Machine Learning for Auditing: Where It Works and Where It Doesn't
I built two audit-adjacent tools: FraudShield (fraud detection) and AuditFlow (automatic audit). Combined, they taught me where ML adds value in auditing — and where it doesn't.
Where ML Works
1. Transaction-level anomaly detection — Isolation Forest on journal entries catches outliers humans miss
2. Duplicate detection — MD5 hashing across multiple fields catches near-duplicates
3. Stratified sampling — ML can optimize sample selection for substantive testing
Where ML Doesn't Work
1. Control testing — evaluating whether a control is well-designed requires judgment
2. Estimation accuracy — ML can't determine if a warranty provision is adequate
3. Fraud motivation — ML sees patterns, not intent
The Right Mix
AuditFlow uses deterministic rules (PCG compliance, equation balancing, class coherence) rather than ML, because audit rules are known and shouldn't be probabilistic.
FraudShield uses ML because fraud patterns are unknown and evolving.
The rule: if you can write a deterministic check, don't use ML. Reserve ML for cases where the "normal" pattern is unknown or changing.
The IIA's position paper on AI in auditing reaches similar conclusions.