AI Regulation Tracker / Guidance and observations
PCAOB Staff Spotlight on Auditors Using Generative AI: What It Actually Says
Originally published July 22, 2024, this is an evergreen PCAOB staff Spotlight, not a new rule, standard, or safe harbor. The PCAOB staff Spotlight titled "Staff Update on Outreach Activities Related to the Integration of Generative Artificial Intelligence in Audits and Financial Reporting" shares what staff heard when they asked large firms how they are using generative AI. It represents staff views. It is not a rule, a standard, or a change to any auditor duty. It remains the PCAOB's principal staff publication on the subject, which is why it still frames how US audit regulators are thinking about AI.
On July 22, 2024, PCAOB staff released a Spotlight summarizing outreach they conducted to understand how generative AI is showing up in audits and in financial reporting. The staff spoke with the US global network firms and several large non-affiliated firms that each audit more than 100 issuers, a group that together audits the majority of US market capitalization. The document is a staff publication. It represents the views of PCAOB staff, not the Board, and it carries no rulemaking force.
What the staff actually heard
The headline observation is modest. As the Spotlight puts it, "the current integration of GenAI in audits conducted by the firms that the PCAOB staff spoke to appears to be focused primarily on administrative and research activities." In plain terms, the tools were being used to speed up support tasks and background work, not to form audit conclusions or replace professional judgment.
Firms told staff they are still investing while staying clear-eyed about the limits. The Spotlight records that firms "continue investing in GenAI-enabled tools, while also acknowledging the limitations of GenAI, and the need for strong supervision of its use to guard against risks, such as data privacy and security." That last phrase is the one to hold onto. Supervision is not framed as optional polish. It is framed as the control that keeps the risk in check.
On the preparer side, the picture was similar. Some public companies were exploring generative AI in accounting and financial reporting, but that work looked secondary to bigger bets in operational and customer-facing parts of the business. Nobody described handing the financial statements to a model.
Staff were candid about why they did the work. The outreach was part of the PCAOB's "ongoing work to assess whether there is a need for guidance, changes to PCAOB standards, or other regulatory actions in light of the increased use of technology-based tools." So the Spotlight is a listening exercise that feeds a live question, not the answer to it.
What this is, and what it is not
I want to be precise, because a regulator's name on a document does a lot of work in people's heads.
This is a staff Spotlight. It represents the views of PCAOB staff. It is not an auditing standard, it is not a rule the Board adopted, and it is not an inspection finding leveled at any firm. It does not approve any particular use of AI, and it does not prohibit any. It grants no safe harbor. If you use generative AI in an audit, nothing in this document lowers the bar you have to clear.
What it does not do is just as important as what it does. It does not change your responsibilities under existing PCAOB standards. The supervision requirements in AS 1201 and the documentation requirements in AS 1215 apply to AI-assisted procedures the same way they apply to any other audit work. A tool that drafts a memo or summarizes a dataset does not shrink the auditor's duty to supervise the work, evaluate the evidence, and document what was done and why. The Spotlight is a weathervane for where the regulator is looking. It is not a wind you can point to as cover.
What this means for CPAs and auditors
The practical value here is threefold. First, it tells you the regulator is paying attention and has been for a while, which means AI use in audit files is a plausible inspection topic even without a dedicated standard. Second, it tells you what the regulator flagged: supervision, data privacy and security, and the reliability of the tools. Those are your risk headings. Third, it tells you the profession's own posture, which is cautious, human-led, and concentrated on low-judgment tasks, and that posture reads well against an inspection.
The through-line is documentation and supervision, because that is where AI use turns into either a defensible file or an inspection problem. If a generative tool touched a workpaper, the questions a reviewer or an inspector will ask are old ones with a new object: who supervised the use of the tool, how was the output checked, what evidence supports the conclusion, and can you show your work. None of that is new law. It is your current duty, applied to a new instrument. The auditors who get this wrong will not be the ones who used AI. They will be the ones who cannot show how they supervised and reviewed it.
For finance teams and preparers, treat the Spotlight as a preview of the questions your auditor will bring. If you used AI in the close or in drafting disclosures, expect to be asked about data provenance, human review, and controls. Have those answers written down before the audit, not during it.
What to do now
Read the Spotlight itself rather than a summary of a summary, because the exact framing matters and the document is short. Map where generative AI already touches your audit or reporting work, since the low-judgment, administrative, and research tasks are where the profession told the regulator it is concentrating. Keep a named person accountable for supervising and reviewing every AI-assisted step, and make that supervision visible in the file under AS 1201 and AS 1215. Write down your controls on data privacy, security, and output reliability, since those are the exact risks staff called out. And do not read the Spotlight as permission. It changes no duty. Any change to your methodology should rest on the standards and your firm's quality controls, not on a staff observation paper.
Questions professionals are asking
Did the PCAOB issue a rule about auditors using AI?
No. This is a staff Spotlight published July 22, 2024 that represents the views of PCAOB staff. It shares observations from outreach to firms and companies. It does not create, change, or remove any auditing standard, rule, or legal duty, and it is not an inspection finding against any firm.
What did the staff observe?
That current use of generative AI in audits is focused mainly on administrative and research activities, that firms keep investing while acknowledging the tools' limits, and that firms stress the need for strong supervision to guard against risks such as data privacy and security. The outreach was part of the PCAOB's work to assess whether guidance or changes to standards are needed.
Does this give auditors a safe harbor for using AI?
No. The Spotlight approves no specific use and grants no safe harbor. Your responsibilities under existing PCAOB standards, including supervision under AS 1201 and documentation under AS 1215, apply to AI-assisted work exactly as they do to any other audit procedure.
Is a July 2024 staff publication still relevant?
Yes. As of July 2026 it remains the PCAOB staff's principal published statement on auditor use of generative AI. No superseding AI-specific standard or Spotlight has replaced it, so it is still the clearest read on how the audit regulator is thinking about these tools.
Should we change our audit methodology because of this Spotlight?
Only on your own terms. The Spotlight can help you benchmark and can point you to the risks staff flagged, but any change to your methodology or controls should rest on the applicable PCAOB standards and your firm's quality control system, not on a staff observation paper.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal, accounting, or audit advice. Confirm how any standard or requirement applies to your situation with qualified professionals in the relevant jurisdiction.