FRC publishes UK's first regulatory AI guidance for auditors as EY deploys live AI audit platform, forcing firms to confront professional liability in the age of agentic AI
The Financial Reporting Council (FRC), the UK's audit regulator, has published the first guidance in the UK specifically addressing how audit firms should govern the use of generative AI (AI that produces new content such as text, analysis, or summaries) and agentic AI (AI that takes autonomous sequences of actions without continuous human instruction) in live audit engagements. The guidance arrives as EY has already deployed a new AI audit platform in active engagements — meaning the regulatory framework is catching up with commercial practice, not leading it.

The FRC's framework identifies three categories of AI-specific audit risk. First: AI output may be factually wrong, because the input data fed to the model was flawed or the model itself contains errors. Second: AI output may be technically correct but misread or misapplied by the human auditor relying on it. Third: AI may produce output that satisfies a surface-level audit test but fails to reach the depth or quality of judgment that a human auditor, applying professional scepticism, would have brought — the most legally and professionally challenging category because it is the hardest to detect and document.

For law firms advising audit firms and AI technology vendors, the guidance creates an immediately actionable compliance framework. It establishes the taxonomy against which the FRC's Audit Quality Review function will assess AI use in inspections — meaning any audit firm that cannot demonstrate it has mapped its AI deployments against these three risk categories faces direct enforcement exposure. Contractual liability between audit firms and AI tool vendors — particularly indemnity provisions where tool error contributes to a deficient opinion — is now a live negotiation point rather than a theoretical one.
Why this matters
The FRC guidance is the most significant UK regulatory document on AI in professional services practice published to date, because it directly addresses the liability question that the EU AI Act defers: when AI-assisted professional work causes harm, who is responsible and under what framework are they assessed? By establishing the three-risk taxonomy, the FRC has given its enforcement function a benchmarking tool. Audit firms need lawyers to help them design compliance frameworks, update engagement letter terms to reflect AI tool usage, and negotiate technology licences with AI vendors that appropriately allocate liability for tool-generated errors. The 'why now' trigger is EY's live deployment of an AI audit platform — the FRC was forced to publish guidance or face a period of regulatory vacuum in which major audits were being conducted under AI assistance with no accountability framework. The next step to watch is whether the IAASB (International Auditing and Assurance Standards Board) adopts equivalent international standards, which would globalise this framework and affect every major firm's international audit practice.
On the Ground
A trainee supporting a team advising an audit firm on FRC AI compliance would draft a regulatory impact assessment memo — mapping each AI tool the firm deploys in audit against the three FRC risk categories and identifying gaps in current governance documentation. You would also assist with marking up AI vendor data processing agreements to ensure audit-specific liability and indemnity provisions are adequately addressed.
Interview prep
Soundbite
The FRC's AI audit framework turns professional liability from an abstract risk into a documented enforcement standard.
Question you might get
“How would you advise an audit firm negotiating a technology licence with an AI vendor if the vendor's tool produces a materially incorrect output that contributes to a deficient audit opinion — what contractual protections would you seek and why?”
Full answer
The FRC has published UK-first guidance on AI in audit, establishing three risk categories — wrong output, misinterpreted output, and output that falls below human auditor standard — just as EY goes live with an AI audit platform. This matters because the guidance is the benchmark the FRC will use in its Audit Quality Review inspections, meaning non-compliant AI deployment now carries direct regulatory exposure. For law firms, it creates advisory demand across technology licensing, professional indemnity, and regulatory compliance for audit firm clients, and forces AI tool vendors to negotiate liability clauses that directly address audit-specific risks. The structural implication is that agentic AI — AI that takes autonomous actions in an audit — requires a fundamentally different professional responsibility framework than AI as a research tool, and the FRC is the first regulator to attempt to codify that distinction.