Host
- Philippa Lamb
Guests
- Ramana McConnon, Head of Assurance Technology at the FRC
- Jon Morris, Director of Audit and Professional Standards for Grant Thornton
- Martin Brown, Gen AI lead in Deloitte’s Audit technical team
Producer
- Natalie Chisholm
Transcript
Philippa Lamb: Welcome to Behind The Numbers. Today, we're looking at how AI can be put to work in audit and the best way is to regulate it. Back in the summer, the Financial Reporting Council (FRC) issued guidance on exactly those points, but questions remain, particularly about the regulatory framework. Regulators and firms are doing their best to navigate very rapid technological change. But what still needs to happen to make sure that guidance is fit for purpose firms of all sizes, and crucially, that it stays that way?
[Teaser audio] Jon Morris: You probably started with a really big hype curve of how AI is going to come in, and it's going to take everyone's job and it's doing all the click of a button. I think we're probably now getting a bit more realistic about what it can do.
[Teaser audio] Martin Brown: I think there are so many user cases for AI, and the idea that you need to go to that nth level of using it in the most complex situation doesn't need to be the case. There are ways that firms are developing their own internal chat bots and things like that, whether it's research, whether it's summarisation. So actually, it’s just helping to get your teams and your people get kind of familiar with how the technology works,
PL: Our three guests today are eminently qualified to answer those questions. Ramana McConnon is head of assurance technology at the FRC. We're joined by two of the audit forum representatives who helped develop this new guidance. John Morris, Director of Audit and Professional Standards for Grant Thornton, and Martin Brown, who leads on Gen AI at Deloitte. Welcome everyone. Thank you for having us. Ramana, we hear a lot about this. It's everywhere right now. What is your sense of how fast take-up is actually happening?
Ramana McConnon: We've been hearing about this for years now, and it is quite hard, I think, to get a sense from the outside of how much of that kind of discussion and hype has actually been implemented on the ground. And we as a regulator, in fact, have that have that same question in some respects. And that's why having colleagues like John and Martin on our working group, who very openly and collaboratively share what they're doing and have really constructive conversations with us, is a really useful resource for us in terms of letting us know what's happening.
But in answer to your question, I would say AI is now being used on audits. To give a bit more detail on that, it might be helpful to talk about different kinds of AI – traditional machine learning, generative AI, and, in the future, agentic AI. I would say machine learning and Gen AI are being used today to some extent.
PL: I'm not sure everyone would know what agentic AI is.
RM: [To JM and MB] Sure feel free to jump in, you guys are the ones actually sort of building it and implementing it. But my sense is that agentic AI is an AI system which is used to somewhat autonomously pursue a task or a goal. With Gen AI, there’s a human prompt, it gets an output and then takes it and uses it. With agentic AI, you can kind of give it a task and it can decide, to some extent, how it wants to do that.
PL: And that's what's coming down the road?
RM: Indeed, quite quickly.
PL: But in terms of take up, as you say, it's in use by the bigger firms, your firms, obviously. You're adopting this, but what about further down the profession?
RM: So we do see smaller firms data using AI, often by working with third party technology providers. So they're not really building it in house, necessarily, but that they're buying it in which is a good thing. That's a really useful dynamic for the market, that the presence of those third party providers. But it does come with some extra sort of questions, or – I don't want to say challenges – but things to consider, I would say, for those firms.
PL: So, off-the-shelf solutions? I want to get into the ins and outs of that, because, as you say, there's some points there. But just to cover this first point, the tipping point for adoption, beyond cost, what is your sense?
RM: I would say – and this is just my sense – I don't think AI has yet transformed audit, but it is definitely being used, and definitely has the potential to transform it, potentially in the near future.
PL: Does that chime with what you both feel? You've been looking closely at this.
JM: Yeah, I think so. I think it's probably understanding what AI is, and you've probably started with a really big hype curve of AI is going to come in and it's going to take everyone's jobs.
PL: Yeah, lots of anxiety.
JM: So it's going to do an audit, a click of a button. I think we're probably now getting a bit more realistic about what it can do. And I think one of the key things for me is understanding what AI really is. I think I had to go for a bit of a learning curve, thinking about what it's doing. It's not like traditional technology, where it's sort of got a set of rules and parameters, and it follows it the same way every single time. It's more based on sort of a statistical type model.
PL: I think that's where a lot of the anxiety comes from, isn't it?
JM: Yeah, I think so. But I think once you sort of get your head around that you're not going to get a perfect answer, then maybe what you're getting out from AI is more like what you'd get from more junior colleagues, so from a first year colleague. Then maybe, if you think of it like that, and then you put controls around that – but it's been properly reviewed – I think that's where you’ll start seeing it used more often.
04’50”: Discovering the AI use cases and benefits of the new technology for smaller firms
PL: But Martin, does that level of outcome work for firms. And as you say, like a first year colleague, how useful is that if the level of oversight from senior colleagues is still going to be so high? Does that work for smaller firms?
MB: I think there's still efficiencies to be had with the use of AI. I think it is that assistant to prepare, that’s how we're looking at the moment. So you know, there's a lot of use cases where actually, whether it is helping with research, whether it's helping with extraction from documents, still with that, that human oversight, actually there are benefits.
And just going back to the question about where we are, I think John's right. I think we are at a point where we're at the start of this, I think there's huge interest. Obviously, there's a lot of investment that's going in at the moment. I think what we're going to see over the next year or so is an increase in the use in the profession, and that may be through internal capabilities being developed by firms themselves.
But actually, increasingly, when you look at some of the third parties out there, and you think about the technology that even some of our smaller or medium sized firms are using, you're seeing AI capabilities being built in there as well.
PL: We should probably be clear at this point, this is guidance we're talking about, Ramana, it's not standards.
RM: That's right.
PL: How did you set your objectives? Because it's a moving target, isn't it?
RM: It is. And I would say we had a few objectives, and they came from different sources. Some of that was, as I mentioned, our working group, which John and Martin are both on. We discussed all sorts of issues in relation to technology, including AI, and that generated some areas that the firms would like either a consensus on, or a bit of a bit of a steer from the regulator.
So, that gave us a starting point of a few issues we wanted to issue our view on or clarify some our expectations on. So, that was some of it. Some of it was even more broadly than that – we wanted to issue guidance on AI, simply for the sake of showing that we were okay in principle, with firms using AI, which, if anything, I would say that's potentially our overarching goal
PL: Is it to validate exact firms in the sense of, you know, actually, this isn't going to be a problem. They should explore it.
RM: Yeah, as long as it's done sensibly. And then we had a few more granular objectives about specific topics where we wanted to give a view.
PL: We keep using this term, fast moving, but it's almost inescapable, isn't it? The other thing that kind of occurs to me is that the terminology just keeps on coming, doesn't it? The more you get across it – and then there's more. I came across it too. I didn't understand, the other day, [the terms] black box and explainability. Martin, tell me, what do they mean?
MB: When I think about black box, I suppose I think about it's something where the tool or machine is doing a task, and it's understanding how that's working, and being able to see how that is working under the lid. So, the code that's been used, the methodologies that have been used, it may be involved in a calculation, but actually, can we see how it's getting to that end point?
And I think at the moment, actually it's something that probably exists today, when some firms are using third party technology and having to understand how that technology works. I think the challenge is, when you move into AI and Gen AI, is that the level of complexity just increases significantly.
So, with Gen AI, you think about you put in a prompt or something, you're getting an output, and how has it got to that? There may be billions of ways that actually could get to an answer. So, how can you recreate that? And that gets into that explainability point. How can you explain, how can you show the steps that have gone through? And that's a real challenge when you start to think about the use of AI and Gen AI.
PL: I want to ask you about training data, actually. For guidance, it calls for appropriate authorisation, doesn't it, from entities whose data is used? It seems to me, in practice, not all clients are going to say yes to that, are they? So, what happens then?
JM: We've had some examples where clients are nervous about what we're going to do with their data. Is it going to be trained in a model? Where's the data being kept? So I think the key point to me is having really clear terms and conditions in your engagement letter to say this is what we're going to use AI for, to give everyone confidence about what it's being used for. I think there are certain situations where the client just doesn't want to sign up. But that doesn't mean that AI can't be used. And we've still had some specific examples where we've been able to sort of ringfence what we're doing with AI. It's not being used to train other models. It's being used to create a specific, bespoke solution for that client. So, I think it's about talking to your clients and making them confident, but having sort of a general policy behind it.
PL: But realistically, isn't that going to be the option most clients would go for? Because it sounds like the safest option, doesn't it, for their data. Martin?
MB: I mean, I think I would agree with John that transparency, firstly, is really important. Talking to your clients about where you're using today and how you're using it. I mean, I think from our experience to date, I wouldn't say we've had that many clients, a very limited number who've actually specifically asked us not to use Gen AI on an audit.
PL: So, most are relaxed about you doing it, are they?
MB: I think as long as, when we have those conversations with them around how we're using the Gen AI, about how we're using the data, the tools that we're using at the moment involve Gen AI.
PL: And the benefits to them, presumably?
MB: Yes, that's clearly really important. But you know, there's some really fundamental points here around the data, where it's going, and if all the data is held in secure environments [and] the fact that we're not training the tools with informational data from them either. So, you know, there's some really core points and really important points that we need to help them understand. And actually it's that education piece and that transparency piece with clients which is really important.
PL: There's a lot there isn't there because, particularly this year, for people who are who don't work in tech, who aren't that technically literate, when you hear about cyber breaches and the misuse of data and that rolling threat, we've talked about it a lot in the podcast, it plays into a really understandable commercial reluctance to have anything to do with this, doesn't it? In the sense of, why would you release your data? So, I guess it is going to have to be all about, ‘Yeah, but if you do that, here's the win for you.’
JM: We're at the very start of the AI journey, and people may be a bit nervous about what's happening. I think as you've got more and more use cases and can share those examples, as Martin said, sort of talking them through exactly what we would be using data for. I think it just builds that confidence, and in a few years time, you'll see a massive step change.
PL: Yeah, I mean, there's going to need to be a lot of rigour, isn't there? Because a single issue could be extraordinarily damaging.
JM: I think so, but that's what I think, where the guidance is really useful here, that at least gives a sort of framework about what we can do, and gives us that permission from a regulator that AI is an appropriate thing to do. It's not going into loads and loads of granular detail. I think that permission piece is really important.
MB: I agree with that. And I think there are questions that we are all dealing with in terms of how we use the AI, the considerations around documentations, the quality assurance around it, interaction with the ISQ 1 [standard]. So, what was really good about the guidance is that it gives us that starting point to think about how we might address them. It's always going to come down to different user cases, I think that's very clear in the guidance as well. But actually starting to think about how you approach approving tools within a firm, how you might do that, what that balance is between what's expected from the central functions of a firm versus what engagement teams are expected to do. I think it's a really good starting point for us in terms of how we start to approach these questions.
PL: It's building industry confidence.
RM: Hopefully, yeah, that's one of our objectives for sure.
PL: So we all talked a bit about smaller firms earlier in the fact that they are going to obviously reach for off-the-shelf solutions, no option but to do that. Going back to the guidance, significant professional judgment was required – I'm quoting here – to calibrate how much weight each routine should contribute to a journal entry being identified as riskier. I looked at that and I thought, how can auditors be comfortable with that? Because obviously, how much do they know about the AI tool to apply that professional judgment in a real way?
RM: The first thing I would say is that kind of judgment has been going on for years, long before AI was a potential way of testing journals. They would combine different data analytics routines, and they would have to wait for them accordingly, and have a threshold for following things up. So, that's just an audit judgment. That's professional judgment.
PL: But didn't they have a clearer sense of where the data was coming from?
RM: Sure. So, now some of those routines may be leveraging machine learning, and that does require at least a sort of high level conceptual understanding of what it's doing. But I think, more importantly than that, is the understanding of how it's performed in testing. If you know, not to a sort of extraordinarily granular degree, but if you know that it's been at this level, predictively powerful at finding frauds compared to this other procedure, then you can have a an informed judgment of how to weight them without knowing all of the programming and computer science that's gone into designing the machine learning algorithm.
13’49”: Understanding explainability and the need for human oversight with AI solutions
PL: So looping back to explainability, if a tool provider is providing partial information and the audit firm doesn’t have the expertise, how can they form a judgment about explainability [and] the risk of inconsistency? I mean, all those things feel very intangible.
RM: First thing I'd say about explainability, which would apply to both tools built in house or third party tools, is that, I think traditional sort of computer programmes, where you've coded them on a line-by-line basis, you could, if you wanted to, always go in and understand exactly why a computer programmer had done something. I think that's kind of anchored our expectations about what we can expect from software, from technology. And I'm not really sure that that's the right expectation to have here.
I think the comparison with a human is maybe more appropriate. You wouldn't know exactly how a human has performed a judgement. You might be able to have a good sense or form a sort of probabilistic estimate of why they've done something based on the things that you told them to do, and your knowledge about roughly how they go about things. But you're not going to know exactly what's going on in their brain. And I think the same can be true here if you know conceptually what the algorithm is doing. And you know in testing, this is how it is performed in these different kinds of cases. I think that's enough for many use cases.
PL: But the outcomes matter, don't they? It's going to be all about oversight, human oversight.
JM: Yeah, I think human oversight is key in lots of this, especially at the beginning. I think as technology moves on, you may get to a position where you've got AI reviewing, but I think that's probably a few years down the line, but that's the direction of travel.
PL: That would require a high degree of confidence, wouldn't it?
JM: Yes, it would be.
RM: Although, in some ways it can mitigate some of the risks. We spoke about the sort of probabilistic nature of AI, and it can do different things at different times. If you give it exactly the same prompt, if you let multiple AIs tackle a problem and then compare the answers, or have AI do that, you can actually mitigate some of that variability – and then still have a human at the end of the process.
PL: In practice, if smaller firms are feeling they have to get independent assurance, but an AI tool is actually operating as it should, because they know they don't have the expertise to do it themselves, who would provide that?
RM: It’s a fragmented market, the AI assurance market. At the moment, there's lots of different types of providers. I know some audit firms are getting involved in that space, some boutique assurance providers. I kind of think it's a bit similar to the sustainability assurance market a few years ago, maybe where it's quite fragmented, lots of different providers.
PL: Is it regulated in any way?
RM: No, not in the traditional sense. And there are sort of international frameworks and standards, but that's not regulation in the sort of oversight sense.
PL: So very like sustainability in many ways?
RM: A few years ago, yeah.
PL: Do you feel those anxieties could be a barrier to small firms adopting AI?
JM: I think maybe at the beginning. My recommendation to small firms is maybe not trying to do something really big to start with, to think about more granular things that they can do. So, I used AI the other day. Someone had created a really long manual process where they went and downloaded a load of documents from Companies House, summarised them, and put them all on the file. I use a Copilot equivalent to just do that in 30 seconds. I think start small and get your confidence up with these sorts of things. You're not trying to completely change your whole audit approach at the beginning. I'd be starting small, getting your confidence up and going from there.
PL: And something you feel you can readily check because you can set someone to actually benchmark that, can't you? And [then you] get a sense of if it did a good job, I guess? The first steps would be great. What would you suggest?
MB: Yeah, I think John's right. I think there are so many user cases for AI, and the idea that you need to go to that nth level of using it in the most complex situation doesn't need to be the case. There are AI capabilities. A number of [Microsoft’s] native products now have the capabilities in there. There are ways that firms are developing their own internal chat bots and things like that. They can help with research, summarisation. And just helping to get your teams and your people kind of familiar with how the technology works, what some of the risks and limitations might be with it as well, and starting small, I think is sensible.
PL: To use it as a willing drudge for the grunt work? And we'll hear a lot about this, about people using it for the grunt work, but I guess that is the safest place to start.
JM: I think it's like your low hanging fruit, isn't it, to start with. You can get yourself comfortable. And lots of this is around change management, because the technology is there, it's bringing people on a journey.
18’25”: Are off-the-shelf solutions enough and will firms need to make big investments?
PL: Thinking about off the shelf solutions, on last month’s podcast, we were looking at the reliability of some of them, and obviously it can be very, very variable, as we've said. And we talked to Simon Thorn at Cardiff Metropolitan University, who'd been doing some very interesting cross-testing to see which ones actually performed well. And it was fascinating, because in his testing, Gemini Pro came out best in terms of accurate outcomes. Then ChatGPT Copilot – interestingly, you know that one, I think it's probably the name everyone knows – that performed very poorly across all his tests. This is the thing, isn't it? Because the names people know are not necessarily the ones they should reach for. They don't have in-house expertise. They're going to have to pay, aren't they? They're going to have to buy advice for this. Is that not how it's going to work in reality, to get any sort of sense that they're making the best steps and the best use of their budget?
JM: I think it will be the market that decides that. There are lots of opportunities for AI assurance out there. I think people start voting with their feet. If smaller firms are worried about it, I suspect they'll probably take more assurance from the fact that a provider is partnered with a large firm or someone else has used it, rather than a firm getting a SOX report or something to say that the controls are right. But I don't know. It's still, as I keep saying, such early days that it could go in lots of different directions. But I suspect the path of least resistance is going to be, ‘Oh, we know this big firm has used it. I'm going to take confidence [in that].’
PL: You make an excellent point. Yes, it's that whole sense of you've actually done the work because you could afford to do the work and so they can feel confident.
MB: Yeah, I think the testing as well might start to become important. So, actually talking to these third party providers about, ‘Well, what testing have you done? Have you done evaluation around the user case with Gen AI?’.
As John says, It is early days out there at the moment, but there will be work that third parties will be doing, or should be doing as part of this. And actually, those are some of the conversations you may want to have with them as well.
PL: There’s a long way to go, Ramana. What's next for the FRC on this?
RM: So, we're working on another piece of AI guidance at the moment, this time, looking at generative and agentic AI. There's kind of two parts to it, looking at some of the theory, some of the risks and mitigations that firms might think about putting in place, and then having a few illustrative examples as well to explore some use cases.
PL: Thanks very much all of you for coming in and explaining what you've done so far. Really interesting. Needless to say, we will be back to this subject repeatedly as AI and audit evolves. Next time, it's the autumn statement. Which way will the chancellor jump on taxation? Can she avoid more negative outcomes for business? Our regular A-list experts will be here to dig into the detail of what she says and what it could mean in reality. Make a date to join Santander Chief Economist Francis Haak, Chief Political commentator at the Express, David Williamson and ICAEW’s own politics and business guru Ian Wright on 1 December for the inside track for business and finance. And a quick reminder to log this podcast as CPD. You can log every single one you listen to as CPD too, including the back catalogue. Thanks for being with us.