How Do I Document AI Tool Use to Meet FRC Audit Requirements?
Short answer
A quick answer first, then the fuller context below.
The FRC expects you to document your AI tool use in audit. Learn how to create an audit trail that satisfies regulatory scrutiny.
Detailed answer
The fuller context, trade-offs and practical steps behind the short answer.
This article is for informational purposes only and does not constitute audit or legal advice. You should consult with a qualified professional before making any decisions about the use of AI in your firm.
The Financial Reporting Council (FRC) has fired the starting gun on AI in audit. Their June 2025 guidance is not a friendly suggestion; it is a clear statement of regulatory expectation. If you are using AI in your audit process and you cannot document it properly, you cannot defend it. It is that simple.
For years, auditors have been experimenting with AI, often in the shadows. But as the FRC noted, "AI tools are now moving beyond experimentation to becoming a reality in certain audit scenarios." That reality comes with rules. The FRC is not interested in your AI vendor's marketing brochure or their promises of efficiency. They want to see your working. They want to see a clear, documented trail that shows how you are using AI to enhance audit quality, not just cut corners.
The End of "The Computer Says So"
The core message from the FRC is that "the computer says so" is not a valid audit opinion. Your documentation needs to go far beyond simply stating that an AI tool was used. It needs to form a bridge between the AI's output and your professional judgment, grounded in the International Standards on Auditing (ISAs).
Your documentation must demonstrate compliance with several key ISAs:
| ISA (UK) | How it Applies to AI Documentation |
|---|---|
| ISA 220 (Quality Management) | Your documentation must show that the use of the AI tool is consistent with the firm's quality management policies and that the engagement partner has taken responsibility for its use. |
| ISA 230 (Audit Documentation) | The documentation must be sufficient to enable an experienced auditor, with no prior connection to the audit, to understand the work performed, the evidence obtained, and the conclusions reached. This now includes understanding the role of the AI. |
| ISA 500 (Audit Evidence) | The AI's output is not, in itself, sufficient appropriate audit evidence. Your documentation must show how you have corroborated that output and satisfied yourself as to its reliability. |
| ISA 200 (Overall Objectives) | You must document how you have maintained professional scepticism throughout the process, challenging the AI's assumptions and outputs rather than blindly accepting them. |
A Practical Framework for AI Audit Documentation
So, what does good documentation look like in practice? It is not about creating a mountain of paperwork. It is about creating a clear, logical, and defensible record. Here is a framework to follow for each instance where an AI tool is used in an audit:
1. The Rationale: Why Are You Using This Tool?
- Objective: State the specific financial statement assertion you are testing (e.g., the valuation of inventory, the completeness of revenue).
- Justification: Explain why the AI tool is an appropriate and effective method for gathering evidence on this assertion. How does it enhance the quality of the audit beyond traditional methods?
2. The Process: What Did You Do?
- Tool Identification: Name the specific AI tool used (e.g., "PwC Agent OS," "KPMG Workbench," or a specific vendor tool).
- Data Inputs: Precisely define the data population that was fed into the AI (e.g., "the complete general ledger for the period 1 January to 31 December 2025").
- Parameters: Document the specific settings, queries, or parameters used to run the tool. This is critical for reproducibility.
3. The Output: What Did the AI Find?
- Raw Output: Include a summary or reference to the direct output from the AI tool (e.g., "the AI identified 157 journal entries that met the criteria for high-risk indicators").
4. The Verification: How Do You Know It Is Right?
- Auditor's Corroboration: This is the most important step. Document the independent procedures you performed to verify the AI's findings. For example, "We selected a sample of 30 of the 157 high-risk journals and manually vouched them to supporting documentation."
- Assessment of Limitations: Acknowledge the known limitations of the tool. For example, "The AI model is not designed to detect collusion, so we performed separate manual procedures to address this risk."
5. The Conclusion: What Does It All Mean?
- Auditor's Conclusion: Based on the AI's output and your independent verification, state your professional conclusion regarding the audit assertion.
The Bottom Line: Documentation is Your Defence
The FRC's guidance has drawn a line in the sand. The era of informal AI experimentation in audit is over. If you are going to use these powerful tools, you need to do so within a structured, governed, and, above all, well-documented framework.
Your audit file is your primary defence. It is the evidence that you have acted with professional competence and due care. When it comes to AI, if it is not in the file, it did not happen. And in the eyes of the FRC, that is a risk you cannot afford to take.
Take the Next Step
If you are ready to move from theory to action, I can help. My AI Audit gives you a comprehensive assessment of your firm's AI readiness, identifying the gaps in your governance, the risks in your current tooling, and a clear roadmap to get you where you need to be.
FAQs
Direct follow-up answers written for searchers, buyers and internal decision makers.
What should the audit trail prove?
The audit trail should prove what tool was used, what data went in, what the AI produced, who reviewed it, what changed before use and why the final decision was acceptable. It should support accountability, not create paperwork for its own sake.
How detailed does the record need to be for an accountancy firm?
The record should match the risk. Low-risk internal drafting may need a light note. Client-impacting, regulated or sensitive work needs stronger evidence of data controls, human review, approval and final judgement.
What is the common mistake with AI evidence?
The common mistake is recording that AI was used without recording how it was controlled. A useful record shows boundaries, review and responsibility, not just the name of the tool.
Who should own the evidence standard?
Ownership should sit with the accountable workflow owner, with compliance, risk, data protection or senior management involved where the work affects clients, regulated decisions or confidential information.