On the Frontlines: Lessons From a Year of AI
Irena Ostojic, CIA | Dec 05, 2025

It all started in late 2022, when ChatGPT took us all on a ride of excitement, hope, disbelief, and fear — not just for auditors, but for the whole world. The speed with which chatbots spread was truly unimaginable. For the internal audit profession, however, artificial intelligence (AI) adoption has developed at a slower pace.
Despite the growing buzz around AI, the uptake of generative AI (GenAI) and AI tools by internal audit functions remains modest. For example, a 2025 survey by AuditBoard found that only 41% of audit teams report using GenAI, and in many functions, the use is infrequent (just 13% in planning, 6% in fieldwork, and 11% in reporting).
Why the lag in internal audit? Besides auditors’ famously risk-averse attitude, a lack of clear guidelines or training around AI use made many audit teams hesitant. Without an approved internal process or comfort with data security and governance implications, many internal auditors were understandably reticent to use AI.
This is now improving. More organizations are issuing basic guidelines. And enterprise tools, such as Microsoft Copilot, have eased some of the data-protection concerns. Audit functions are also beginning their first reviews of AI governance, which helps formalize usage, reduce shadow experimentation, and support wider adoption.
My team began with simple tasks like research, benchmarking, and summarizing. Over time, we found that GenAI could also support more complex work — drafting objectives, risks, and controls; helping with root-cause analysis and recommendations; summarizing long interviews or documents; reviewing draft policies; and even aligning our guidelines with the new Standards.
After a year of active use, we have built a solid base of experience. Here are my key recommendations.
Not All Bots Are the Same
I started with ChatGPT, though in a limited way due to data-security restrictions. Once I received a Copilot license, I could use GenAI more broadly. At the time, it was my observation that Copilot’s performance was not even close to ChatGPT’s; however, that has changed dramatically. Compared with a year ago, Copilot has improved substantially, and anyone who dismissed it early should take another look. The corporate version now offers far more flexibility and much better output quality.
Its biggest advantage is the ability to work entirely within your organization’s Microsoft environment. Copilot can access the same information you can (your emails, Teams chats, SharePoint files, and internal news), and it is remarkably effective at extracting and summarizing relevant content. Interestingly, the browser-based version (in Edge or Bing) still tends to produce better results than the embedded versions in Word or Excel, though the gap is closing quickly.
As for other tools, Claude (by Anthropic) is worth mentioning; it works very well with factual reports or data and adapts nicely to your personal writing style. In my experience, Claude also has strong ethical guardrails — it refuses inappropriate or misleading tasks more consistently than some others.
Well-Written Does Not Necessarily Mean Correct
This is one of my strongest observations after a year of working with GenAI chatbots. In our profession, how you write matters greatly; clarity, tone, and precision are essential. And this is exactly where GenAI tools excel. They make everything sound convincing.
When you receive a result, it is so well-phrased that you are tempted to read it quickly and paste it directly into your report. This can be risky, especially when your task involves drawing conclusions, for example, identifying root causes or formulating risks and recommendations. Something may appear logical at first glance, precisely because it’s beautifully written — but actually make no sense in your specific context.
So, keep your professional skepticism sharp. If you ask ChatGPT to draw conclusions, double-check whether those conclusions truly follow from your evidence.
Review Its Work in a Particular Way
Imagine a team leader or head of audit reviewing work-papers, draft observations, or a report. They always know who wrote it and can anticipate where to look for common errors. Some colleagues are overly generous with adjectives (“important,” “crucial,” “significant”), which adds subjectivity. Others are too brief or too verbose.
ChatGPT has its own recognizable style, too. When reviewing something drafted with GenAI, be aware of its known flaws: overuse of em dashes, excessive adjectives, occasional “logical-sounding hallucinations,” and filler phrases that add no substance. Even if the bot provides a reference to support its conclusion, it’s worth verifying because the data in the text and the referenced source don’t always match. Review it as you would a junior colleague’s draft: with appreciation for structure, but alert to substance and reasoning.
Prompting: The Art of Asking the Right Questions
We have learned that how you ask something is often presented as critically important, so much so that we now hear grand terms like “prompt engineering.” In my experience, this is somewhat overstated. As long as you provide the basic background and clearly explain what you need, the tool is usually smart enough to understand and respond correctly.
What truly works well, however, is breaking your request into stages rather than doing everything in one go. Provide context, add explanations, and then ask the tool to work step-by-step (first one task, then to wait for further instructions, and so on). This iterative approach consistently produces higher quality results.
Final Thoughts
One year later, my view is that GenAI is not replacing auditors, but it is reshaping how we work. It helps us think faster, write more clearly, and access information buried in volumes of documents and emails. But the true value comes when human judgment and AI capability meet halfway, with auditors using their critical thinking, curiosity, and skepticism to guide the tool, not be guided by it.
The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of The Institute of Internal Auditors (The IIA). The IIA does not guarantee the accuracy or originality of the content, nor should it be considered professional advice or authoritative guidance. The content is provided for informational purposes only.