Building an AI maturity model for audit teams and firms

TL;DR

UK audit firms are past the 'should we try AI?' question: 71% are already using or piloting it. The FRC's March 2026 guidance confirms that AI tools fall inside ISQM (UK) 1 quality management obligations, and the ICO is clear that UK GDPR applies the moment personal data enters an AI system. A structured AI maturity model, running from ad-hoc experimentation to integrated capability, gives practices a regulatory-aligned path to scale AI responsibly.

Key takeaways

- The FRC's March 2026 guidance confirms that AI tools in audit engagements fall inside ISQM (UK) 1 quality management obligations, making an unmanaged AI approach a regulatory risk, not just an operational one.
- Seventy-one per cent of UK and Ireland audit firms are already using or actively piloting AI, according to an April 2026 IDC/Caseware study, so the practical question for most practices is governance, not adoption.
- A five-stage AI maturity model running from ad-hoc experimentation through to strategic redesign gives practices a common language for discussing AI governance with ISQM partners, insurers, and clients.
- The ICO's guidance on AI and data protection confirms that UK GDPR accountability applies as soon as personal data enters an AI system, which covers payroll files, customer ledgers, and HR records routinely handled in audit work.
- Practices with EU clients should map the EU AI Act's high-risk AI category requirements, including documented risk management, human oversight, and logging, into their maturity stages from Stage 2 onwards.

A partner at a small audit practice recently described how she and two colleagues had been using an AI assistant for months: summarising board minutes, drafting working-paper commentary, flagging anomalies in trial balances. There was no ISQM manager in the loop, no check on whether client data was going into a public model, and no written policy. The tools were useful. That was almost the whole story.

It is a familiar picture. According to an April 2026 IDC study commissioned by Caseware, 71% of UK and Ireland audit and accounting firms have already embedded AI into firm strategy, deployed it in selected functions, or run active pilots, ahead of the 66% global average. For most practices, AI adoption is already under way. The open question is how to govern it.

An AI maturity model is the practical scaffold for that question.

What is an AI maturity model for an audit firm?

An AI maturity model is a structured set of stages describing how systematically a firm uses and governs AI, from unmanaged individual experimentation through to integrated, regulated capability. For audit practices, each stage maps to the quality obligations already sitting in ISQM (UK) 1 and the FRC’s 2026 guidance on generative and agentic AI, which means maturity here is about regulatory alignment, not just technical ambition.

The stages typically run as follows. Stage 0 is ad-hoc experimentation: individual staff using public AI tools privately, without policy, data protection review, or any link to quality management. Stage 1 is policy and guardrails: approved tools, a short written policy, and AI added to the ISQM quality risk assessment. Stage 2 is controlled workflow pilots: bounded use cases with documented purpose, legal basis, and formal sign-off. Stage 3 is integrated capability: AI embedded in standard methodologies, with a tool register, measurable KPIs, and staff training. Stage 4 is strategic redesign: AI is assumed from engagement planning through to reporting, with external assurance potentially applied to the firm’s own AI controls.

Many independent practices in the UK sit somewhere between Stage 0 and Stage 2. The FRC guidance published in March 2026 makes Stage 1 effectively the regulatory floor.

Why does it matter for your practice right now?

The FRC published its first guidance on generative and agentic AI in audit engagements on 30 March 2026, confirming that AI tools fall inside existing ISQM (UK) 1 quality management obligations and that human auditors remain fully accountable for audit quality regardless of which AI tools they use. Staying at Stage 0 is no longer a neutral position; it is a governance gap with regulatory consequences.

The pressure arrives from several directions. The same IDC/Caseware study that reported 71% adoption also found that 80% of UK and Ireland audit leaders described the need for a harmonised AI framework as “very or extremely urgent”, and that 62% were willing to trade some AI performance for stronger security and governance controls. The sector understands the risk; it has not yet standardised how to manage it.

A maturity model gives you a shared language for that conversation, whether internally with your ISQM partner, with your professional indemnity insurer, or with clients who are beginning to ask how their data is handled when your team deploys AI tools.

Where do the stages show up in an audit workflow?

For small and mid-sized practices, AI shows up first in document-heavy, repeatable tasks: summarising board minutes, reviewing contracts for revenue recognition testing, drafting analytical commentary from trial balance data. The FRC specifically cited those as realistic early applications in its March 2026 guidance. The distinguishing question at each stage is whether the use is governed, documented, and connected to an ISQM quality objective.

Stage 1 looks like this in practice: the firm has approved a specific tool, perhaps a Microsoft Copilot deployment or a vetted contract-review assistant, and has explicitly barred client-identifiable data from public models unless formally assessed. There is a short written policy covering permitted use, prohibited use, data handling, and when to escalate to a partner or Data Protection Officer. AI has been added to the ISQM quality risk assessment and responses.

Stage 2 adds documentation for each pilot: purpose, data sources, legal basis under UK GDPR, expected benefits, tests performed, and sign-off. If the pilot involves personal data likely to be high-risk, for example employee disciplinary records or customer credit data, a Data Protection Impact Assessment is completed first. The ICO is clear that accountability obligations under UK GDPR apply as soon as personal data enters an AI system.

Stage 3 means AI has become part of the standard methodology: a register of all tools, defined KPIs such as error rates versus manual process and time saved, and mandatory staff training that frames AI outputs as starting points rather than conclusions. The 2025 techUK mapping of the AI assurance ecosystem identifies financial services firms as already running ongoing monitoring for fairness and robustness. For a small audit practice, an independent review can be as simple as a second manager re-performing key tests on a sample of AI-assisted outputs before any procedure is considered standard.

When should you formalise the model rather than wait?

If your firm has staff using AI tools on client engagements without a documented policy, you are at Stage 0. The ICO is clear that personal data is everywhere in audit work (payroll, HR files, customer ledgers) and that UK GDPR accountability applies the moment that data enters an AI system.

Waiting for a harmonised industry framework is understandable as a long-term ambition, but a written policy for the tools you already use is something a partner can produce in a working afternoon. Write down what tools you permit, what data they can touch, and who signs off. That is Stage 1, and it maps directly to the FRC’s requirement to consider AI tools within ISQM (UK) 1 quality management obligations.

The case for waiting applies at the more ambitious end. Stage 4, full strategic redesign with external AI assurance, carries a real cost and may not pay back for a practice below a certain size. Wolters Kluwer notes that many firms are still in an embedding phase, deploying AI within specific workflows rather than redesigning whole processes, and that embedding in those specific workflows is a legitimate stopping point. The economics depend heavily on how standardised your engagement work already is.

The EU AI Act adds a further consideration for practices with EU clients. The Act classifies certain AI systems used in employment, creditworthiness, and risk assessment as high-risk, requiring documented risk management, logging, and human oversight. UK firms operating in that space need to account for it when designing their maturity pathway.

What else does an AI maturity model connect to?

An AI maturity model for an audit practice connects directly to three frameworks you almost certainly already manage: ISQM (UK) 1 quality management, ICO guidance on AI and data protection under UK GDPR, and for practices with EU clients, the EU AI Act’s requirements for high-risk AI systems. Aligning your maturity stages explicitly with those three creates the evidence trail that regulators, insurers, and clients will ask for.

There is a cross-sector lesson worth drawing on. The 2025 techUK sector mapping notes that financial services, including banking and insurance, has developed systematic AI testing, bias auditing, and independent model validation further than many other sectors. The FCA’s AI Live Testing scheme and PwC’s use of the AI Verify framework are documented examples; for a small practice, independent review means a second manager running manual sample tests rather than a specialist third-party audit. The underlying concept, documented validation before embedding, is the same.

AccountingWEB’s AI maturity model for audit and finance describes a staged path from initial experimentation to integrated capability. Sage’s research on the accounting sector notes that many firms are using AI informally around the business rather than inside it, creating a hidden capacity gap. The maturity model is how you close that gap deliberately, rather than discovering it during an ISQM review or a regulatory enquiry. The UK also now has over 5,800 AI firms, a 58% increase in a single year according to the government’s 2024 AI sector study, which means more specialist tools but also more due-diligence work when selecting vendors and integrating them into a controlled audit environment. A maturity framework gives you the criteria to make those vendor decisions consistently.

Sources

- Financial Reporting Council (2026). Innovative new guidance supports audit firm adoption of emerging AI technologies. First FRC guidance on generative and agentic AI in audit engagements; confirms AI falls inside ISQM (UK) 1 obligations. https://www.frc.org.uk/news-and-events/news/2026/03/innovative-new-guidance-supports-audit-firm-adoption-of-emerging-ai-technologies
- ICO (2024). Guidance on AI and data protection. Sets out UK GDPR accountability requirements when organisations use AI on personal data, including DPIAs, transparency, and controls on automated decisions. https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-ai-and-data-protection/
- Caseware / IDC (2026). UK and Ireland firms lead global AI adoption in audit and accounting. Reports 71% of UK and Ireland firms already embedding or piloting AI, with 80% calling for harmonised AI frameworks and 62% willing to trade performance for security. https://www.caseware.com/uk/news/uk-ireland-firms-lead-global-ai-adoption-in-audit-and-accounting-as-profession-shifts-from-planning-to-real-world-deployment
- UK Government (2024). Artificial Intelligence sector study 2024. Identifies 5,862 AI firms in the UK, a 58% increase from 3,713 in 2023, with over 90% classified as micro-enterprises, illustrating the proliferation of potential AI vendors for professional services. https://www.gov.uk/government/publications/artificial-intelligence-sector-study-2024/artificial-intelligence-sector-study-2024
- EUR-Lex (2024). Regulation of the European Parliament and of the Council laying down harmonised rules on Artificial Intelligence (AI Act). Classifies AI systems in employment, creditworthiness, and risk assessment as high-risk, requiring risk management, logging, and human oversight. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0206
- techUK (2025). A Maturing AI Assurance Ecosystem: Sector Specific Applications. Maps financial services AI assurance maturity, citing Virgin Money and PwC systematic testing and FCA AI Live Testing as models for smaller firms to adapt. https://www.techuk.org/resource/a-maturing-ai-assurance-ecosystem-mapping-sector-specific-applications.html
- PwC UK (2024). Building trust in AI: UK's assurance roadmap and AI Verify. Commentary on the UK AI assurance roadmap, AI Opportunities Action Plan, and the £11m AI Assurance Innovation Fund; describes systematic AI testing and independent bias audits in practice. https://www.pwc.co.uk/industries/financial-services/understanding-regulatory-developments/building-trust-in-ai-uks-assurance-roadmap-and-ai-verify.html
- Sage Advice UK (2025). AI maturity curve for accountants and bookkeepers. Notes that many accounting firms are using AI informally around the business rather than inside it, creating a hidden capacity gap unless operations are redesigned. https://www.sage.com/en-gb/blog/accounting-bookkeeping-ai-maturity-curve/
- AccountingWEB (2025). The AI maturity model for audit and finance: your step-by-step path to meaningful AI. Describes a staged path from initial experimentation through to integrated, optimised AI capability for audit and finance teams. https://www.accountingweb.co.uk/resources/the-ai-maturity-model-for-audit-and-finance-your-step-by-step-path-to-meaningful-ai

Frequently asked questions

Does the FRC require audit firms to have a formal AI policy?

The FRC has not mandated a specific policy document, but its March 2026 guidance on generative and agentic AI confirms that firms must consider how AI tools fit within ISQM (UK) 1 quality management obligations. In practice, that means assessing AI tools as part of your quality risk assessment and ensuring that human auditors can obtain appropriate confidence in any AI outputs they rely on. A written policy is the most defensible way to demonstrate that.

Can we use public AI tools like ChatGPT for client work?

Using public consumer AI tools on client data carries significant risk under UK GDPR. Many consumer tools log prompts for model training unless a business agreement prevents it, and public tools may involve international data transfers that require careful assessment under ICO guidance. Until you have confirmed that the tool meets your data protection obligations and sits within your ISQM quality controls, the safer position is to limit their use to internal tasks that involve no client-identifiable data.

Does the EU AI Act apply to UK audit firms?

UK audit firms that build or deploy AI for EU clients, or handle EU personal data, should account for the EU AI Act alongside UK ICO and FRC obligations. The Act classifies certain AI systems in employment, creditworthiness, and risk assessment as high-risk, requiring documented risk management, human oversight, and logging. For cross-border engagements in those categories, EU requirements belong in your maturity model from Stage 2 onwards.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
