Avery.Software — Native Execution Runtime

Audit and assurance: AI in the workflow that signs off on financial statements

2026-06-01 · Avery NXR

Audit and assurance is the workflow that produces the opinions financial markets rely on. The financial statements of every public company, every regulated entity, and every entity subject to grant funding or debt covenants are audited by external auditors who form opinions based on evidence they gather and assess.

AI has been integrated into audit workflows at an accelerating pace in the past three years. The Big Four firms invested heavily early. Midmarket firms followed. Smaller firms are now catching up. The work is information-intensive, the data is among the most sensitive in business, and the regulatory framework — PCAOB for public companies, AICPA for nonpublic, IAASB for international — is strict.

We touched on accounting more broadly in the previous post. This post focuses specifically on audit and assurance work, which has its own characteristics that make the local-SLM case especially strong.

The work

Audit AI workloads span the audit lifecycle.

Risk assessment: analyzing the client's business, identifying significant risks, drafting risk assessment documentation. The work draws on client documents, industry data, prior audits, and the auditor's professional judgment.

Audit planning: drafting audit plans, identifying procedures to be performed, allocating work across the engagement team. The plans need to demonstrate that the audit will address the identified risks.

Evidence review: examining the evidence the audit team collects — contracts, invoices, board minutes, management representations, third-party confirmations. AI helps classify, summarize, and identify exceptions.

Control testing: documenting the design and operating effectiveness of internal controls. The work involves analyzing process documentation, walkthrough narratives, and test results.

Substantive testing: testing transactions and balances, drafting workpapers documenting the testing, summarizing results.

Audit adjustments: drafting audit adjustments, preparing reconciliations, documenting the basis for adjustments.

Report drafting: producing the audit report itself, plus the management letter, the report to those charged with governance, and the various other communications the audit produces.

Quality review: senior partners and quality review functions review the work product before report issuance. AI helps summarize the audit file, identify potential issues, and draft review notes.

The math

A representative midsize audit firm — say, three hundred professionals serving a portfolio of midmarket public companies and private companies — generates substantial AI workload during the audit cycle.

Each audit engagement involves dozens to hundreds of AI operations across the lifecycle. For a Sarbanes-Oxley audit of a midmarket public company, the AI workload is in the thousands of operations per engagement. Aggregated across the firm's portfolio, the workload is in the tens of thousands of AI operations per month during busy season.

At frontier pricing, the bill is in the low to mid five figures per year for a midmarket firm. For the Big Four firms, which audit thousands of companies including the largest entities in the world, the AI bills are in the high seven figures or eight figures per year.

These numbers exclude the specialized audit software, the audit management systems, the data analytics platforms. The general-purpose AI layer on top is the line item we're examining.

Why audit is structurally a local-SLM case

Every property that favors local inference is present, with several at the maximum.

The work is narrow within the audit context. A model fine-tuned on the firm's audit methodology, working paper standards, and engagement patterns outperforms a general model on the firm's specific work.

The work is repetitive in structure. Audit programs follow predictable structures. Working papers follow predictable formats. Reports follow predictable templates. Specialization compounds.

The privacy story is at the maximum. Audit work product includes the client's most sensitive information — financial details, internal control issues, management representations, strategic plans, sometimes information about fraud or misconduct. Sending all of this to a third-party cloud LLM creates exposure that the firm's professional responsibility framework, the client's confidentiality expectations, and the public's reliance on audit integrity all have positions on.

The PCAOB and AICPA frameworks are explicit. Public company audits are inspected by the PCAOB; nonpublic audits are subject to peer review and AICPA standards. Both frameworks have specific positions on how technology is used in audits, with increasing attention to AI specifically. The architectural choice matters for inspection readiness.

The independence framework is its own argument. Auditors operate under strict independence rules with respect to their clients. A cloud-LLM provider that has access to the client's audit data may, depending on the provider's other relationships, create independence implications that the firm's professional ethics function would want to evaluate. Local deployment avoids this consideration entirely.

The audit evidence framework matters. The audit file is, by professional standards, the evidence the auditor used to form the opinion. AI-augmented evidence needs to be documented in a way that supports the audit conclusion. Local deployment with structured audit trails produces evidence in the form the standards expect; cloud deployment creates a dependency on the vendor's evidence preservation that may or may not match audit standards.

What changes with local inference

An audit AI workflow on a local SLM looks like this.

A model is fine-tuned on the firm's audit corpus — historical workpapers, methodology guides, internal training materials, sample reports. The fine-tune captures the firm's specific approach and voice.

The model runs on infrastructure the firm controls — typically in the firm's existing audit technology environment. The deployment is documented, validated, and approved by the firm's quality control function and methodology team.

Audit work flows through the inference pipeline within the firm's controlled environment. Risk assessments, planning documents, working papers, evidence summaries, reports — all produced locally, all without crossing the security boundary.

The cost flips from per-engagement to fixed. Engagement growth doesn't scale the AI bill.

The professional responsibility story is preserved. The audit evidence is in the firm's control. The independence considerations are resolved by the architecture.

The PCAOB and peer review conversations get easier. The firm can demonstrate that AI-augmented procedures meet the firm's methodology, that the evidence is preserved appropriately, and that the audit conclusion is supported by reviewable documentation.

What the PCAOB is watching

The PCAOB has been increasingly focused on AI use in audits. Inspection reports, standard-setting initiatives, and staff commentary all suggest that the regulatory framework is moving in directions that favor local inference.

Specifically, the PCAOB has expressed interest in: how AI tools are validated for use in audits, how the audit evidence produced by AI tools is preserved, how the auditor's professional judgment is documented when AI is involved, and how the firm's quality control system addresses AI use.

For each of these questions, the firm using local inference has structurally better answers than the firm relying on cloud LLM vendors. As PCAOB attention intensifies, the architectural choice becomes increasingly material to inspection outcomes.

Where the cloud LLM is still acceptable

A narrow set of cases.

For research and training workflows that don't touch client data — methodology research, internal training content, professional development materials.

For analysis of public information — public filings, industry benchmarks, regulatory commentary — without crossing into engagement-specific work.

For practice management workflows that don't touch engagement work.

For the bulk of audit work — risk assessment, planning, evidence review, control testing, substantive testing, report drafting — the local-SLM case is overwhelming.

The pattern, in the most regulated professional services

Avery NXR is not an audit tool. It scaffolds Next.js applications. The architectural pattern repeats, with the regulatory and professional responsibility dimensions at unusual strength.

Audit and assurance AI is a narrow, repetitive, volume-meaningful, extreme-privacy, extreme-regulatory, extreme-professional-responsibility workload. Every dimension favors local inference. The PCAOB attention adds an inspection-readiness argument that compounds with the cost, privacy, and audit evidence arguments.

The audit technology vendors that build on local infrastructure — with appropriate fine-tuning, integration with audit management systems, and evidence packages that satisfy PCAOB and AICPA expectations — will own the institutional audit AI market. The cloud-LLM-default products will face structural friction with the regulatory environment.

The pattern continues. Audit is one of the workflows where the architectural shift to local inference is being driven primarily by the professional responsibility framework and the regulatory expectations, with cost and privacy as reinforcing arguments. Firms that move first will be ahead on inspection readiness and on cost simultaneously.