

For many organizations, generative artificial intelligence (GenAI) is a game changer among the digital tools that have improved how people work. Unlike other AI systems or deployments, GenAI goes beyond traditional AI by creating content such as text, images, and code. GenAI is also capable of enabling human-like interaction using natural language prompts. These prompts are referred to as “conversation starters,” and they contain the instructions—the what and the how—that one submits to the AI program to generate useful responses.1 GenAI has the potential to improve the audit function’s efficiency and effectiveness. However, the use of GenAI does not come without risk, and organizations should be aware of that risk when implementing GenAI. It is of the utmost importance to identify and mitigate risk before implementing GenAI or any emerging technology. The overall safety and security of the organization depends on it.
Using GenAI in Audit
A recent report from McKinsey noted that 92% of organizations plan to increase their AI investments; however, the effectiveness of using AI in their work processes to drive substantial business outcomes is still lacking.2 For the audit function, GenAI has the potential to provide auditors with an opportunity to support and enhance their work efficiency and effectiveness at different stages of their audit engagements. Tasks that often require substantial time, such as performing fieldwork testing by identifying unusual transactions among a large pool of unstructured data, analyzing the transactions for patterns and anomalies, and even processing large amounts of data, can be facilitated many times faster by leveraging AI.3 Audit reports could also be drafted even faster with GenAI by generating specific sections, such as executive summaries or detailed findings with raw writing and notes. GenAI can support an auditor’s work as a researcher, drafter, or even peer reviewer, from audit planning and fieldwork testing to report writing.
Effective Prompts to Obtain Quality Outputs
While GenAI can be seen as an easy-to-use tool, generating an insightful and desirable output is far from simple. Poorly designed prompts will lead to irrelevant or misleading outputs. Poorly designed prompts are typically one-liner prompts such as “how to audit an application,” “what are key areas of risk for a particular system,” or “generate a list of IT risk to audit.” These lacklustre prompts could potentially waste time and negatively impact an audit, such as misrepresenting risk and audit scope. To successfully use GenAI, auditors should have a thorough plan of action, followed by training workshops and trial runs of the technology to ensure that users understand how to use prompts to generate meaningful output.
Prompt engineering is the practice of designing effective prompt structures to communicate with GenAI.4 A sample prompt could be framed as: act as a [Role] to perform a [Task] in [Specific Format]. Crafting a prompt in this way gives the AI model both a task and the way it should be accomplished, which makes the output more specific and better aligned with the user's intent.
By understanding the basics of prompt structures, auditors can then utilize more well-defined frameworks, such as the CO-STAR framework.5 The CO-STAR Framework facilitates better decision making by identifying the key elements of a proposed project and articulating them clearly. Organizations can sharpen the quality of AI outputs by utilizing the framework to clarify prompts. As seen in figure 1, the CO-STAR framework consists of 6 areas of consideration: Context and Objective provide the AI model with background information and instructions to perform a specific task. Style, Tone, Audience, and Response help to specify the format and length, allowing the user to get a response closer to what they intended. This includes providing better data to GenAI on how the output should be generated.
Figure 1—Elements of CO-STAR Framework
| CO-STAR Framework Area | Role |
|---|---|
| Context | Provide the necessary background information that will help the AI understand the topic you want to discuss. |
| Objective | Clearly state the goal or objective that you want the AI to perform. What response should the AI output? Be as specific as possible. |
| Style | Specify the style in which you want the AI to craft the response. This can make the difference between a generic response vs. a specific one. For example, should the AI mimic a particular person’s style of writing or speaking? |
| Tone | Decide the tone of the output. AI can also be prompted to respond in a particular tone. For example, should the AI response be casual or professional? |
| Audience | Choose the audience for the output. Are you writing to a general audience or a specific group of people? Specifying your audience will help the AI tailor its response and choose words and phrases that the audience can understand or resonate with better. |
| Response | Visualize how the response should look. For example, is a short answer preferred or a detailed explanation? Should the output be formatted in a wall of text, numbered, or tabular form? |
For example, a prompt that may be overly generic, such as “What are the potential risk areas of a system?” can be modified, as demonstrated in figure 2, using the CO-STAR Framework.
Figure 2—Prompt Enhanced Through CO-STAR Framework
| CO-STAR Element(s) | Prompt Segment |
|---|---|
| Context, Objective | “Act as an auditor, you are required to perform a risk assessment for a system hosted on-premises used to process customer data.” |
| Style, Tone, Audience | “The tone of the output should be professional, easily incorporated into audit planning memorandum, and easily understandable for any auditor reading it.” |
| Response | “The output of the risk assessment will consist of a summary of key pointers and all risk identified and listed in a table format with 2 columns. The first column should state the type of risk, and the second column should state the likelihood and impact of the risk.” |
By applying the CO-STAR framework, auditors can craft precise and context-rich prompts that drive more accurate and relevant AI outputs—ultimately enhancing the efficiency, reliability, and depth of audit work.
GenAI Challenges
Effective prompting can help auditors enhance efficiency in audit work. However, it is important to remember that while prompting offers significant advantages, it also comes with challenges that auditors must carefully navigate.
- Learning and proficiency—Similar to all technologies, there is a learning curve to the effective use of GenAI in audits. Crafting high-quality prompts involves a combination of domain knowledge and technical understanding of AI capabilities and limitations. This can be particularly challenging for auditors unfamiliar with prompting frameworks or structures. CO-STAR, for instance, encourages users to provide clear context and objectives while tailoring prompts to specific tasks. While this approach enhances AI-output performance, the application will require time, effort, experimentation, and practice.
Organizations can ease this transition by investing in training programs, developing prompt templates for recurring tasks, and promoting iterative refinement to improve results over time.
- Data privacy and security—Due to the nature of the auditor's job, confidential or sensitive information may be involved in audit work. As such, there is always the possibility of data leakage when using cloud-based AI solutions if proper due diligence and safeguarding measures are not observed.6
Auditors should always conduct risk assessments, limit data usage, and implement the proper guardrails for handling confidential or sensitive data when using GenAI solutions.
- Bias and hallucinations—The outputs of GenAI are not always perfect, and no output should be relied upon without validation. Depending on how the GenAI system is being trained, for example, with an incomplete or biased training dataset, the output could potentially be skewed.7 Separately, hallucination is also not uncommon.8 AI hallucination occurs when a large language model (LLM) or computer vision tool generates false or nonsensical outputs by perceiving patterns or objects that do not exist or are imperceptible to humans.9 The result could be disastrous if auditors use GenAI outputs without validation, as that could impact their ability to deliver quality audit work.
Therefore, auditors should have a process in place to ensure the outputs of GenAI are factual. This includes validating AI-generated responses with trusted sources before relying on them and treating GenAI as an assistive tool rather than a sole authority when using the technology. Auditors can also consider performing tests on the GenAI models they intend to use before adopting them for their audit work to ascertain model suitability.
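The following is an added example, not code from the article, that turns two of the practices above into a pre-submission check: it assembles a prompt from the six CO-STAR elements of figure 1, refuses a prompt that leaves any element blank (the one-liner style the text warns against), and redacts anything that looks like an e-mail address or a card number before the prompt can reach a cloud-hosted model. The element labels, the two detection patterns, and the split of the figure 2 wording into six parts are assumptions made for this example.

```python
import re

# The six CO-STAR elements of figure 1; a prompt must supply every one of them.
COSTAR_ELEMENTS = ("context", "objective", "style", "tone", "audience", "response")

# Constructed guardrail patterns (assumption): text that looks like an e-mail
# address or a 16-digit card number must not reach a cloud-hosted model as-is.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}

def missing_elements(parts: dict) -> list:
    """Return the CO-STAR elements that are absent or blank, in framework order."""
    return [e for e in COSTAR_ELEMENTS if not parts.get(e, "").strip()]

def build_costar_prompt(parts: dict) -> str:
    """Assemble a labelled prompt; refuse one that omits any CO-STAR element."""
    missing = missing_elements(parts)
    if missing:
        raise ValueError("prompt is missing CO-STAR elements: " + ", ".join(missing))
    return "\n".join(f"# {e.capitalize()}\n{parts[e].strip()}" for e in COSTAR_ELEMENTS)

def sensitive_hits(text: str) -> dict:
    """Map each pattern name that matched to its number of matches in the text."""
    return {n: len(p.findall(text)) for n, p in SENSITIVE_PATTERNS.items() if p.search(text)}

def redact(text: str) -> str:
    """Replace every sensitive match with a labelled placeholder."""
    for name, pattern in SENSITIVE_PATTERNS.items():
        text = pattern.sub(f"[REDACTED {name.upper()}]", text)
    return text

def prepare_for_submission(parts: dict) -> tuple:
    """Build the prompt and return (prompt, hits); the prompt is redacted when hits is non-empty."""
    prompt = build_costar_prompt(parts)
    hits = sensitive_hits(prompt)
    return (redact(prompt) if hits else prompt), hits

# Constructed sample: the figure 2 prompt split into the six elements (assumed wording).
FIGURE2_PARTS = {
    "context": "Act as an auditor. A system hosted on-premises is used to process customer data.",
    "objective": "Perform a risk assessment for this system.",
    "style": "Suitable for direct inclusion in an audit planning memorandum.",
    "tone": "Professional.",
    "audience": "Any auditor reading the memorandum.",
    "response": "A summary of key pointers, then a table with two columns: type of risk; likelihood and impact.",
}
```

Calling `prepare_for_submission(FIGURE2_PARTS)` returns the labelled prompt with no hits; the same call on a context that quotes a customer record returns the redacted prompt together with a count of what was removed, which can be logged for the audit trail.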
If not used properly, the risk of using GenAI will outweigh the benefits. The ineffective use of GenAI may render auditors unable to provide the assurance expected from their audit work and may potentially lead to sensitive data leakage.
Conclusion
Auditing work can be improved using effective GenAI prompting. As this technology continues to evolve, auditors must expand their knowledge of emerging technologies to understand how to leverage them to stay relevant and efficient. Organizations should also remember that when adopting any new technology, they incur the added responsibility of ensuring that employees understand how to use the technology in a manner that does not harm organizational security. To this end, auditors should stay current on industry news and regulations to decrease potential legal and reputational risk.
With the advancements in GenAI, it is prudent for auditors to explore its adoption and harness the potential benefit while assessing the risk involved. This means that auditors and organizations should critically plan and assess how to effectively leverage GenAI in various aspects of audit work and business processes. Through proper planning, auditors can integrate GenAI into their processes to enhance efficiency in audit engagements and mitigate associated risk.
Endnotes
1 MIT Sloan Teaching & Learning Technologies, “Effective Prompts for AI: The Essentials,” 16 September 2024
2 Mayer, H.; Yee, L.; et al.; “Superagency in the Workplace: Empowering People to Unlock AI’s Full Potential,” McKinsey Digital, 28 January 2025
3 Dennis, A.; “What AI Can Do for Auditors,” Journal of Accountancy, 1 February 2024
4 GeeksforGeeks, “What is Prompt Engineering – Meaning, Working, Techniques,” 4 June 2023
5 Zentennial, F.; “Unlocking the Power of COSTAR Prompt Engineering: A Guide and Example on Converting Goals Into System of Actionable Items,” Medium, 19 January 2024
6 Gomstyn, A.; Jonker, A.; “Exploring Privacy Issues in the Age of AI,” IBM, 24 September 2024
7 Holdsworth, J.; “What is AI Bias?,” IBM, 22 December 2023
8 Zhao, W.; Goyal, T.; et al.; “WildHallucinations: Evaluating Long-form Factuality in LLMs with Real-World Entity Queries,” arXiv, 24 July 2024
9 IBM, “What are AI hallucinations?,” 1 September 2023
Chelson Chong
Is a driven individual with a strong passion for cybersecurity and artificial intelligence, aspiring to build a career in these fields. He previously interned in the internal audit function of a leading global airline, where he contributed to digital transformation initiatives, including automation and generative AI.
Meng Fai Chan, CISA, CDPSE, CISSP, GRID
Is a seasoned technologist with more than 15 years of experience in the technology risk and cybersecurity field. Throughout his career, he has worked extensively across both private and public sector organizations, bringing a wealth of knowledge and expertise to each role he undertakes. His passion for staying up to date on emerging trends and best practices in the field enables him to deliver exceptional results for his stakeholders. As a trusted advisor, he is committed to improving business opportunities and minimizing risk in today's rapidly evolving technology landscape.