- 23
- February
Internal Audit is a critical mechanism that ensures an organization's operations, budget expenditures, and regulatory compliance are conducted properly. However, for decades, internal audit has faced a fundamental limitation: auditors can only examine samples from the total pool of transactions — there is simply no way to achieve 100% coverage with human effort alone. Today, AI is changing that picture entirely.
Traditional Internal Audit — Unavoidable Limitations
In traditional internal audit, auditors rely on Sampling — selecting only a portion of data for examination. For example, auditing 30 purchase orders out of 10,000, or reviewing only 3 out of 20 departments. This approach has several inherent limitations:
- Incomplete coverage — anomalous transactions may fall outside the selected sample
- Time-consuming — collecting data, preparing working papers, and writing reports takes weeks per issue
- Retrospective — by the time issues are found, months or even years may have already passed
- Dependent on judgment — different auditors may have different perspectives, leading to inconsistent audit results
Given these limitations, many organizations are seeking technologies to elevate their internal audit capabilities — and AI is the answer attracting the most attention.
How Can AI Assist Internal Audit?
AI can enhance internal audit work across multiple dimensions, from analyzing massive volumes of data to detecting fraud in real-time:
1. Continuous Auditing — Real-Time Verification of Every Transaction
Instead of random sampling once a year, AI can continuously audit every single transaction (Continuous Auditing). The moment a transaction occurs in the system, AI automatically analyzes whether it complies with regulations, exceeds approved limits, or exhibits anomalous patterns.
The advantage of Continuous Auditing is that no transaction slips through the cracks — whereas traditional methods could only examine 1-5% of all transactions, AI enables 100% coverage without increasing the number of auditors.
2. Fraud Detection — Identifying Fraud and Anomalous Transactions
AI excels at detecting anomalous patterns invisible to the human eye, such as Duplicate Payments, transactions processed at unusual hours, or suspiciously frequent round-number amounts — which may indicate number manipulation.
3. Compliance Monitoring — Verifying Regulatory Adherence
AI can enforce rules based on organizational regulations and automatically verify that every transaction complies with policies — whether all procurement items have completed the proper approval steps, whether disbursements fall within authorized limits, and whether retroactive data modifications are properly justified.
4. Data Analytics — Analyzing Large Volumes to Uncover Hidden Patterns
AI can analyze millions of records within minutes to uncover patterns invisible to humans, such as relationships between vendors and procurement staff (Conflict of Interest), unusual spending trends during specific periods, or departments with abnormally high transaction modification rates.
5. Document Analysis — AI Reads and Summarizes Large Document Sets
Internal auditors must review vast quantities of documents — from contracts and procurement regulations to internal policies and meeting minutes. AI can read and summarize key findings from hundreds of documents in a short time, allowing auditors to focus on analysis and decision-making rather than spending time reading documents.
6. Risk Assessment — AI Ranks and Prioritizes Risks
AI can analyze and rank risks for each department or business process by considering multiple dimensions — such as historical audit findings, number of anomalous transactions, staff turnover rates, and process complexity. This enables auditors to allocate resources to the highest-risk areas with data-driven confidence.
Summary: How AI Transforms Internal Audit
- From Sample-based to 100% coverage
- From Retrospective review to Real-time monitoring
- From Judgment-based to Data-driven decision
- From Piles of documents to Automated summaries
Examples of AI-Powered Fraud Detection
The table below shows examples of fraud signals that AI can detect automatically:
| Signal | AI Detection Method | Example |
|---|---|---|
| Duplicate Payment | Hash matching — comparing invoice number, vendor, amount, and date | Same invoice paid twice on different days with the same invoice number |
| Round Numbers | Statistical analysis — analyzing the frequency of round numbers | Disbursement amounts ending in ,000 at abnormally high frequency, e.g., 50,000 / 100,000 / 200,000 |
| Weekend/Holiday | Timestamp analysis — examining transaction processing times | Transaction created at 2:00 AM on Saturday when the office is closed |
| Benford's Law | First-digit analysis — examining the distribution of leading digits | Amounts starting with digits 8 and 9 at abnormally high rates (Benford's Law predicts these should be rare) |
| Split Transactions | Threshold analysis — detecting split transactions designed to circumvent approval limits | Purchases from the same vendor split into 5 POs at 99,000 each (approval threshold: 100,000) |
| Ghost Vendors | Entity matching — detecting duplicate or shell company vendors | 3 vendors share the same address and bank account but have different names |
Important: Benford's Law is a statistical principle that states in naturally occurring numerical datasets (such as invoice amounts), first digits are not evenly distributed — the digit 1 should appear approximately 30% of the time, while the digit 9 should appear only 4.6%. If the distribution deviates from this law, it may signal number manipulation.
AI Tools for Audit Work
Several tools are currently available to bring AI and Data Analytics into internal audit work:
| Tool | Key Strengths | Best For |
|---|---|---|
| ACL Analytics / Galvanize (Diligent) | Data Analytics tool built specifically for auditors, supporting Continuous Auditing, Fraud Detection, and Compliance Testing | Large organizations, government agencies |
| IDEA (Interactive Data Extraction and Analysis) | Data analysis software for auditors, supporting Benford's Law Analysis, Gap Detection, and Duplicate Testing | Audit firms, certified public accountants |
| Power BI + AI Insights | Real-time data dashboard with AI-powered Anomaly Detection and Key Influencers features | Organizations using the Microsoft ecosystem |
| ChatGPT / Claude | Document summarization, draft audit reports, regulatory analysis, assist in writing SQL queries for data extraction | Auditors seeking to boost productivity |
| Python + Pandas | Write custom analysis scripts with full flexibility, low cost (free) | Auditors with coding skills |
Noteworthy trend:
The Institute of Internal Auditors (IIA), the global professional association for internal auditors, states that Data Analytics is an essential skill for modern internal auditors — not just a "nice to have" but a "must have" for the profession's future.
Risks and Limitations of AI in Internal Audit
Despite AI's tremendous potential, there are risks and limitations that must be acknowledged:
1. False Positives — Frequent False Alerts That Waste Time
AI may flag normal transactions as anomalous (False Positive). For example, two identical payments may not be a Duplicate Payment but rather installment 1 and installment 2 under a contract. If false positives are too frequent, auditors waste time reviewing normal transactions and may develop "Alert Fatigue" — ignoring alerts because they have grown accustomed to most being benign.
2. Black Box — Inability to Explain Reasoning
Some AI models (especially Deep Learning) operate as a "Black Box" — they provide answers but cannot clearly explain their reasoning. For internal audit, this is a critical problem because audit reports must articulate the rationale and supporting evidence — you cannot simply write in a report that "AI says it is anomalous" without accompanying explanation.
3. Data Quality — Poor Data, Poor Results
AI performs only as well as the data it is fed. If the data in the system is incomplete, inaccurate, or inconsistent, AI's results will be unreliable. For example, if the ERP system does not record transaction timestamps correctly, AI cannot analyze whether transactions occurred outside business hours.
The "Garbage In, Garbage Out" (GIGO) principle: If the input data is garbage, the output will be garbage as well — no matter how sophisticated the AI may be.
4. Over-Reliance — Depending Too Heavily on AI
The most critical concern is that auditors may rely on AI so heavily that they lose Professional Skepticism — the questioning mindset that is the very heart of audit work. AI should serve as an assistive tool, not a decision-maker — auditors must continue to apply professional judgment, experience, and contextual understanding of the organization in every decision.
5. Data Security and Privacy
Sending financial and sensitive organizational data for AI analysis (especially cloud-based AI) poses data security risks and may conflict with the organization's data management policies or PDPA regulations. Organizations must ensure data is adequately protected before submitting it for analysis.
| Risk | Impact | Mitigation |
|---|---|---|
| False Positive | Wasted time, Alert Fatigue | Adjust thresholds, create whitelists for recurring normal transactions |
| Black Box | Cannot explain findings in reports | Use Explainable AI (XAI), select interpretable models |
| Data Quality | Unreliable analysis results | Perform Data Cleansing before analysis, use ERP that enforces data entry |
| Over-reliance | Loss of Professional Skepticism | Establish an "AI-assisted, Human-decided" policy |
| Data Privacy | Data leakage, PDPA violations | Use on-premise AI, do not send data to public cloud |
Government Case Study — Office of the Auditor General of Thailand (OAG)
In the Thai public sector, the Office of the Auditor General of Thailand (OAG), an independent body responsible for auditing government expenditures, has begun seriously adopting Data Analytics in its audit work, with several noteworthy approaches:
- Connecting data from the GFMIS (Government Fiscal Management Information System) to analyze budget disbursements of government agencies
- Using Data Analytics to audit procurement, such as checking whether purchases are split to circumvent competitive bidding requirements
- Relationship analysis between procurement officers and vendors to detect Conflicts of Interest
- Using Visualization to display budget expenditure overviews, revealing areas requiring deeper examination
Beyond the OAG, other regulatory bodies such as the Securities and Exchange Commission (SEC) (for auditing listed companies) and the Anti-Money Laundering Office (AMLO) have also begun increasingly adopting AI and Data Analytics in their audit work.
Trend: In the near future, government agencies may require information systems managing budget funds to maintain complete audit trails to support AI-powered auditing — organizations that prepare their data now will have a significant advantage.
Saeree ERP and Internal Audit
Saeree ERP is designed with internal audit requirements in mind from the architectural level:
- Audit Trail for Every Transaction — every creation, modification, approval, and deletion is fully recorded, identifying the user, timestamp, and details of each change
- Approval Workflow — multi-level approval processes based on amounts and transaction types, preventing steps from being bypassed
- Role-Based Access Control — granular access permissions down to menu and button level, supporting the principle of Segregation of Duties
- Complete and Consistent Data — the system enforces required fields, ensuring data quality is maintained and ready for analysis
- Reports for Auditors — includes commonly used audit reports such as retroactive data modification logs, transaction reports by time period, and approval reports
Note: Saeree ERP does not yet include built-in AI features. However, the system stores data in a structured and comprehensive manner, ready for analysis with external AI tools such as ACL Analytics, Power BI, or Python — because quality data is the most essential starting point for AI.
Getting Started with AI in Internal Audit
For organizations looking to begin using AI in internal audit, we recommend starting with these steps:
| Step | Details | Timeline |
|---|---|---|
| 1. Get Your Data Ready | Use an ERP system with complete audit trails that enforces quality data entry | 3-6 months |
| 2. Start with Data Analytics | Use simple tools like Excel or Power BI to extract and analyze data from ERP | 1-3 months |
| 3. Build Rules-Based Alerts | Set up automated rules, such as alerts when transactions exceed limits or when data is retroactively modified | 1-2 months |
| 4. Integrate AI Enhancement | Use AI for Anomaly Detection, Fraud Scoring, and Benford's Law Analysis | 3-6 months |
| 5. Continuous Auditing | Connect AI to ERP in real-time for automatic verification of every transaction | 6-12 months |
AI will not replace internal auditors — but auditors who use AI will replace those who do not. The era of "pencils and working papers" is coming to an end. What organizations need to prepare is not just tools, but quality data and an openness to embrace technology.
- Grand Linux Solution Consulting Team
If your organization needs an ERP system with complete audit trails, ready to support AI-powered analysis in the future, you can schedule a demo or contact our consulting team to discuss further.
