Can Auditing be trusted in the age of AI?
AI challenges audit’s ability to define and enforce consistent expectations.
AI is software, a tool. Granted, it is more probabilistic than deterministic, unlike traditional software, but it is still a tool. Audit was designed to assess outcomes that are consistent, traceable, and supported by complete evidence.
AI challenges all three.
First, let’s be sure to distinguish two different things:
Audit using AI (tooling)
Audit auditing AI (object of audit)
These are not the same problem, and conflating them leads to the wrong solutions. This article will explore the latter. The idea of Audit using AI to complete its tasks or, as others in the industry have stated, to replace entry-level audit roles, will be explored in the next article.
Does Audit audit Software today?
We don’t actually audit software today as a standalone artifact. Audit doesn’t say “let me see the code base”; it leaves that to the expert software architects, who review specific security and other code-based functions.
Audit is concerned with what software produces, not how. This is done in three main ways:
Controls: access controls, change management, deployment processes, segregation of duties
Outputs: transactions (e.g. Financials), reports, decisions
Processes: workflows, compliance adherence
These are not preferences - they are the conditions that make audit possible. In other words, Audit doesn’t ask: “Is this software correct?”
It asks:
“Does this system produce controlled, reliable outcomes I can check against?”
What does Audit need to do its job?
Audit relies on the following conditions:
Logic is defined
Behavior is consistent
Outputs are reproducible
Evidence is complete
Failures are traceable
Since deterministic software meets these needs, it’s not a problem, right? But AI is probabilistic software, so it fundamentally breaks what Audit needs. AI is materially different in that outputs are not reproducible, even when the input is the same. Logic is not traceable: it is weighed possibilities that are not exposed. And evidence is no longer a binary of yes or no, exists or not.
The AI Shift
AI changes how systems behave.
So before we talk about AI governance or new audit frameworks, we need to ask a more basic question:
What are we actually auditing against when the system no longer behaves predictably?
To close controls, auditors rely on the correctness, traceability and completeness of the open items they could essentially check off as done. Now, they have to expand their view of what is acceptable: the boundaries of probability and whether something is sufficiently covered or not. It is clear that this is no longer an objective assessment, but rather a range that will rely heavily on human judgment to define.
They are essentially forced to move from proving to evaluating the outputs, usage, data, training and design of the AI tool within a given context.
Not “is it correct?” but “is it acceptable?”
The shift is from relying on software logic that is coded and makes predetermined decisions traced to requirements, to evaluating inputs and constraints: confirming standards for data quality and prompts, and assessing guardrails for both.
Moreover, unlike Governance, which is upstream, audit is the last downstream check of organizational compliance. Before AI, audit was a point-in-time check. Because AI introduces inconsistency over time through learned patterns and drift, audit must now become longitudinal.
AI’s differences now force audit to become more involved in the correctness, rather than the existence, of artifacts. If AI can simply check whether a documented artifact has been uploaded, a human auditor must engage to ensure the document satisfies risk reduction, and that involves more than the artifact’s existence.
Audit now needs to define acceptable ranges and ensure outcome accountability can be traced to a human to meet regulatory compliance. Moreover, Audit cannot solve this alone. Their counterpart - organizational governance - should be consulted: Governance defines acceptable behavior and audit evaluates whether it holds.
Without that alignment, neither works. Controls should be designed together to account for gaps in data governance, model risks, bias and documentation usage as satisfactory control closures.
Finally, as organizations automate routine checks, risk concentrates in what cannot be automated: judgment and accountability. That is where audit’s burden is shifting.
If this shifted how you think about audit and AI, I’ll be unpacking this further.


