The audit profession in Malaysia is changing faster than its public discourse suggests. AI is already inside the working files of every Big Four firm and most of the larger mid-tier practices. The question for partners and audit managers in 2026 is not whether to use AI, but where in the audit cycle it actually adds value, and where it must stay out for professional and regulatory reasons.
This article is the working framework I use with audit teams at YYC and in conversations with peers across the profession. It maps AI use cases against the audit cycle, with the lines drawn clearly between what is appropriate and what crosses into territory that the MIA By-Laws and the ISA do not permit.
1. Risk assessment and analytical procedures
The clearest first win for AI in audit. At the planning stage, AI tools can ingest the previous year's working papers, the current year's preliminary trial balance, and external industry data, then surface anomalies that warrant attention. What previously took a senior associate two days now takes a senior associate two hours, with broader coverage.
The pattern: an LLM-based tool reads the trial balance, computes ratio analyses across multiple periods, and produces a draft analytical-procedures memo highlighting accounts with material year-on-year variance, unusual seasonality, or behaviour inconsistent with industry benchmarks. The auditor reviews, accepts, rejects, or expands.
2. Journal entry testing
One of the highest-volume tasks in any audit, traditionally handled with sample-based testing or rules-based queries (entries posted on weekends, by the CFO, with round-number amounts). AI extends this materially. Rather than fixed rules, an AI agent can be tuned to the client's specific operations and surface entries that look anomalous in context — unusual approver, atypical narration patterns, account combinations the client does not normally use.
The discipline matters. The AI is not signing off on the entries; it is producing a ranked list of items the auditor reviews. Documentation of the methodology, the prompt, and the auditor's judgement on each flagged item is what makes this defensible.
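The ranked-list pattern described in this section, as an added example (not code from the article or from any audit tool): the fixed rules named above (weekend, CFO, round number) are combined with two context checks, where simple frequency counts against the client's own journal stand in for the AI agent. The field names, the sample journal, the `cfo_users` parameter and the equal weighting of each reason are assumptions.

```python
from collections import Counter
from datetime import date
from decimal import Decimal

FIELDS = ("id", "date", "poster", "approver", "dr", "cr", "amount")
# Constructed sample journal (not client data); field names are assumptions.
ROWS = [
    ("JE-001", date(2025, 3, 3), "clerk1", "fm", "6100", "2000", "1234.56"),
    ("JE-002", date(2025, 3, 4), "clerk1", "fm", "6100", "2000", "845.10"),
    ("JE-003", date(2025, 3, 5), "clerk2", "fm", "1200", "4000", "15320.75"),
    ("JE-004", date(2025, 3, 6), "clerk2", "fm", "1200", "4000", "9870.40"),
    ("JE-005", date(2025, 3, 8), "cfo", "cfo", "1200", "3900", "500000.00"),
    ("JE-006", date(2025, 3, 10), "clerk1", "fm", "6100", "2000", "2000.00"),
    ("JE-007", date(2025, 3, 11), "clerk2", "fm", "1200", "4000", "4410.00"),
    ("JE-008", date(2025, 3, 12), "clerk1", "ops", "6100", "2000", "312.90"),
]
JOURNAL = [dict(zip(FIELDS, row)) for row in ROWS]


def rank_entries(journal, cfo_users=frozenset({"cfo"}), round_unit=1000):
    """Return [(entry_id, score, reasons)] for flagged entries, highest score first."""
    approvers = Counter(e["approver"] for e in journal)
    pairs = Counter((e["dr"], e["cr"]) for e in journal)
    ranked = []
    for e in journal:
        reasons = []
        # Fixed rules named in the article.
        if e["date"].weekday() >= 5:
            reasons.append("posted on a weekend")
        if e["poster"] in cfo_users:
            reasons.append("posted by the CFO")
        if Decimal(e["amount"]) % round_unit == 0:
            reasons.append("round-number amount")
        # Context checks: rarity is measured against this client's own journal.
        if approvers[e["approver"]] == 1:
            reasons.append("approver seen only once")
        if pairs[(e["dr"], e["cr"])] == 1:
            reasons.append("account combination seen only once")
        if reasons:
            # Reasons travel with the entry so the auditor can record a judgement on each.
            ranked.append((e["id"], len(reasons), reasons))
    # Score descending, then id, so the ranking is reproducible in the workpaper.
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for entry_id, score, reasons in rank_entries(JOURNAL):
        print(entry_id, score, "; ".join(reasons))
```

The output is a review queue, not a conclusion: each tuple carries the reasons it was flagged, which is the part that goes into the working file alongside the auditor's judgement.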
3. Document understanding
Reading contracts, supplier invoices, lease agreements, and complex correspondence — and extracting structured data from them — is where AI delivers the cleanest value in 2026 audit work. Combined with workflow automation (n8n + Claude is the stack we use), document-intensive tasks like lease accounting under MFRS 16, complex revenue recognition under MFRS 15, and impairment indicator review can be substantially accelerated.
Critical caveat: client confidential data should not be sent to public LLMs without an enterprise contract. Anthropic, OpenAI, and Google all offer enterprise tiers that meet the bar. Consumer ChatGPT does not, and its use on client data is a clear breach.
4. Audit narrative drafting
Drafting management letters, audit findings memos, and the narrative sections of audit reports is now substantially faster with AI assistance. The pattern is the same as in our broader accountant playbook: AI for first draft, human (always) for the final draft. The audit partner remains the author and reviewer; AI is the typist that does not get tired.
5. The lines that must not be crossed
Five specific things AI cannot do in a Malaysian audit:
- Form audit opinions. The opinion in an audit report is the engagement partner's judgement, full stop. AI can support; AI cannot conclude.
- Replace independence considerations. If a service is prohibited under MIA independence rules, it remains prohibited when delivered with AI assistance. The technology does not change the rule.
- Bypass audit trail requirements. Every AI-assisted audit step must be documented in the workpapers — what tool, what prompt, what output, what the auditor's judgement was. Audit trail requirements under ISA 230 apply equally to AI assistance.
- Handle evidence on prohibited platforms. Client data on consumer LLM platforms breaks confidentiality and PDPA. Approved enterprise platforms only.
- Sign workpapers. Reviewer sign-offs remain a human responsibility.
6. The MIA dimension
The MIA has been increasingly active in providing practical guidance on AI use in the profession, including webinars on Practical AI for Finance Teams and AML/CFT obligations under the AMLA. Member firms should track MIA publications quarterly and adjust internal policies accordingly. The regulatory floor is moving, and assuming that what was permitted in 2024 is still permitted in 2026 is a risk to a firm's defensible position that most firms cannot afford.
7. A sensible 90-day starting plan for a Malaysian audit firm
- Days 1–30: Vocabulary alignment across partners. One-day workshop on AI fundamentals, agent capabilities, and governance. Establish the firm's approved-platform list and prohibited-platform list.
- Days 31–60: Pilot AI on one specific use case — usually risk assessment or journal entry testing — on one client portfolio with full documentation. Track hours saved against the comparable prior-year engagement.
- Days 61–90: Partner review of pilot outcomes. Decide which use cases to extend, which to pause, and what governance updates are needed. Establish the cadence for ongoing review.
For Malaysian audit firms ready to formalise this, our AI Agentic Automation programme covers the n8n + Claude workflow stack, and our AI Vibe Coding programme equips audit staff to build their own internal tools. Both are HRDC SBL-KHAS claimable for eligible employers.