AI Toolkit for Audit Practitioners

I am planning an internal audit of [describe the business process or area]. The organization is a [describe industry/type, e.g., large electrical distribution company] using [describe the primary system, e.g., SAP S/4HANA]. Identify the top 8 audit risks for this area, organized by likelihood and potential impact. For each risk, briefly describe what a control failure looks like and what data or evidence would indicate the risk has materialized.

I need to design the scope for an internal audit engagement covering [describe the risk area]. The audit team has [describe data access level, e.g., direct read access to SAP transaction tables]. Draft an engagement scope statement that includes: the objective, the population and time period, the primary test approaches, the data sources required, and the key deliverables. Keep it concise enough to fit in a planning memo.

Here is a list of prior audit findings related to [describe the process area]: [paste finding titles or brief descriptions]. Analyze these findings for systemic patterns. Identify: (1) whether findings cluster around specific process steps, control types, or organizational units; (2) whether any findings suggest a root cause that was not fully addressed; and (3) what a new engagement in this area should prioritize to move beyond surface-level symptoms.

I am preparing to interview [describe the role, e.g., the accounts payable manager] about [describe the process, e.g., the invoice approval and payment process]. The audit objective is to understand [describe what you are evaluating, e.g., whether three-way match exceptions are being reviewed and resolved appropriately]. Generate 10 targeted interview questions that: (1) build understanding of how the process actually works; (2) surface where exceptions occur and how they are handled; and (3) identify whether controls that exist on paper are operating in practice. Avoid yes/no questions.

I have identified the following anomaly in [describe the data source and process area]: [describe the specific anomaly]. Before concluding this is a control issue, I want to consider all plausible explanations. Generate a structured list of: (1) benign explanations that would make this anomaly acceptable; (2) control failure explanations that would make it a finding; and (3) the specific evidence I would need to rule each explanation in or out.

I want to design a population-level data test for the following audit risk: [describe the risk, e.g., sales orders billed at a price lower than the applicable condition record with no authorized exception on file]. The system is [describe the ERP, e.g., SAP S/4HANA]. Describe: (1) the specific data fields and tables I would need; (2) the logic for the test -- what comparison or filter would identify exceptions; (3) what a true positive looks like versus a false positive I should filter out; and (4) what the result set should contain to support a finding.

I am working in SAP S/4HANA and encountered the following table or field: [paste the table name, field name, or both -- e.g., VBRK-NETWR or table BSEG]. Explain in plain language: (1) what this table or field stores; (2) which business process it belongs to; (3) how it connects to other key tables in that process; and (4) what audit-relevant information it typically contains in an electrical distribution business context.

Here is an existing audit procedure from a prior workpaper: [paste the procedure description]. This procedure currently uses statistical sampling. Redesign it as a population-level analytics test. Describe: (1) the data source and fields required; (2) the extraction and filtering logic; (3) the threshold or criteria that defines an exception; (4) what the output dataset should look like; and (5) how results would be documented as evidence. Assume access to [describe the available tool, e.g., Alteryx and direct SAP data access].

I have identified the following audit finding condition: [describe what was observed, e.g., 23% of purchase orders in the sample were approved after the goods receipt date, with the approval recorded retroactively]. Before concluding on root cause, I want to consider the full range of explanations. Generate a structured root cause analysis that considers: (1) process design failures -- was the control designed to prevent this?; (2) system configuration issues -- does the system allow or enforce the control?; (3) behavioral factors -- is this a training, incentive, or oversight issue?; (4) data integrity factors -- could the timing reflect a recording error rather than a control bypass? For each category, identify what evidence would confirm or rule it out.

Draft an audit finding in the standard condition / criteria / cause / effect format based on the following: [describe what you observed, the standard it should have met, and the evidence you have]. The finding should be appropriate for inclusion in a formal audit report. Use specific, factual language. Avoid conclusions that go beyond the evidence described. The audience is [describe, e.g., process management and the CAE]. Keep the total length under 250 words.

Draft a workpaper summary for the following audit test. Format it with these sections: Objective, Population and Period, Procedure, Results, and Conclusion. Source information: [describe the test you performed, the data you used, the exceptions you found, and your overall conclusion]. The summary should be written so that an independent reviewer could understand the work performed and the basis for the conclusion without asking follow-up questions.

Draft a control narrative for the following business process: [describe the process, including the key steps, the systems involved, and the people or roles responsible at each step]. The narrative should: (1) describe the process flow from initiation to completion; (2) identify the key controls at each significant step; (3) note where automated controls exist versus manual controls; and (4) identify where the primary risks of error or fraud are located in the process. Format it as a professional audit document.

Convert the following field notes into a clean, structured audit observation: [paste your raw notes]. The observation should: (1) describe what was observed factually and without editorial language; (2) note any open questions or items requiring follow-up; (3) identify what evidence was collected and what is still needed; and (4) flag any preliminary indicators of control issues without stating conclusions. Keep the tone professional and objective.

Here is an audit finding written for a technical audience: [paste the finding]. Rewrite it for an audit committee or senior executive audience. The rewritten version should: (1) explain the issue in plain business terms without losing accuracy; (2) state the business risk or exposure clearly -- what could happen as a result of this condition; (3) avoid technical jargon unless essential, and define it if used; and (4) end with a clear statement of what remediation would look like. Target length: 150 words or fewer.

Here is an audit finding: [paste the finding]. Here is management's proposed response: [paste the response]. Evaluate whether this response: (1) addresses the root cause identified in the finding or only the symptom; (2) proposes a specific, verifiable remediation action or uses vague language that cannot be tested; (3) includes a realistic and committed completion date; and (4) assigns clear ownership. Identify any gaps in the response and suggest specific language that would make it more defensible and testable.

Draft the [describe the section -- e.g., executive summary or background] section of an audit report for the following engagement: [describe the audit area, the scope, the key findings, and the overall conclusion]. The section should: (1) describe the purpose and scope of the engagement; (2) summarize the key findings at a level appropriate for the described audience; (3) state the overall audit conclusion clearly; and (4) be written in a professional, direct tone without hedging language. Length: [specify, e.g., one page or 300 words].

I need to brief [describe the stakeholder -- role, level, and likely reaction] on the following audit finding: [describe the finding and evidence]. Help me prepare for this conversation by: (1) drafting the key points I should lead with; (2) anticipating the three most likely objections or pushback responses and suggesting how to address each; (3) identifying what I should NOT say to avoid escalating defensiveness; and (4) recommending how to frame the remediation discussion so it feels collaborative rather than punitive.

Draft a professional follow-up email to [describe the recipient and their role] requesting [describe what is needed and why -- e.g., the original purchase order documentation for five transactions flagged in testing]. Context: [describe how long the request has been outstanding and any prior communication]. The email should: (1) be direct and professional without being accusatory; (2) state clearly what is needed, by when, and why it is necessary; and (3) note the impact on the audit timeline if the request is not fulfilled. Keep it under 150 words.

I am an internal auditor preparing to audit [describe the system or platform -- e.g., a warehouse management system, a logistics platform, or a pricing engine]. I have limited familiarity with this system. Provide an overview that covers: (1) what the system does and what business process it supports; (2) the key data it generates and what audit-relevant information it contains; (3) the most common control risks associated with this type of system; (4) the questions I should ask IT or the system owner to understand the configuration; and (5) the data I should request access to at the start of fieldwork.

I am auditing [describe the process or area -- e.g., special pricing agreement reconciliation or branch inventory adjustment practices] at a large electrical distribution company. Explain: (1) how this process typically works in an electrical distribution business context; (2) what can go wrong -- the most common control failures or risk scenarios; (3) what data would typically be available to test this; and (4) what prior audit findings in this area typically look like. Assume I understand audit methodology but am newer to the distribution industry.