Using AI in statutory audit.

Where AI helps in an Indian statutory audit, where it does not, what to keep off the prompt, and how to document AI use under SA 230. Written for practising CAs, not for marketing decks.

1 · The moment we’re in.

ICAI’s AI portal is live. AICA Level 1 is running. The CRET committee will roll AI into the core CA syllabus by 2028. The Big Four have spent close to a billion dollars between them building AI academies for their staff. Vendors are pitching audit-specific AI tools every week. Whether you adopt or not, your clients and your reviewers will assume you have an informed view by next audit cycle.

This guide is the working CA’s view of where to start. It deliberately avoids two failure modes: (a) the “AI changes everything” sermon, and (b) the “upload your trial balance to ChatGPT” recklessness. The auditor’s job — under SA 200, the Companies Act 2013, and the ICAI Code of Ethics — is unchanged. AI is a tool. You decide what it does.

2 · One principle, then everything else.

AI assists. The auditor decides. Every output from a model — an anomaly score, a draft CARO clause, a sample selection, a management letter sentence — is an input to your judgement, never a substitute. Your opinion under Section 143 remains yours. Your file under SA 230 must show that you evaluated the AI’s output, didn’t merely receive it.

This single principle resolves nine out of ten difficult questions about AI in audit. Whose responsibility is a hallucinated cite that ended up in a management letter? Yours. Who answers for a sample that the AI missed a fraud in? You. Who decides when AI is the right tool for a task? You, before each engagement, documented in the audit strategy.

The remaining one in ten questions is about data — what you can put into a model, what you cannot, and how to think about it. That’s the next section.

3 · What you keep off the prompt.

An auditor is, in practice, a processor of someone else’s personal and commercial data. Your engagement letter and the Companies Act both bind you to confidentiality. Consumer AI tools — ChatGPT’s free tier, Gemini, Copilot, the public Claude interface — are not designed to receive that data. Their retention practices vary, their training-data carveouts vary, and their hosting is outside India. The safe heuristic is: treat a consumer LLM the way you would treat posting on a public forum.

You don’t need to be a privacy lawyer to make good decisions here. Three questions before any prompt:

• Would I be comfortable if this prompt ended up in a competitor’s training set or in a search result?
• Does the prompt contain anything that identifies the client, an individual, or the engagement? (Client name, PAN, GSTIN, employee name, customer master, bank account, address.)
• Could I reframe the question as a methodology question without losing what I need?

If the answer to the third question is yes, do that. Most audit AI use is methodology work disguised as data work — “how do I test the completeness of revenue at a manufacturing SME?” gives you 80% of what “test ABC Pvt Ltd’s revenue completeness” would give you, with none of the exposure.

When you genuinely need a tool to process client data — to scan a ledger, to extract figures from a PDF, to reconcile two large files — that’s no longer a consumer LLM question. That’s an audit-grade tool question (covered in Section 6).

4 · Where AI helps, by audit phase.

Not every part of the audit benefits equally from AI. Below is where the leverage actually is in 2026, broken down by the standard phases of an Indian statutory audit. The pattern: AI is strongest in language work, pattern work, and repetitive lookup work. It is weakest in judgement-heavy work, novel evaluation, and concluding work.

4.1 · Acceptance and planning

Reasonable AI assistance: drafting the engagement letter from a template, summarising the client’s industry and key risks (using public information only — not internal data), building the audit strategy memo skeleton.

What you still do yourself: deciding whether to accept the engagement (SA 220 / SQM 1 — judgement), setting materiality (judgement-heavy and engagement-specific), confirming independence (a personal and firm-level attestation, not delegable).

4.2 · Risk assessment

Reasonable AI assistance: brainstorming risks of material misstatement based on described industry and entity characteristics, generating a list of potential fraud schemes for the client’s sector to consider, drafting the risk register skeleton.

What you still do yourself: rating the likelihood and magnitude, mapping risks to control responses, writing the planned audit response. SA 315 (Revised) is explicit that risk assessment is the auditor’s professional judgement.

4.3 · Substantive testing — pattern detection

This is where audit-grade AI tools (not consumer LLMs) actually shift productivity. Anomaly-detection engines like MindBridge run risk-scored passes over a full general ledger; document-extraction tools like DataSnipper let you cross-reference dozens of supporting documents at a fraction of the manual time. The auditor evaluates the flagged items.

What you still do yourself: deciding the testing strategy, evaluating each flagged item, writing the conclusion, sampling defence. The tool produces a list; you produce the audit evidence.

4.4 · Substantive testing — vouching, reconciliations, cut-off

Reasonable assistance: AI helps reconcile two large files, identify duplicate transactions, generate cut-off testing programmes for revenue and purchases, surface unusual journal-entry patterns. Most of this work used to take days of junior time; it now takes hours of well-supervised junior time.

4.5 · CARO 2020 reporting

Reasonable assistance: drafting clause-wise observations once the underlying conclusions are in, checking that all 21 clauses have been addressed (including not-applicable reasoning), maintaining a consistent voice across all clauses for the annexure.

What you still do yourself: the underlying audit work for each clause. AI can write the clause-(iii) observation, but it cannot decide whether loans were granted to specified persons under Section 185 — that comes from your fieldwork.

4.6 · Communication and drafting

This is where AI is the strongest performer in audit, full stop. Engagement letters, management representation letters (after you’ve done the SA 580 work), communication with TCWG under SA 260, management letter findings, the basis-for-opinion paragraph in a modified audit report — all of these benefit hugely from AI drafting, because they are language work over a fact pattern you already own.

The trick: give the AI the fact pattern (anonymised) and let it produce the prose. Do not ask the AI what the conclusion should be.

4.7 · Concluding work and opinion

AI’s role here drops to zero. The audit opinion under SA 700, the going-concern conclusion under SA 570, the determination of key audit matters under SA 701, the dating of the audit report under SA 700.49 — all of these are concluding judgements that belong to the engagement partner. The Standards are clear about this; the ICAI Code of Ethics is clear about this; common sense is clear about this.

You can use AI to format the audit report. You do not use AI to write its conclusion.

5 · Documenting AI use under SA 230.

SA 230 (Audit Documentation) is the file you need to be able to defend. The standard requires that an experienced auditor, having no previous connection with the audit, can understand from your file the nature, timing and extent of the audit procedures performed; the results obtained and audit evidence obtained; and the significant matters arising during the audit and conclusions reached on them.

When AI is part of how you got somewhere, the file needs to show it. The pattern below works and should sit in your working paper template:

Audit Procedure: [e.g. Journal Entry Testing]
Date Performed: [DD-MMM-YYYY]
Performed By: [Initials], [Role]
Reviewed By: [Initials], [Role]

AI Tool Used: [e.g. MindBridge v4.2 / ChatGPT-5 / DataSnipper 6.1]
Purpose: [What we asked the tool to do — be specific]
Inputs: [What we gave it — describe in categorical terms,
         e.g. "12 months of GL exported from Tally — entries posted
         by user IDs other than the regular accountants"]
Outputs: [What we got back — counts, flagged items, draft text]
Auditor's Evaluation: [What we did with the output —
                       "We reviewed each of the 47 flagged entries
                       against the underlying document. 12 were
                       reclassifications, 30 were valid period-end
                       accruals, 5 required follow-up which is at
                       working paper [Ref]"]
Conclusion: [What we concluded — this is the auditor's judgement,
             not the AI's]

The auditor’s evaluation field is the most important. It’s what makes the working paper defensible if the file is ever reviewed by ICAI, NFRA, peer review, QRB, or a court. It demonstrates that you didn’t outsource the audit to the tool.

6 · The 2026 tool landscape, briefly.

You don’t need to learn everything. You need to know which tool exists for which job, and pick the one or two that fit your engagement type. The categories break into three rough tiers — single-job specialist tools, horizontal LLMs, and the integrated audit-AI engine built specifically for Indian CA firms.

Single-job specialist tools

Each of these does one thing well. Useful as point solutions; you stitch them together for a workflow.

• Full-population anomaly detection on GL/transactions — MindBridge, Inflo. Run a scored pass over an entire general ledger; you evaluate the flagged items.
• Document extraction and cross-referencing inside Excel — DataSnipper. Used by all four Big-4 firms and roughly 150,000 auditors globally as of 2026. Sits inside Excel as an add-in.
• Lease and revenue recognition automation — Trullion (Ind AS 116 and 115).
• Research and document Q&A over public filings — AlphaSense.
• GRC, risk and quality management documentation — AuditBoard.

Horizontal LLMs

ChatGPT, Claude, Gemini, Microsoft Copilot. Free tiers good enough for methodology questions and drafting. Enterprise tiers (which contractually do not train on inputs) reasonable for non-sensitive work. See the tool guides for tool-specific deep dives.

Indian accounting + tax stack

These are ledger and compliance tools, not audit engines — useful upstream of the audit, not as a substitute for it.

• Tally Prime with Tally AI — most CA firms’ clients live here. Audit data starts as Tally exports.
• Zoho Books with Zoho AI — gaining share with SMB clients.
• ClearTax — tax filing surface (ITR, GST, TDS). Compliance-side, not audit.

Integrated audit-AI for Indian CA firms

The category we sit in. Different shape from everything above — not a single-job tool, not a horizontal LLM, not a tax-filing surface. CORAA is an end-to-end audit engine built around the Indian SA / Ind AS / Companies Act framework. Seven hubs span the whole engagement:

• Engagement Setup — ERP connectors for Tally / Zoho / SAP / NetSuite / Busy / Marg; ledger classification done once, persisted across engagements.
• Scrutiny — 164 rules across 13 modules. SA 240 journal-entry testing, related-party rings, weekend / round-number / management-override patterns. Full-population, not sampled.
• Reconciliation — Books ↔ GSTR-2A / 2B / 3B, 26AS, AIS, 27EQ. Three-bucket classification embedded into the working paper.
• Procedures — SA 320 materiality with the ICAI band, SA 530 sampling with the formula and seed printed per working paper, SA 570 going-concern indicators, SA 510 opening balances.
• Working Papers — lead schedules, AR / AP ageing, PPE roll-forward, AS 3 / Ind AS 7 cash flow, SA 230 documentation. Every WP linked back to the underlying transactions.
• Findings — auto-classified by materiality band under SA 450. Findings above performance materiality block the SA 700 sign-off path until the partner clears them.
• Reporting — CARO 2020 (clause-by-clause), Schedule III, Form 3CD, Independent Auditor’s Report under SA 700. UDIN-gated seven-step sign-off.

The product positions itself differently from a chatbot: every output is traceable back to the transaction that triggered it. India-hosted, DPDPA 2023 compliant, ISO 27001 / SOC 2 Type II, no training on customer data.

See the AI Modules for the full hub-by-hub breakdown, or book a 20-minute walkthrough for a live tour. Specific tool walkthroughs for the other categories above live in the Tool Guides section of the Lab.

7 · Verifying AI output. The auditor’s job, every time.

Models hallucinate. They quote sections of the Companies Act that don’t exist. They mis-cite SAs. They confidently state the wrong CARO clause number. They invent ICAI announcements. They mix up Ind AS and IFRS where the two diverge. None of this is a reason to avoid them — it’s a reason to verify every output that’s going to leave your file.

Three verification habits worth building into how juniors use AI:

• Cite-check every reference. If the AI quotes Section 188(1) of the Companies Act, open the actual Section 188(1) and confirm. If it quotes SA 540 on accounting estimates, open SA 540 and confirm. Treat AI citations as you would treat a junior’s citation in a working paper.
• Diff against the source. When AI summarises a contract, a board minute, a circular — keep the source in the file and ensure the summary doesn’t introduce facts that weren’t in the source. (Adding plausible-sounding but unstated terms is a common hallucination pattern.)
• Stress-test conclusions. If the AI proposes a conclusion — “this looks like a related-party transaction” — ask it to argue the opposite. If the counter-argument is equally plausible from the same inputs, you have a judgement question, not a conclusion.

When a junior catches a hallucination, log it. The prompt library has a “hallucination log” template at the bottom — five rows per engagement is a healthy practice signal.

8 · The ICAI path.

The Lab is a practice ground, not a credential. If you want a credential in AI for audit, the authoritative path runs through ICAI:

• AICA Level 1 — AI for Chartered Accountants. Foundation programme via ICAI’s AI portal.
• AURA — ICAI’s AI programme for CA students. Worth recommending to articled assistants in your firm.
• AI Innovation Summit — annual event, runs structured CPE hours and surfaces what other firms are doing.
• CRET-revised CA curriculum — AI, ESG and data analytics being integrated into the core CA syllabus by 2028. Affects everyone training new staff from this year.

Use the Lab to build hands-on familiarity. Use ICAI’s programmes for the credential and the CPE hours. The two are complementary; nothing in the Lab is meant to replace any of them.

9 · Where to start, this week.

If you’ve read this far, the smallest next step that compounds:

• Pick one drafting task in your current engagement (the engagement letter, an SA 260 communication, a CARO clause draft). Use the prompts in the Lab’s prompt library to draft it.
• Add the SA 230 documentation block (Section 5 above) to one working paper. See how it reads to someone with no prior connection to the audit.
• Spend 20 minutes verifying the AI’s citations. Build the habit.
• Sign up your firm for AICA Level 1 if you haven’t. The credential matters; the Lab does not.

The aim of the Lab — and of CORAA more broadly — is for AI to become invisible in a good audit. Not the thing you talk about. The thing that makes the file cleaner, the juniors faster, and the partner calmer. You judge. The tools work.