CORAA

When your client uses AI, what should you audit?

Map AI risks to SA 315 risk-assessment procedures. 15 questions across 5 categories: model, data, operational, compliance, and financial statement impact.

Client AI profile
Risk assessment: 15 questions
Rate each risk factor: 1 (Low risk) to 5 (High risk)
Model Risk
Avg 3/5
1. Is the AI model a black box (unexplainable)? 3/5
2. How frequently is the model retrained/updated? 3/5
3. Has the model been independently validated? 3/5
Data Risk
Avg 3/5
1. Is the training data biased or unrepresentative? 3/5
2. Are data inputs validated before feeding the model? 3/5
3. Is there proper data governance (lineage, quality, access)? 3/5
Operational Risk
Avg 3/5
1. Is there human oversight of AI decisions? 3/5
2. Are there fallback procedures if the AI system fails? 3/5
3. Is there monitoring for model drift or degradation? 3/5
Compliance & Regulatory Risk
Avg 3/5
1. Does the AI system comply with applicable regulations (RBI, SEBI, etc.)? 3/5
2. Is there documentation of the AI system's design and operation? 3/5
3. Are there ethical guidelines for AI use? 3/5
Financial Statement Impact
Avg 3/5
1. Could AI errors materially affect financial statements? 3/5
2. Are AI-derived estimates (provisions, valuations) material? 3/5
3. Is the AI system part of the client's internal controls? 3/5
Overall risk score: 3 out of 5.0
Risk rating: High
High-risk categories: 0
Risk heat map
Model Risk: 3/5 · High
Data Risk: 3/5 · High
Operational Risk: 3/5 · High
Compliance & Regulatory Risk: 3/5 · High
Financial Statement Impact: 3/5 · High
Legend: Low (≤2) · Moderate (2–3.5) · High (>3.5)
Recommended audit procedures
Model Risk · High risk
  • Test model outputs against manual calculations
  • Review model validation reports and methodology
  • Assess explainability documentation and audit trail
Data Risk · High risk
  • Test input controls and data validation procedures
  • Verify data completeness and representativeness
  • Review data governance framework and access controls
Operational Risk · High risk
  • Test override controls and human review procedures
  • Review incident logs and business continuity plans
  • Evaluate model monitoring and alerting mechanisms
Compliance & Regulatory Risk · High risk
  • Review regulatory filings and compliance certifications
  • Test compliance monitoring procedures
  • Assess ethical AI policy and governance framework
Financial Statement Impact · High risk
  • Perform substantive procedures on AI-generated amounts
  • Test reasonableness of AI-derived accounting estimates
  • Evaluate design and implementation of AI-related controls
SA 315 risk-assessment mapping
Model Risk
Understand the entity's AI models as part of the information system (SA 315.18-19)
Data Risk
Evaluate IT general controls over data integrity (SA 315.21)
Operational Risk
Assess control activities over AI operations (SA 315.26)
Compliance & Regulatory Risk
Identify regulatory compliance risks affecting financial reporting (SA 315.11)
Financial Statement Impact
Identify and assess risks of material misstatement from AI systems (SA 315.25-30)
Key insight: auditing AI systems
High risk. Significantly expand substantive procedures. Consider engaging an IT-audit specialist. Test AI outputs against independent calculations.
Audit AI-powered clients

Need help auditing AI? Automated testing and documentation.

CORAA helps auditors navigate AI risks with continuous monitoring and SA 315 mapped procedures.
