The Financial Reporting Council has issued groundbreaking guidance on generative and agentic AI risks for UK audit firms. The rules address critical vulnerabilities in how auditors deploy AI systems while capturing efficiency benefits.
Agentic AI  Accountancy · Financial Services

The Financial Reporting Council's March 2026 guidance on generative and agentic AI represents the first regulatory framework globally to address the specific risks these technologies create in audit contexts. Unlike generic AI governance frameworks, the FRC's approach is calibrated to audit-specific risks: deficient AI outputs that undermine audit evidence quality, misinterpretation of AI-generated insights, and deviation from mandatory audit methodologies or regulatory obligations under ISA UK standards. The guidance directly targets system managers at audit firms—partners, directors and technology leaders responsible for deploying AI systems in client engagements—and establishes that firms cannot simply adopt off-the-shelf generative AI tools without substantial control modifications. This guidance follows the FRC's June 2025 publication on AI in Audit and signals that regulatory tolerance for uncontrolled AI adoption in audit has ended.

The substantive risks identified in the guidance reflect hard lessons from early AI adoption in audit. Generative AI systems can confidently produce plausible but inaccurate audit procedures, misinterpret accounting standards or regulatory requirements, and create audit evidence trails that appear robust but rest on deficient underlying analysis. The FRC's framing of 'agentic AI'—systems that autonomously select and execute audit procedures—introduces a new compliance layer that firms must now address through Trovix Watch monitoring of AI system outputs against ISA UK requirements. The guidance requires firms to establish substantive controls ensuring that AI-assisted audit procedures satisfy SYSC obligations under the PRA Rulebook and FCA COBS framework, with documented evidence that AI outputs have been validated by qualified auditors before being incorporated into audit files.

System managers must now implement controls addressing three specific vulnerability classes identified by the FRC. First, deficient AI outputs require firms to establish validation procedures ensuring that AI-generated audit documentation, sampling methodologies or analytical procedures meet ISA UK standards before client delivery. Second, misinterpretation risks necessitate controls ensuring that system managers and audit teams understand AI model limitations, training data biases, and the scope constraints of AI systems. Third, regulatory deviation requires firms to maintain documented controls confirming that AI system use does not violate methodology requirements under ISA UK, ICAEW professional standards, or FCA Conduct of Business rules. Trovix Brief automates the initial documentation review processes that enable auditors to validate AI outputs against these control standards, reducing the manual validation burden while maintaining audit quality assurance.

The FRC guidance fundamentally reshapes the competitive landscape for audit technology vendors and audit firms themselves. Firms that implement rigorous AI governance frameworks aligned with the FRC's recommendations will gain efficiency benefits—the expected 140 hours per auditor per year highlighted in recent research—while maintaining superior audit quality. However, firms that adopt AI systems without establishing the FRC-specified mitigations face regulatory enforcement risk through the FRC's audit quality monitoring programme. Audit partners deploying AI to meet client cost pressures must now balance efficiency expectations against the governance rigour that the FRC explicitly demands. The guidance effectively creates a new compliance obligation under Trovix Watch, requiring ongoing monitoring of audit methodology updates and FRC interpretations as this rapidly evolving regulatory framework matures.

Source: ICAEW Insights

Related Trovix product:

Book a demo →