Using AI in an audit raises quality control questions that ISQM 1 requires firms to address directly: how AI tools are validated, how their use is documented, and how the firm prevents over-reliance on automated output. AI is a tool the firm's quality system must govern, not a replacement for that system. Abdelhamid & Co (MOE LC0106-01, FTA TAN 30003958) documents AI use as part of every engagement's quality file.
Why AI Use Is a Quality Control Issue, Not Just a Technology Choice
ISQM 1 requires a firm to design a system of quality management covering risk assessment, resources, and engagement performance. When a firm introduces AI into audit procedures — analytics, document matching, drafting — that tool becomes part of the resources and engagement performance components of the quality system. It needs to be governed the same way any other audit resource is governed: validated before use, monitored for reliability, and subject to policies on when and how staff can rely on its output.
Key Facts on AI and Audit Quality Management
| ISQM 1 Component | How AI Use Fits In |
|---|---|
| Risk assessment | Firm must assess the risk of over-reliance on AI output |
| Resources | AI tools are technological resources requiring validation before use |
| Engagement performance | Policies must define when staff can rely on AI output without independent verification |
| Monitoring and remediation | Firm must monitor whether AI-assisted engagements meet quality standards |
| Documentation | Engagement files should record what AI was used for and how it was validated |
The Over-Reliance Risk ISQM 1 Is Designed to Catch
The specific risk quality management frameworks worry about is staff treating AI output as inherently more reliable than it is, simply because it looks precise and consistent. A junior team member who accepts an AI-flagged "no anomalies found" result without understanding what the analytics actually tested is exactly the scenario ISQM 1's engagement performance requirements are meant to prevent. The firm needs policies and training that address this specifically, not generic supervision language that predates AI tools.
What Firms Should Document About AI Use
| Documentation Item | Why It Matters |
|---|---|
| Which AI tool was used and for what procedure | Allows review of whether the tool was appropriate for the task |
| How the tool's output was validated | Demonstrates the auditor did not simply accept AI output at face value |
| Who reviewed AI-assisted conclusions | Confirms appropriate supervision was applied |
| Any limitations identified in the AI tool | Supports future risk assessment and tool selection decisions |
| Training provided to staff using the tool | Demonstrates competence requirements under ISQM 1 were addressed |
Independence and Ethics Considerations
Where an AI tool is provided by a third party, firms should also consider whether using that tool creates any threat to independence or objectivity — for example, if the same AI platform is marketed by a vendor with a financial relationship to the audit client. This is a less common scenario than the over-reliance risk, but it belongs in the same governance conversation, since IESBA's conceptual framework requires firms to identify and address threats from any source, including technology vendors.
Methodology — Governing AI Use Within Our Quality System
1. Assess each AI tool before adoption against reliability, data security, and independence considerations.
2. Define firm-wide policies on which procedures AI can support and what level of independent verification is required.
3. Train staff on the specific tool's capabilities and limitations before they rely on its output.
4. Require documentation of AI use, validation performed, and reviewer sign-off on every engagement.
5. Monitor a sample of AI-assisted engagements as part of the firm's ongoing quality monitoring.
6. Update policies as tools, standards, or firm experience change.
Common Mistakes and Risks
The most common gap is firms adopting AI tools operationally without updating their quality management documentation to reflect it: the tool is in daily use on engagements, but the firm's ISQM 1 risk assessment and policies were never updated to address it. This creates a real inspection and quality risk even when the actual audit work performed was sound.
Why Choose Abdelhamid & Co
We govern our use of AI within our ISQM 1 quality management system, with clear policies on validation, supervision, and documentation for every AI-assisted procedure. See our Audit & Assurance Services.
Frequently Asked Questions
Does ISQM 1 specifically require policies on AI tools?
ISQM 1 does not name AI specifically, but its requirements for resources, engagement performance, and risk assessment apply directly to any technology tool used in an audit, including AI.
What is the biggest quality risk from using AI in audits?
Over-reliance — staff accepting AI output as a conclusion without independently verifying it, particularly for judgment-heavy areas.
Should audit firms document which AI tools they use?
Yes. Documenting the tool, its validation, and reviewer sign-off supports both engagement quality and the firm's ISQM 1 monitoring requirements.
Can using a vendor's AI tool create an independence issue?
It can, if the vendor has a financial relationship with the audit client. Firms should assess this under the IESBA conceptual framework before adopting a tool.
Do junior staff need special training to use AI audit tools?
Yes. Staff should understand a tool's capabilities and limitations before relying on its output, consistent with ISQM 1's competence and supervision requirements.
How does Abdelhamid & Co govern AI use in audits?
We validate tools before adoption, train staff on their limitations, require documentation of AI use on every engagement, and monitor AI-assisted engagements as part of our quality system.
Contact Us
To discuss AI governance within your audit quality system, contact Abdelhamid & Co in Sharjah on 00971065610040 or visit our contact page.