasping. I figure it’s just a personality trait. It doesn’t really matter if the control is financial, operational, or technological; it all boils down to taking the control in question and asking the control owner to “prove it”.

In essence, as auditors, we’re asking the control owner to prove that the control occurred on a specific day, week, month, or year, depending on the frequency of the control. This thought process has also served me well in the current dis/misinformation age. However, what do we do when the evidence provided is questionable at best? This is being taken to another level now with AI, which lets a control owner fabricate evidence that looks flawless. What do we do when the evidence is too perfect?

This ISACA SmartBrief on AI article got me thinking about the topic –> The Audit Evidence Crisis: How AI Deepfakes Are Rewriting Assurance Standards. The article recommends we move on from the “Trust, but Verify” approach to auditing into a new era of “Zero-Trust”.

Why a Zero‑Trust Approach is Essential

A zero‑trust mindset ignites inquisitive and professional skepticism that strengthens the auditor’s ability to:

  • Independently obtain audit evidence from IT and OT environments without interference
  • Validate the authenticity of evidence before relying on it
  • Detect manipulation in digital documents, images, and communications
  • Assess whether controls are resilient against AI‑enabled fraud
  • Reduce audit risk in environments where deception is increasingly automated

Taking this a step further, this got me thinking about how audit firms go about what I like to refer to as CYA. I’ll refrain from spelling that out in hopes we all know what it means. There are a few steps during an engagement that deal with fraud and non-compliance, each of which requires the organization being audited to attest (sign) that it is unaware of any fraud or non-compliance.

  1. Contract/Engagement Letter – Signed prior to the engagement, this document details auditor and client responsibilities, among other topics. Client responsibilities include notifying the service auditor of any fraud or instances of non-compliance.
  2. Fraud and Non-Compliance Inquiry – Performed during the planning phase, this step involves asking control owners at various levels (e.g., management, staff) whether they are aware of any fraud or instances of non-compliance.
  3. Management Representation Letter – Signed by the client at the completion of the engagement, prior to issuing the final report, this document reiterates the client’s responsibility to notify the auditor of any instances of fraud or non-compliance.

Now, let’s be real. They’re all self-attestations and don’t really prove anything; they’re just CYA for the audit firm. However, I wouldn’t be surprised if audit firms update their engagement letter, fraud and non-compliance inquiry, and representation letter templates to include representations about whether and when AI was used to create audit evidence. To an extent this is already tangentially covered, but it might need to be called out explicitly going forward.