By Abdulrahman Ibrahim Al-Zarouni, Secretary General
The UK Financial Reporting Council (FRC) has recently issued professional guidance governing the use of generative AI and agentic AI tools in audit engagements. This is a development worth pausing on — not because it introduces anything unexpected, but because it lays out a clear framework for a question every audit firm now has to confront: how do we benefit from these tools without compromising the core of the profession?
The distinction the guidance draws between the two categories matters in practice. Generative AI produces text, analysis, summaries, or drafts based on direct user prompts. Agentic AI goes a step further: executing semi-autonomous chains of tasks, from document analysis to proposing full audit procedures. The wider the margin of autonomy a tool has, the greater the need for rigorous control.
The guidance’s central message is unambiguous: using these tools must not weaken professional scepticism, the quality of evidence, documentation, or the auditor’s accountability. The firm and the audit team remain fully responsible for the work performed, and there is no room to argue that “the system reached the conclusion.” This principle is not a technical footnote — it is the first line of defence for the credibility of the profession itself.
The risks the guidance addresses capture precisely what every firm should be thinking about today: outputs that appear convincing but are inaccurate or insufficiently evidenced; weak documentation that leaves the audit file unable to demonstrate the work actually done; overreliance that narrows the space for professional judgment, particularly among less experienced teams; confidentiality risks when client data is entered into ungoverned tools; and, specific to agentic tools, additional risk arising from their ability to take multiple actions without direct human intervention at each step.
Sound governance, per the guidance, is not achieved by subscribing to a tool — it requires a complete framework: clearly defining permitted and prohibited uses, testing the tool before applying it to live engagements, strict controls to protect client data, training teams on the tool’s limitations and risks, mandating human review before any output is relied upon, precisely documenting inputs, outputs, and the basis for relying on them, and continuously monitoring the tool’s impact on audit quality — not merely on speed.
My conclusion to colleagues and members of the association is this: AI is a powerful tool, and we are in the midst of a comprehensive digital transformation that rightly pushes us to adopt it with confidence. But its true value only emerges when it is governed by clear oversight that keeps professional judgment and ultimate accountability exactly where they belong: with the auditor, not with the tool.







