FRC publishes first-ever guidance for audit firms on generative and agentic AI use, setting a three-risk framework as EY deploys new AI audit platform
The Financial Reporting Council (FRC) — the UK's audit and corporate governance regulator — has published what it describes as the first guidance specifically designed for audit firms on the use of generative and agentic AI (AI systems capable of taking autonomous sequences of actions, not just generating text). The guidance arrives as major audit firms including EY are actively deploying AI audit platforms in live engagements. The FRC framework organises AI audit risk into three categories. First, AI output may be wrong because the input data was flawed or the underlying model was faulty. Second, output may be correct but misinterpreted by the auditor relying on it. Third, AI may produce technically compliant output that nonetheless fails to meet the standard of work a human auditor would have performed — a subtler risk that goes to the heart of what professional auditing judgment means when delegated partially to a machine. The guidance is significant because it is the first time a UK regulator has directly addressed the professional responsibility question in AI-assisted audit: when an AI tool makes an error that passes into a signed audit opinion, who bears regulatory and legal liability — the firm, the engagement partner, or the tool provider? The FRC's framework does not answer that question definitively but establishes the risk taxonomy against which future enforcement actions or professional discipline proceedings will likely be assessed. For law firms advising audit firms and their technology vendors, the guidance creates an immediate compliance gap-analysis mandate.
Why this matters
The FRC guidance activates regulatory advisory work across several practice areas: audit firms need counsel on implementing compliance frameworks aligned with the three-risk categories; technology vendors supplying AI audit tools need advice on their contractual exposure if tool errors generate a negligent audit opinion; and insurers writing professional indemnity policies for audit firms need to assess how AI-assisted audit changes the risk profile they are underwriting. The 'why now' trigger is the pace of AI deployment in audit outrunning the regulatory framework — firms like EY were already live with AI platforms before any guidance existed, creating a period of legal uncertainty that the FRC has now partially addressed. The guidance also sets a benchmark against which the FRC's Audit Quality Review team will assess inspections, meaning non-compliance carries direct enforcement risk. This is a UK-first development with likely EU and IAASB (International Auditing and Assurance Standards Board) follow-on, making it a template for global audit AI governance.
On the Ground
A trainee supporting a regulatory advisory team helping an audit firm implement the FRC guidance would draft a compliance gap-analysis memo — mapping the firm's current AI tool usage against each of the three FRC risk categories and identifying where additional controls, documentation, or training are required. You would also assist with updating the firm's technology licence review for any AI tools deployed in audit engagements, checking indemnity and liability allocation provisions.
Interview prep
Soundbite
The FRC's three-risk AI audit framework is now the benchmark — every audit firm's AI deployment is measured against it.
Question you might get
“Under the FRC's new AI audit guidance, if an AI tool produces a materially wrong output that leads to an incorrect audit opinion, how would you analyse the allocation of regulatory liability between the audit firm, the engagement partner, and the AI tool vendor?”
Full answer
The FRC has published the UK's first regulatory guidance on generative and agentic AI in audit, establishing three categories of risk: wrong output, misinterpreted output, and output that is technically correct but falls below the standard a human auditor would have met. This matters legally because it creates the framework against which professional discipline and enforcement proceedings will be assessed when AI-assisted audits produce deficient opinions. EY is already deploying AI audit platforms, meaning the guidance is immediately operational rather than prospective. For law firms, this generates compliance advisory work for audit firms, liability clause negotiation for AI tool vendors, and professional indemnity advice for insurers. The structural shift is that audit liability — which has historically attached to the engagement partner — must now be re-examined when material judgments are AI-assisted rather than purely human.