How To Use Technology For Audit Preparation

I've sat in more than 50 audits across GCC & Europe (ISO 27001, SOC 2, SAMA etc..) You rarely fail for missing a piece of evidence... You fail because the proof is scattered, outdated, ownerless, or can't be found (while the person providing it swears they submitted already) To avoid this: 1- Pick one system of record for evidence (SharePoint or Google Drive, etc.). No WhatsApp, Teams DMs, or email threads as “evidence.” 2- Create one folder per Framework. Create sub folder per control group. Use a clean name for files, {ControlName}{YY-quarter(e.g. Q1)} 3- Assign one named owner per domain (Access, Assets, Change, Incident). Give each an audit response cheat sheet: what to show, where it lives, who to pull in (good luck with getting other teams doing it!) 4- Run a pre-audit dry run: fresh eyes click every link, open every file, check dates/signatures, and tie each piece of evidence to the control ID. Time-box to 2 hours. Ask the team: “If we were audited tomorrow, where would you point the auditor to?” 5- Automate refresh: exports/screenshots as needed (monthly?), owner sign-offs, and expiry checks so proofs don’t go stale. Simple fix: Make evidence hygiene the product, not an afterthought. Or simply save yourself the headache, at Vamu we automate a large part of this, and map controls to owners and time-stamped proofs so the folder is clean by default. But you can start with the list above this week. Audits are won (or lost) in the evidence folder.

Dear AI Auditors, Foundations of AI Audit AI has quickly moved from “emerging tech” to business-critical systems. Banks use it to flag fraud. Insurers use it to price policies. HR teams use it to screen candidates. Customer service depends on chatbots powered by large models. But most audit functions still don’t have a tested playbook for AI. This gap creates blind spots at exactly the time when regulators, investors, and the public are asking tougher questions about trust. If you’re leading or participating in AI audits, here are the foundations you can’t afford to ignore: 📌 Define the Scope Clearly Don’t audit AI in the abstract. Focus on systems that shape financial reporting, compliance obligations, or customer outcomes. A fraud detection model or claims assessment tool deserves priority over a low-impact internal chatbot. 📌 Understand AI Evidence Types AI doesn’t always produce “traditional” evidence. You’ll need artifacts like training data lineage, system logs, model documentation, and bias test results. Decide up front what will count as valid audit evidence. 📌 Check Governance Structures Who owns AI risk in your organization? If no one can answer clearly, you’ve uncovered a governance gap. Look for oversight committees, a Chief AI Officer role, or designated control owners. 📌 Assess Data Integrity Models are only as reliable as their inputs. Confirm whether the data is authorized, accurate, and complete. Ask how often it is refreshed? How is quality measured? Who signs off? 📌 Review Model Transparency If management can’t explain why a model makes certain decisions, the risk is already high. Auditors should look for explainability tools, model cards, or other documentation that turns the “black box” into something testable. 📌 Evaluate Monitoring and Drift Detection Models age. They lose accuracy as real-world conditions shift. Look for monitoring dashboards, alert thresholds, and documented retraining cycles. 📌 Link AI to Business Objectives Every AI system should connect to measurable goals, cost savings, fraud reduction, and customer satisfaction. If the business case is weak, even a well-governed system may not justify the risk exposure. Auditors who master these foundations will protect their organizations from regulatory penalties, reputational damage, and costly AI failures. Those who don’t risk leaving critical blind spots unchecked. AI isn’t optional anymore. Neither is AI audit readiness. #AIAudit #AuditLeadership #AIControls #AIGovernance #ModelRisk #InternalAudit #GRC #AITrust #AuditCommunity #RiskManagement #CyberYard #CyberVerge

This one checklist made my life 10x easier (Save hours later by following these steps now!) Over the last 22 months, I’ve attended 184 walkthrough meetings. Trial. Error. Frustration. Fixes. And through all of that, I created this simple system. A checklist that every auditor should follow after the walkthrough ends. If you’re tired of scrambling for screenshots, losing notes, and chasing follow-ups days later, Save this post. Share it with your team. Use it every time. Post-Walkthrough Checklist: The SOP I swear by 1. Segregate your screenshots (Immediately) - Use Windows + Print Screen to capture quickly. - Create a new folder right after the meeting using this format: [Date]_[Control_ID]_[ControlName]_[AuditName] - This makes it easy to find everything later. 2. Store in two places - One local folder on your laptop - One shared folder (e.g., Teams) so others don’t need to ping you 3. Summarize your notes - Right after the meeting, take 5–10 minutes to clean up your notes. - Capture who said what, any key clarifications, and system flows. 4. Save notes smartly - Again one local, one shared. - Use the same naming format for consistency. 5. List out all follow-ups in one place - Don’t rely on memory. - If something needs clarification or additional evidence, document it immediately. 6. Assign owners and due dates - Use a tracker to assign each follow-up to a control owner with a clear timeline. - This alone will save you days of back-and-forth. 7. Update your main control tracker - Capture the status of the walkthrough and all pending items. - If your team doesn’t have a control tracker, create one. (And if they do make sure you’re using it daily.) Bonus: I personally keep a tracker with separate tabs for each audit I’m working on. Every control I’m assigned gets listed with deadlines, dependencies, and current status. This isn’t just a checklist. It’s a habit. Follow it after every walkthrough and your future self will thank you during wrap-up week. Have your own post-walkthrough system? Drop it below! I’d love to see how others do it.

Last week, I participated in an Internal Audit Collective working group focused on developing AI use cases for audit projects. It was a memorable meeting for me because this was the first time I witnessed AI in action. The group leader demonstrated a prompt designed to create a RACM for audits that an organization has never conducted before. The audit topic chosen was AI Governance, and within 59 seconds, the system generated an incredibly detailed RACM, complete with specific risk statements, standard control descriptions, and comprehensive testing and assurance procedures. After participating in the working group and witnessing the prompt in action, three key insights stood out to me. 1. After reviewing the details and sources referenced by the prompt to create the RACM, it was apparent this prompt would save 40-50 hours per project. For a team conducting 10-12 audit projects annually, that's equivalent to an entire additional audit saved by one prompt. With the average audit project costing $35K compared to just $35/month for a Gen AI license, the economic advantage is clear. This dramatic cost difference explains why AI adoption in our industry will significantly outpace the implementation of data analytics over the past two decades. 2. Internal Auditors will remain essential. This prompt demonstrated how AI can automate the "what" and "how" of audit planning, but it failed to address the crucial "why" component. Less skilled internal auditors may present AI-generated content (such as RCMs) as their original work. Effective audit leaders will quickly identify and address this practice. Skilled internal auditors will leverage AI-supported work as valuable context rather than a final product. They must still conduct interviews with business management and audit leadership to understand the purpose behind the audit. Additionally, they need to comprehend the reasoning behind the AI prompt's suggestions rather than accepting them at face value. 3. Currently, larger internal audit teams are adopting Gen AI more rapidly than smaller teams. Within the working group, most contributing members either work for larger teams (those >15-20 people) or have already developed a strong interest in AI. On one hand, this is reasonable since larger teams can dedicate resources to implementing AI. But smaller teams stand to benefit more. The ROI from adopting AI will be much higher. Looking ahead, I believe the next wave of audit leaders for smaller teams (15 or fewer people) will be hired by AI-forward companies based on two key factors: meeting the minimum qualifications for the role AND bringing a practical playbook with experience implementing 10-20 different AI use cases that can deliver immediate impact. These ideal candidates will be auditors with proven AI proficiency—primarily those from larger audit teams or those who have actively invested time to learn and effectively incorporate AI into their audit methodology.

Your next audit will ask: "How do you govern AI-generated data?" Most security leaders can't answer that question today. **The Problem:** Traditional privacy programs were designed for structured databases containing known PII. AI blew that model apart. Copilot prompts generate data. AI-assisted documents contain context. Agent interactions create unstructured content your legacy DLP tools weren't built to classify. A CSO Online survey found 48% of CISOs rank strengthening data protection as their top 2026 priority. But most organizations adopted AI faster than their privacy controls could keep up. Here's what changed: Before: Privacy tracked known data in known locations Now: Sensitive data is generated continuously through AI interactions you may not even log Before: DLP matched patterns (SSNs, credit cards) Now: AI outputs contain semantic meaning patterns can't reliably detect Before: Protection focused on data at rest Now: AI creates sensitive data in motion—prompts, responses, and agent-to-agent exchanges **The Solution:** You need visibility into AI-generated data and controls that follow that data wherever it moves. We use Microsoft Purview to govern AI interactions across Microsoft 365 Copilot, Copilot Studio agents, and Foundry AI workloads. You apply classification, labels, retention, and DLP where those interactions are logged and supported. Here's how to start: 1. **Map your AI data surface** - Identify where AI generates or processes data in your environment (prompts, outputs, agent interactions) 2. **Extend classification to AI workflows** - Configure Purview to scan and classify sensitive information in AI interactions using trainable classifiers for semantic content 3. **Apply sensitivity labels** - Ensure labels travel with AI-generated content through workflows and enforce protection automatically 4. **Enable AI-aware DLP** - Update policies to detect sensitive data in prompts and AI outputs, not just traditional file types 5. **Log and monitor** - Capture AI interactions in audit logs for compliance reporting and investigation Security Copilot capabilities inside Purview help investigators reason over AI-related privacy risk using natural language, making it faster to respond to audits and data subject requests. **Test Your Readiness:** If an auditor asked today: "Show me all AI interactions from the last 30 days involving customer financial data," could you answer confidently? If not, let's talk about getting your AI privacy controls audit-ready before that question lands on your desk. #MicrosoftSecurity.#Purview #Privacy #Copilot ProArch

Run this 15-minute audit with your CFO to stop automating the wrong things. Most teams hand complex judgments to tech while still doing manual data entry. Step 1: List weekly recurring decisions Expense approvals, reclasses, prepaid terms, accruals, fixed-asset adds, variance accept/reject, rev-rec edge cases, vendor terms, etc. Step 2: Apply 3 filters to each decision Can someone reasonably be fired for getting this wrong? Yes → Human. No → AI candidate. Would a mistake delay close if questioned? Yes → Human. No → AI candidate. Will I need to defend it to the board/auditors? Yes → Human. No → AI candidate. If any of 1-3 = Yes → Human. If all are No and data is available/clean → AI candidate. Step 3: Run a reality check AI agents should handle (rule-based, high volume and low risk): 1) Expense approvals under $500 (clear rules) 2) Standard journal entries (pure calculation) 3) Bank reconciliation matching (pattern recognition) 4) Invoice coding to GL accounts (rule-based) Humans should handle (context heavy, high stakes): 1) Revenue rec for non-standard contracts (scrutinized) 2) Budget estimates & reserves (material, earnings-impacting) 3) Period-end cut-off & completeness (misstatement risk) 4) Tax provision & material disclosures (regulatory risk) Outcome: You stop debating where AI “fits” and start routing work by risk and judgment and a foundation to build on. If you're evaluating AI for finance, start with this audit instead of a demo, or DM me for help.

💡 How to Ensure IT SOX Controls Pass Auditor Sampling Every IT SOX team dreads the same phrase: “Sample failed due to missing evidence.” Here’s how to make sure your controls pass auditor sampling every time 👇 ⚙️ Step 1️⃣ — Understand Sampling Logic 🎯 Review last year’s auditor sampling approach (random vs. judgmental). 📊 Validate your population for completeness & accuracy (C&A) before testing. ✅ Outcome: clean population accepted by auditors. ⚙️ Step 2️⃣ — Strengthen Control Execution Consistency 🧩 Create SOPs with timelines, reviewers, and evidence standards. 🎓 Train control owners on what valid evidence looks like. ⚡ Automate evidence collection where possible. ✅ Outcome: every sample looks the same — complete, accurate, on time. ⚙️ Step 3️⃣ — Pre-Test Internally 🔍 Do a mock sample test (e.g., 5 random items) before auditors arrive. 🛠️ Fix any documentation or timing gaps. ✅ Outcome: zero surprises during actual audit testing. ⚙️ Step 4️⃣ — Keep an Audit-Ready Evidence Repository 🗂️ Store evidence by control name, quarter, and date. 🔒 Use version control or GRC tools like AuditBoard or ServiceNow. ✅ Outcome: auditors find everything fast — no follow-ups, no chaos. ⚙️ Step 5️⃣ — Conduct Post-Sample Reviews 👀 Have an independent reviewer check every sampled item. 🧾 Validate timestamps, approvals, and segregation of duties (SOD). ✅ Outcome: 100% of samples pass with confidence. ⚠️ Common Pitfalls (and Fixes) ❌ Incomplete population → ✅ Validate early using system logs ❌ Missing evidence → ✅ Automate collection & reminders ❌ Late control execution → ✅ Use SLA dashboards ❌ Control owner turnover → ✅ Document roles & backups ❌ Manual controls → ✅ Automate where feasible 🧭 Final Thought Passing auditor sampling isn’t luck — it’s discipline, documentation, and design. Build maturity, automate the basics, and make every sample a non-event. 💥 Pro tip: Run your own mini-audit once a quarter — by the time auditors show up, you’ll already know the results. #ITSOX #ITAudit #TechRisk #Compliance #InternalAudit #SOXTesting #SOXCompliance #GRC #AuditReadiness #CISO

How AI Tools Enhance IT Audits AI tools are transforming IT audits by automating tasks, improving accuracy, and saving time. They streamline processes like gathering information, analyzing evidence, risk assessment, and documentation. AI supports various audit stages explained below: 1. Information Gathering: AI scans documents, extracts key details, and summarizes large reports, helping auditors focus on critical areas. It generates interview questions and provides quick access to data. Example: “Summarize ITGC controls from this document.” 2. Evidence Analysis: AI identifies patterns, flags anomalies, and highlights exceptions in logs or configurations. It reduces manual effort in analyzing system data and ensures nothing is overlooked. Example: “Detect unauthorized access or unusual activities in system logs.” 3. Creating PBC Lists: AI automates the preparation of PBC (Prepared by Client) lists based on audit scope and dynamically updates them for scope changes. Example: “Create a PBC list for ITGC covering user access and change management.” 4. Risk Assessment: AI evaluates risks, categorizes them (high, medium, low), and simulates potential outcomes. It enhances decision-making by analyzing trends and vulnerabilities. Example: “Highlight risks in access management controls for ERP systems.” 5. Risk Control Matrix Preparation: AI generates customized RCMs, maps risks to controls, and ensures alignment with standards like SOX and COBIT. Example: “Generate an RCM template for ITGC audits.” 6. Code Review: AI analyzes source code to detect vulnerabilities, inefficiencies, or non-compliance with coding standards. Example: “Identify hardcoded credentials or deprecated functions in this code.” 7. Defining Testing Attributes: AI ensures consistency by defining attributes like completeness, accuracy, and timeliness for testing controls. Example:“Provide test attributes for user access reviews.” 8. Workpaper Documentation: AI drafts work papers, organizes evidence, and maintains clear audit trails, ensuring faster and structured documentation. Example: “Prepare work papers summarizing ITGC test results.” 9. Custom Reporting: AI generates tailored reports for clients, regulators, or audit committees. It simplifies complex findings into easily understandable formats. 10. Evidence Management: AI tags, organizes, and retrieves evidence efficiently, reducing delays during audits. 11. Continuous Monitoring: AI integrates with audit management systems for real-time control monitoring, helping auditors proactively identify risks. 12. Audit Insights: AI provides actionable insights by analyzing historical audit data, highlighting recurring issues, and suggesting areas for improvement. Key Benefits of AI in Audits Efficiency: Automates repetitive tasks, saving time. Accuracy: Identifies risks and anomalies with precision. Scalability: Handles large datasets effortlessly. Consistency: Ensures uniform audit procedures. #ai #itgc #itac #sox

🌊📄🏄♂️ From Drowning in Documents to Surfing with AI: A NED's Guide to Sanity Just as a master librarian can instantly locate critical information among thousands of books, AI is that librarian who never sleeps - but for board documents and audit reports. It's a powerful tool that can multiply NEDs' productivity 10x. Take board meeting preparation for the Chair of Audit and Risk Committee (ARC) as an example. The preparation can include: 📌 Review of the agenda 📌 Familiarisation with general board papers 📌 Close review of finalised audit reports and deciding which ones to discuss in detail at the meeting 📌 Review of risk reports and risk register updates since the last meeting, including any changes to key risk ratings or emerging risks 📌 Review of any regulatory correspondence to discuss with the board 📌 Review of previous meeting minutes and follow-up on outstanding action items related to audit and risk matters 📌 Preparation of any specific updates to provide to the entire board, including key recommendations from the ARC AI can help with any of these tasks. The ARC Chair can feed all audit reports and ask which ones need to be reviewed, in addition to those with High-Risk classification, which are always reviewed. Conversely, if there are too many, the NED can ask AI for a suggestion, including a justification, which can wait until the following meeting. #BoardInnovation #AIforLeadership #CorporateGovernance #FutureOfBoards #AI #NED

NEW GUIDANCE ISSUED: GTAG – Continuous Auditing and Monitoring (3rd Edition) In today’s fast-changing business environment, internal auditors must leverage technology to stay ahead. The Institute of Internal Auditors Inc.’s updated Global Technology Audit Guide (GTAG): Continuous Auditing and Monitoring, 3rd Edition is now fully aligned with the Global Internal Audit Standards™ and offers practical insights on how continuous auditing: • Enables ongoing risk and control assessments • Uses technology for real-time data analysis • Aligns with management’s monitoring for greater efficiency • Strengthens governance and decision-making 📥 Members can download it free here: https://lnkd.in/e58kSee2 #TheIIA #InternalAudit #IIAGuidance #GlobalStandards