CORAA

When your client uses AI, what should you audit?

Map AI risks to SA 315 risk-assessment procedures. 15 questions across 5 categories: model, data, operational, compliance, and financial statement impact.

Risk assessment: 15 questions
Rate each risk factor: 1 (Low risk) to 5 (High risk)
Model Risk (Avg 3/5)
1. Is the AI model a black box (unexplainable)? 3/5
2. How frequently is the model retrained/updated? 3/5
3. Has the model been independently validated? 3/5
Data Risk (Avg 3/5)
1. Is the training data biased or unrepresentative? 3/5
2. Are data inputs validated before feeding the model? 3/5
3. Is there proper data governance (lineage, quality, access)? 3/5
Operational Risk (Avg 3/5)
1. Is there human oversight of AI decisions? 3/5
2. Are there fallback procedures if the AI system fails? 3/5
3. Is there monitoring for model drift or degradation? 3/5
Compliance & Regulatory Risk (Avg 3/5)
1. Does the AI system comply with applicable regulations (RBI, SEBI, etc.)? 3/5
2. Is there documentation of the AI system's design and operation? 3/5
3. Are there ethical guidelines for AI use? 3/5
Financial Statement Impact (Avg 3/5)
1. Could AI errors materially affect financial statements? 3/5
2. Are AI-derived estimates (provisions, valuations) material? 3/5
3. Is the AI system part of the client's internal controls? 3/5
Overall risk score: 3 out of 5.0
Risk rating: High
High-risk categories: 0
Risk heat map
Model Risk: 3/5 · High
Data Risk: 3/5 · High
Operational Risk: 3/5 · High
Compliance & Regulatory Risk: 3/5 · High
Financial Statement Impact: 3/5 · High
Legend: Low (≤2) · Moderate (2–3.5) · High (>3.5)
Recommended audit procedures
Model Risk (High risk)
  • Test model outputs against manual calculations
  • Review model validation reports and methodology
  • Assess explainability documentation and audit trail
Data Risk (High risk)
  • Test input controls and data validation procedures
  • Verify data completeness and representativeness
  • Review data governance framework and access controls
Operational Risk (High risk)
  • Test override controls and human review procedures
  • Review incident logs and business continuity plans
  • Evaluate model monitoring and alerting mechanisms
Compliance & Regulatory Risk (High risk)
  • Review regulatory filings and compliance certifications
  • Test compliance monitoring procedures
  • Assess ethical AI policy and governance framework
Financial Statement Impact (High risk)
  • Perform substantive procedures on AI-generated amounts
  • Test reasonableness of AI-derived accounting estimates
  • Evaluate design and implementation of AI-related controls
SA 315 risk-assessment mapping
Model Risk
Understand the entity's AI models as part of the information system (SA 315.18-19)
Data Risk
Evaluate IT general controls over data integrity (SA 315.21)
Operational Risk
Assess control activities over AI operations (SA 315.26)
Compliance & Regulatory Risk
Identify regulatory compliance risks affecting financial reporting (SA 315.11)
Financial Statement Impact
Identify and assess risks of material misstatement from AI systems (SA 315.25-30)
Key insight: auditing AI systems
High risk. Significantly expand substantive procedures. Consider engaging an IT-audit specialist. Test AI outputs against independent calculations.
Audit AI-powered clients

Need help auditing AI? Automated testing and documentation.

CORAA helps auditors navigate AI risks with continuous monitoring and SA 315 mapped procedures.