AI Prompts for Auditors: A Tested Library by Audit Area [2026]
Most "AI prompts for auditors" lists you'll find online are written by marketers who've never signed an audit report. The prompts are generic ("act as an auditor and review this"), the output is unusable in a working paper, and there's no word about what to do when the model invents a section number. This post is the opposite — a library of prompts we've actually run, organised by the audit areas you work through on an engagement, with notes on how to verify what comes back.
Two ground rules before you start. First, a prompt is a drafting aid, not a conclusion — every output below has to be checked against the source before it touches a file. Second, never paste client PII or raw books into a public LLM; the DPDP-safe section near the end shows you how to get the same quality with anonymised inputs. With that understood, here's the library.
How to use this library
Each prompt below is built to a pattern: give the model a role, the standard or framework, the specific input (anonymised), and the output format you want. Vague prompts produce vague output, so the examples are deliberately specific. Paste one in, replace the bracketed placeholders with your (anonymised) facts, and read the result as a junior's first draft — useful, fast, and wrong often enough that you must check it.
A note on tools: free-text prompting is excellent for drafting, reasoning, and explaining. It is poor at anything that must be reproducible — run the same prompt twice and you can get two different answers, which is fatal for sampling, recalculation, or 100% population testing. Where reproducibility matters, we flag it and point you to a deterministic engine that produces the same output every time on the same data.
Risk assessment and analytical procedures
This is where AI earns its keep early in the engagement: turning a trial balance into a set of risk hypotheses and explainable variances. Keep the numbers anonymised (entity name removed, figures are fine) and you stay well inside DPDP.
You are a statutory auditor planning a FY2024-25 audit under the SAs.
Here is a two-year comparative trial balance summary (figures in ₹ lakh):
[paste anonymised summary — account, CY, PY].
1. Compute year-on-year movement (₹ and %) for each line.
2. Flag movements that warrant analytical investigation under SA 520,
stating WHY each is a risk (not just that it moved).
3. List the three accounts I should prioritise for substantive work
and the assertion at risk for each.
Output as a table. Do not invent figures not in my input.
Acting as an audit senior, draft 8 analytical-review expectations for a
[manufacturing / trading / services] company before I see the numbers —
e.g. expected gross-margin direction, expected interest-to-debt ratio,
expected employee-cost-to-revenue trend. For each, state the business
logic so I can challenge management if actuals diverge.
I have these ratios for CY vs PY: [paste anonymised ratios].
Explain the FOUR most plausible business reasons for each significant
shift, and for each reason, the ONE corroborating document I should
request from management to confirm it.
Verify: the model's arithmetic on movements is usually fine but spot-check two or three lines yourself — LLMs do drop digits. Treat every "risk" it raises as a hypothesis to test, not a finding. The expectations prompt is safe to trust because it's reasoning, not recall.
Ledger scrutiny
Useful for getting from a wall of Tally entries to a shortlist worth opening. The model is good at spotting patterns in narrations and amounts you describe to it; it cannot see your Tally file, and you should not upload it.
Below are anonymised ledger narrations and amounts from a single expense
ledger [paste — date, narration, ₹ amount, no party names].
Identify entries that an auditor would scrutinise further and group them by
reason: round-sum amounts, weekend/holiday postings, narration mismatch
with the ledger head, or unusually large items. Explain each flag in one line.
Here is the monthly trend of [ledger name] over 12 months (₹): [paste].
Which months break the pattern, and what are the likely causes
(provision reversal, year-end adjustment, reclassification)? Tell me what
to ask the client to explain each break.
Draft a ledger-scrutiny checklist for the "Repairs & Maintenance" account
for a company audited under the Companies Act 2013, focused on the
capital-vs-revenue distinction and the risk of expensing capital items.
Verify: open every flagged entry in Tally and read the actual voucher — the model is working only from what you pasted, so its flags are leads, not conclusions. The capital-vs-revenue checklist is reliable but cross-check thresholds against the entity's own capitalisation policy.
Journal-entry testing (SA 240)
SA 240 requires you to test journal entries for fraud risk. AI is genuinely useful for designing the test and explaining a flagged entry — but the actual selection of entries from a full population is exactly where you should not rely on free-text prompting.
Under SA 240 paragraph 32(a), I must test journal entries for fraud risk.
Design a set of risk-based JE selection criteria for a mid-size Indian
manufacturer using Tally, covering: entries to revenue near period-end,
round-sum manual journals, entries by senior/unusual users, entries with
blank or vague narrations, and entries that debit expense and credit
suspense. For each criterion, explain the fraud hypothesis it addresses.
Here is one anonymised journal entry the criteria flagged:
[date, accounts Dr/Cr, ₹ amount, narration, posted-by role].
Walk through what's unusual about it, the three innocent explanations,
the three fraud-risk explanations, and the evidence that would
distinguish between them.
Explain, in plain language for my file, why testing 100% of manual
journal entries gives stronger SA 240 coverage than sampling, and what
documentation I should keep to evidence the completeness of the population.
Why deterministic beats prompting here: an LLM cannot reliably apply criteria across a 200,000-row journal, and it won't give the same selection twice — so you can't reproduce or defend it. Run the selection and 100% testing through a deterministic core that applies the rules identically every time and logs the population, then use the prompt above only to explain the entries it surfaces. See our note on 100% population testing versus sampling.
GST and TDS reconciliation
AI is a fast reconciler-explainer: tell it the differences and it'll classify them and tell you what to chase. The numbers must come from your reconciliation; never paste GSTINs, supplier names, or invoice-level PII into a public model.
I'm reconciling GSTR-2B with the purchase register for a quarter.
Here are the difference buckets (₹, count of invoices), no party data:
[paste]. For each bucket, give the likely cause (timing, ITC ineligible
u/s 17(5), supplier non-filing, RCM), the ITC implication, and the
client action I should request.
Draft a working-paper note explaining the GSTR-3B vs GSTR-1 vs books
revenue reconciliation for FY2024-25, with the standard reconciling items
an Indian auditor expects (advances, credit notes, schedule-vs-month
cut-off, exempt supplies) and where each typically arises.
Here are TDS amounts: deducted per books ₹___, deposited per challans ₹___,
reflected in Form 26AS ₹___, per 26Q returns ₹___.
List every reconciling item that could explain the gaps and the section-wise
checks (194C, 194J, 194Q) I should perform, including interest u/s 201(1A)
exposure if any short-deduction is found.
Verify: the model does not have live access to GST law changes or your actual returns — confirm every section reference (especially 17(5) blocked-credit items and the 194Q/206C interplay) against the bare Act or a current commentary. Recompute any interest figure yourself.
Working-paper drafting (SA 230)
This is the highest-value, lowest-risk use of AI on the engagement: turning your rough conclusion into a structured working paper. You bring the judgement; the model brings the structure and the prose.
Turn my rough notes into a structured audit working paper.
Notes: [paste your anonymised conclusion and the procedures you performed].
Use this structure: Objective | Procedures performed | Results | Conclusion |
Standards relied on. Keep it factual, no boilerplate, no claims I haven't
made. Flag anything in my notes that is a conclusion without stated evidence.
I tested [area] and concluded [conclusion]. Draft the SA 230 documentation
showing the nature, timing and extent of procedures, the significant matter,
and the professional judgement applied — so a reviewer who wasn't there can
follow what I did and why.
Review this draft working paper for SA 230 sufficiency.
[paste]. Tell me what a quality reviewer or NFRA inspector would mark as a
gap: missing linkage to risk, conclusion not supported by stated work, or
absent rationale for a judgement. Don't rewrite it — list the gaps.
Verify: the "flag conclusions without evidence" and "list the gaps" framings are deliberate — they make the model a critic of your file rather than an author of unsupported text. Read every drafted line and delete anything asserting a procedure you didn't actually perform. This pairs well with a Claude Projects working-paper workflow.
CARO 2020 clause analysis
Twenty-one clauses, each with sub-clauses, and the wording matters. AI is good at translating a clause into the specific checks and a draft reporting paragraph — provided you verify the clause text, because this is a prime hallucination zone.
For CARO 2020 clause (i)(c) on title deeds of immovable property, list:
the exact information the clause requires me to report, the procedures to
obtain it, the documents to inspect, and a template reporting paragraph for
BOTH the "no exceptions" and "exceptions noted" cases.
A company has [describe facts: defaulted on a ₹__ term loan repayment of
__ days, has loans to related parties of ₹__, made no CSR contribution].
Which CARO 2020 clauses are triggered, what does each require me to report,
and draft the reporting language for each. Cite the clause number.
Give me a CARO 2020 clause-by-clause data-request list I can send the client
— for each clause, the one or two documents/schedules I need to form my view.
Verify — important: confirm every clause number and its requirement against the actual CARO 2020 order text, not the model's memory. Clause numbering is precisely where LLMs hallucinate (claiming clause (xvi) covers something it doesn't). Use the prompt to draft, then check the order. For the deeper reporting-defensibility question, see AI hallucinations in audit.
Going concern (SA 570)
Going concern is judgement-heavy and disclosure-sensitive — exactly the kind of reasoning task where a good prompt helps you think, as long as you keep entity identifiers out.
Acting under SA 570, here are anonymised indicators for an entity:
[net current liabilities ₹__, recurring losses ₹__ for __ years, loan
covenant breach, key customer lost]. Classify each as a financial,
operating or other indicator of going-concern doubt, assess whether
they collectively suggest material uncertainty, and list the mitigating
factors and evidence I should obtain before concluding.
Management has given a going-concern assessment relying on [a parent
support letter / projected cash flows / a refinancing in progress].
For each, tell me the audit procedures to evaluate it and the specific
weaknesses I should probe (e.g. is the support letter legally binding,
are the projection assumptions corroborated).
Based on the conclusion that a material uncertainty EXISTS and is
adequately disclosed, draft the "Material Uncertainty Related to Going
Concern" paragraph for the audit report per SA 570, and tell me where it
sits relative to the opinion paragraph.
Verify: the report-paragraph structure under SA 570 is something to confirm against the standard — placement and wording of the material-uncertainty paragraph are testable facts, not judgement. The procedures and probing questions are reasoning and generally reliable, but the conclusion is yours alone.
Audit report drafting
Modifications, EOM paragraphs, and KAMs have prescribed structures. AI drafts them quickly; you must confirm the structure and supply the substance.
I am issuing a QUALIFIED opinion because [describe the matter and its ₹
quantified effect, anonymised]. Draft the Basis for Qualified Opinion
paragraph and the Qualified Opinion paragraph per SA 705, quantifying the
effect and keeping the language precise. Tell me what must NOT change in
the standard opinion wording.
Draft a Key Audit Matter paragraph (SA 701) for [revenue recognition /
expected credit loss / inventory valuation], following the why-it-was-a-KAM
and how-we-addressed-it structure, leaving placeholders for the specific
procedures I performed.
Explain the difference between an Emphasis of Matter paragraph and a
qualification for [my fact pattern], so I choose correctly under SA 706
vs SA 705.
Verify: standardised report wording (the opinion paragraph, headings) must match the SA format exactly — check it against the standard, not the draft. KAM and EOM substance is yours. For choosing the right model for each of these tasks, see which AI model CAs use by task.
How to prompt safely (DPDP)
The DPDP Act 2023 makes you accountable for personal data you process — and pasting a client's ledger, with names, PAN, GSTINs and salary data, into a public chatbot is processing it on a third-party server you don't control. Three rules keep you safe:
- Anonymise before you paste. Strip names, PAN, GSTIN, addresses, and bank details. Replace parties with "Party A", "Vendor 1". Figures and dates are usually fine — the audit logic doesn't need the identity.
- Aggregate where you can. "Repairs ledger, 12-month trend, ₹" is far safer than 400 line-level vouchers, and it's often more useful for the model.
- Prefer enterprise/no-train deployments for anything sensitive. Where data can't be fully anonymised, use a tool with a data-processing agreement and training switched off — not a free consumer account.
Build these into reusable, pre-anonymised templates so safety isn't a per-prompt decision. Our DPDP-safe prompt template library for CA firms gives you those templates ready to adapt. For audit areas where even anonymised free-text isn't defensible enough — population testing, recalculation, anything a reviewer must reproduce — an AI audit agent built on a deterministic core keeps the data inside your environment and produces the same result every run. If you'd like to see that distinction in practice, the demo walks through a worked engagement.
A final discipline, drawn from these prompts collectively: notice how the verification note never says "trust it". Every prompt is a draft generator, and your sign-off rests on the source you checked, not the text the model produced. That habit — draft fast, verify always — is what makes AI defensible in an Indian audit file.
Frequently Asked Questions
Are AI prompts reliable enough to use in an actual audit file?
A prompt is a drafting aid, not a conclusion. Every output has to be checked against the source before it touches a working paper, and you should read each result as a junior's first draft: useful and fast, but wrong often enough that you must verify it. Prompts are strongest for drafting, reasoning and explaining, and weakest at anything that must be reproducible, such as sampling or population testing.
Can I paste a client's Tally ledger or GST data into ChatGPT or Claude?
Not in raw form. Under the DPDP Act 2023 you are accountable for the personal data you process, and pasting names, PAN, GSTINs or salary data into a public chatbot is processing it on a server you do not control. Strip identifiers and replace parties with labels like "Vendor 1", aggregate where you can, and for sensitive work use an enterprise deployment with a data-processing agreement and training switched off.
Why do auditors get different answers when running the same prompt twice?
Free-text language models are not deterministic, so the same prompt can produce different output each time. That is fine for drafting and explanation but fatal for journal entry selection, recalculation or 100% population testing, where a reviewer must reproduce your work. For those tasks, run the selection and testing through a deterministic engine that applies the rules identically every run, and use prompts only to explain the entries it surfaces.
Where do AI models hallucinate most when used for Indian audit work?
The biggest risk is statutory citation: CARO 2020 clause numbers, Standards on Auditing references, GST sections like 17(5) blocked credits and the 194Q interplay, and the exact wording of report paragraphs under SA 705 and SA 706. Models frequently invent or misattribute these. Use the prompt to draft, then confirm every clause number and section against the bare Act, the CARO order text or the actual standard.
Which audit tasks are safest to use AI prompts for?
Working-paper structuring under SA 230 is the highest-value, lowest-risk use: you bring the judgement and the model brings the structure and prose, especially when you ask it to flag conclusions without evidence rather than author new claims. Analytical-review expectations and going-concern reasoning are also generally reliable because they are reasoning rather than recall. Anything requiring a precise statutory citation or reproducible selection needs verification or a deterministic tool.