Using AI in finance? Build an audit trail ready for testing

As AI-generated outputs move into financial reporting, external auditors are honing in on traceability, controls and governance.

Isobel Markham

[Image: AI use in reports needs to be clearly identified so that auditing them becomes easier]

Imagine your CFO is sitting in front of the audit committee and being asked whether the organisation can prove that its AI is not only working, but working exactly as it should be.

“Today, that’s not really just a technical question,” says Stuart Rubin, a managing director with Deloitte & Touche LLP. “That’s a test of your credibility and your organisational strategy around AI.”

While AI in finance used to feel like “a shiny add-on”, it is quickly becoming the “beating heart of everything from reporting to decision-making,” Rubin says.

“That means quality execution is no longer technical, but a mandate.”

External auditors are increasingly encountering AI-generated content embedded in reporting workflows. Rubin’s message: if AI output is in the reporting chain, it can become an audit question that requires clear documentation and understanding of human involvement.

“With AI-generated information, traceability is going to be king,” Rubin says. “AI is being used today to write memos, footnotes, meeting minutes, contract summaries. Those outputs are being included in core reporting, with an aspiration of getting there without a human touch. There’s a lot of trust because the AI sounds confident in what it’s telling the user.”

There are multiple AI use cases that are already relevant to financial reporting, such as tapping AI as an input to an accrual or to pick up contract terms and unstructured data, which is then used to populate the ERP (enterprise resource planning) system.

“Manual monitoring and a human intervention are still required, but these use cases can bring about significant productivity gains,” Rubin says.
“Unlike older optical character recognition technology that required data to be in precisely the right location on a document, AI can interpret context and find relevant information even in unstructured formats. But that flexibility creates new challenges for audit trails.”

What Auditors Will Want to See

It is vital to document, in detail, what has been generated by AI and the governance and verification process. What matters in an audit is not only what a tool produces, but how management demonstrates the output was controlled, reviewed and supportable.

“If you can’t have a clear discussion on that topic, that might suggest you don’t have the appropriate support for management’s books and records,” Rubin says.

His recommendation is to build an audit-ready trail for AI-generated reporting artefacts and disclosures.

“For each AI-generated document or disclosure, it is leading practice to keep a record of the input data, the AI process involved and the evidence of any manual or automated reviews that are taking place, including the process for handling errors and exceptions that are flagged in review,” Rubin says.

He extends the same logic to intelligent automation in routine finance processes, such as invoice matching, unusual-expense flagging and reconciliations, warning that automation does not eliminate the need for controls that can be tested.

“Automation without oversight carries inherent risks, much like employees and contractors operating without oversight,” Rubin says. Auditors will want to see that management has robust controls in place to support their accounting determinations.
Beyond that, auditors will want to test whether companies have controls over relevant automated processes and whether those controls work in practice.

In early stages, Rubin expects “human in the loop” to be central, but over time, organisations may look to “automate the automation” by building repeatable monitoring and exception workflows, including versioning and testing logs for audit review.

Governance: Who Owns What

“AI governance can fall apart without clear accountability,” Rubin says, emphasising the need for defined roles across key functions. “It’s not just about having a model owner, it’s defining authority and responsibilities for all the key functions such as finance, risk and IT. For instance, finance might lead on understanding the implications for reporting and controls, while IT might own deployment compliance, and internal audit would weigh in with their own distinct lenses as well.”

It is vital to document responsibilities across the model and use-case life cycle, and to keep that documentation current.

“Document the roles of each party for design, data selection, tuning, deployment and ongoing oversight, and treat that as a living record,” Rubin says. “Review it, update it regularly. It’s not set and forget because things are moving too quickly not to keep pace.”

Data quality, security and representativeness are foundational to whether AI outputs in finance can be trusted. If the underlying data is incomplete or biased, and those issues aren’t caught, organisations can end up with flawed decisions, reporting errors, compliance problems, or even restatements.

The fix is disciplined, audit-ready data governance: vet data sources, validate completeness and accuracy on a recurring basis, protect sensitive data and document the checks.
Keep evidence of what was tested and when, so the organisation can demonstrate during an audit that controls aren’t just defined but are operating.

Governance structures matter too: “No matter how advanced an organisation’s AI is, segregation of duties is critical. For example, it is vital that the person building the AI isn’t the only one validating it. That will help to catch more issues and prevent unintentional biases from being built in.”

The broader goal is the ability to diagnose issues and maintain confidence when something goes wrong.

“Documentation is not just for the sake of compliance. Yes, it forms the audit trail, but also if issues do surface, accurate documentation enables you to work backwards and gives the necessary clarity to unpack what happened,” Rubin says.

Controllers who wait until their audit to address these questions will find themselves scrambling. Key areas to document now include an inventory of the relevant AI use cases in financial reporting, the change management processes for AI-powered models, the assumptions and parameters driving those models, how AI-generated results compare to legacy processes, and procedures for handling exceptions and errors.

The mindset shift required goes beyond compliance. “Anticipate the audit, don’t just survive it,” Rubin says. “Being transparent and thorough with the documentation review processes can lead to more than just smooth audits. It shows the market that the organisation is future-ready, serious about risk and committed to excellence.”

Isobel Markham is senior writer, Executive Perspectives in The Wall Street Journal, Deloitte Services LP.

Disclaimer

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services.
This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Copyright © 2025 Deloitte Development LLC. All rights reserved.