CORAA University · Tool
AI Risk Assessment Matrix for Auditors
When your client uses AI in their business, what risks should you assess? Map AI risks to SA 315 risk assessment procedures.
Client AI Profile
Risk Assessment — 15 Questions
Rate each risk factor from 1 (Low risk) to 5 (High risk)
Model Risk
Avg: 3/51. Is the AI model a black box (unexplainable)?3/5
Low RiskHigh Risk
2. How frequently is the model retrained/updated?3/5
Low RiskHigh Risk
3. Has the model been independently validated?3/5
Low RiskHigh Risk
Data Risk
Avg: 3/51. Is the training data biased or unrepresentative?3/5
Low RiskHigh Risk
2. Are data inputs validated before feeding the model?3/5
Low RiskHigh Risk
3. Is there proper data governance (lineage, quality, access)?3/5
Low RiskHigh Risk
Operational Risk
Avg: 3/51. Is there human oversight of AI decisions?3/5
Low RiskHigh Risk
2. Are there fallback procedures if the AI system fails?3/5
Low RiskHigh Risk
3. Is there monitoring for model drift or degradation?3/5
Low RiskHigh Risk
Compliance & Regulatory Risk
Avg: 3/51. Does the AI system comply with applicable regulations (RBI, SEBI, etc.)?3/5
Low RiskHigh Risk
2. Is there documentation of the AI system's design and operation?3/5
Low RiskHigh Risk
3. Are there ethical guidelines for AI use?3/5
Low RiskHigh Risk
Financial Statement Impact
Avg: 3/51. Could AI errors materially affect financial statements?3/5
Low RiskHigh Risk
2. Are AI-derived estimates (provisions, valuations) material?3/5
Low RiskHigh Risk
3. Is the AI system part of the client's internal controls?3/5
Low RiskHigh Risk
3
Overall Risk Score (out of 5)
High
Overall Risk Rating
0
High-Risk Categories
Risk Heat Map
Model Risk3/5 · High
Data Risk3/5 · High
Operational Risk3/5 · High
Compliance & Regulatory Risk3/5 · High
Financial Statement Impact3/5 · High
Low (≤2) Moderate (2-3.5) High (>3.5)
Recommended Audit Procedures
Model Risk
High Risk- •Test model outputs against manual calculations
- •Review model validation reports and methodology
- •Assess explainability documentation and audit trail
Data Risk
High Risk- •Test input controls and data validation procedures
- •Verify data completeness and representativeness
- •Review data governance framework and access controls
Operational Risk
High Risk- •Test override controls and human review procedures
- •Review incident logs and business continuity plans
- •Evaluate model monitoring and alerting mechanisms
Compliance & Regulatory Risk
High Risk- •Review regulatory filings and compliance certifications
- •Test compliance monitoring procedures
- •Assess ethical AI policy and governance framework
Financial Statement Impact
High Risk- •Perform substantive procedures on AI-generated amounts
- •Test reasonableness of AI-derived accounting estimates
- •Evaluate design and implementation of AI-related controls
SA 315 Risk Assessment Mapping
Model Risk
Understand the entity's AI models as part of the information system (SA 315.18-19)
Data Risk
Evaluate IT general controls over data integrity (SA 315.21)
Operational Risk
Assess control activities over AI operations (SA 315.26)
Compliance & Regulatory Risk
Identify regulatory compliance risks affecting financial reporting (SA 315.11)
Financial Statement Impact
Identify and assess risks of material misstatement from AI systems (SA 315.25-30)
Key Insight: Auditing AI Systems
The client's AI system presents high risk. Significantly expand substantive procedures for AI-affected balances. Consider engaging an IT audit specialist or AI expert. Test AI outputs against independent calculations and assess whether management's oversight is sufficient.
Need help auditing AI-powered clients?
CORAA helps auditors navigate AI risks with automated testing and documentation.