The audit trail is one of the oldest concepts in accounting. Every entry must be traceable to its source. Every change must be recorded. Every number must be verifiable. When AI enters the accounting process, the audit trail does not become less important. It becomes fundamentally more complex.
The Traditional Audit Trail
Traditional accounting audit trails are straightforward. A journal entry is created by a specific person at a specific time. If someone modifies the entry, the system records who made the change, when, and what the previous value was. An auditor can follow this trail from financial statement to journal entry to source document, verifying each step.
This trail answers simple questions: Who recorded this transaction? When was it recorded? Was it modified after initial entry? Can I see the original document that supports it?
Software like Sage, QuickBooks, and Xero have implemented these trails for decades. They are well understood by auditors, accepted by regulators, and form part of the professional standards governing accounting practice.
What Changes When AI Is Involved
When an AI system reads an invoice and creates an accounting entry, the trail becomes multi-dimensional. The relevant questions expand dramatically:
- What document did the AI process?
- What data did the AI extract from that document?
- How confident was the AI in each extracted field?
- What model version performed the extraction?
- What classification did the AI assign, and what alternatives did it consider?
- What rules were applied to determine the accounting treatment?
- Did a human review the AI's output? If so, who, and what did they change?
- If the AI made an error, when was it discovered and how was it corrected?
A traditional audit trail records a linear chain of events. An AI audit trail records a decision tree with probabilities, rules, and review points at every node.
The Black Box Problem
Many machine learning systems are effectively black boxes. A deep neural network with millions of parameters produces an output, but explaining why it produced that specific output is technically challenging. The model does not apply rules that can be read and understood. It has learned statistical patterns across millions of training examples, and its "reasoning" exists as numerical weights distributed across layers of neurons.
This is a genuine problem for accounting. When an auditor asks "why was this transaction classified as office supplies?", the answer cannot be "because the weights in layers 47 through 52 of the neural network produced an activation pattern that most closely corresponded to the office supplies class." That answer, while technically accurate, is meaningless for audit purposes.
The field of Explainable AI (XAI) addresses this challenge. Techniques like LIME (Local Interpretable Model-agnostic Explanations) and SHAP (SHapley Additive exPlanations) provide post-hoc explanations of model predictions. For a transaction classification, SHAP might reveal: "This transaction was classified as office supplies primarily because the merchant name contains 'Office', the amount (EUR 47.50) falls within the typical range for office supply purchases, and this merchant has been previously classified as an office supply vendor."
That explanation is auditable. An auditor can assess whether the reasoning is sound and whether the classification is correct.
GDPR and the Right to Explanation
GDPR's Article 22, combined with Recitals 71 and 72, establishes the right not to be subject to automated decision-making that significantly affects individuals, and the right to obtain meaningful information about the logic involved.
For financial AI systems, this has practical implications. If an AI system flags a transaction as potentially fraudulent and that flag triggers an investigation of an individual, the individual has the right to understand how the AI reached that conclusion. If an AI system determines that a contractor should be classified as an employee for tax purposes, the affected person can demand an explanation.
The EU AI Act, which entered into force in August 2024 with a phased implementation through 2027, adds further requirements. AI systems used in contexts that affect people's access to financial services or tax obligations may be classified as high-risk, triggering obligations around transparency, documentation, and human oversight.
Financial AI providers must design their systems with these regulatory requirements in mind from the outset. Retrofitting explainability into a black box system is significantly harder than building it in from the beginning.
What Auditors Look For
The accounting profession is actively developing guidance on auditing AI-involved processes. The International Auditing and Assurance Standards Board (IAASB) released a paper on the audit implications of AI, and the major professional bodies (ACCA, ICAEW, AICPA) have all published guidance on how auditors should approach AI in the accounting process.
Key areas of auditor focus include:
Input validation. Can the auditor verify that the AI received the correct source documents? Is there a clear link between the original document (the receipt, the invoice, the bank statement) and the AI's input?
Processing transparency. Can the auditor understand, at a reasonable level of abstraction, what the AI did with the input? This does not require understanding every neural network weight, but it does require understanding the process: document was received, OCR extracted text, NLP identified fields, classification model assigned category, rules engine determined tax treatment, human reviewed and approved.
Output verification. Can the auditor independently verify that the AI's output is correct? This means being able to trace from the financial statement back through the AI's processing to the original source document, with each step documented.
Error handling. How are AI errors identified, corrected, and prevented from recurring? An auditor wants to see that the system tracks its own accuracy, that corrections are logged, and that systematic errors trigger model retraining or rule updates.
Model governance. How is the AI model managed? When was it last updated? What testing was performed before deployment? Who approved the model for use in production? These questions parallel the IT general controls that auditors already evaluate for traditional accounting systems.
Building Trust Through Transparency
Trust in AI-driven accounting is not built through marketing claims. It is built through demonstrated transparency. A system that can show exactly how it arrived at every number, at every step, with every confidence level and decision point documented, earns the trust of auditors, regulators, and the businesses that use it.
This transparency has practical requirements:
Immutable logging. Every AI decision must be logged in a tamper-proof record. Cloud providers offer append-only storage (like AWS QLDB or Azure Immutable Blob Storage) that ensures logs cannot be altered after the fact.
Version tracking. When the AI model is updated, the system must record which model version processed each document. If a model update introduces a systematic error, it must be possible to identify exactly which transactions were affected.
Confidence visibility. Users and auditors should be able to see, for any transaction, what the AI's confidence was in its extraction and classification. A transaction classified with 99% confidence tells a different story than one classified with 82% confidence that happened not to be flagged for review.
Decision documentation. For each transaction, the system should record not just the final classification but the alternatives considered and why they were rejected. "Classified as office supplies (95% confidence) rather than client entertainment (3%) or marketing (2%)" provides context that a simple classification label does not.
The Difference That Matters
There is a meaningful difference between "the AI did it" and "here is exactly how the AI arrived at this number." The first is a delegation of responsibility to an opaque system. The second is a documented process that happens to use AI as one of its components.
The distinction matters because accountability in accounting has not changed. The business owner remains responsible for the accuracy of their tax returns. The auditor remains responsible for their audit opinion. The accountant remains responsible for the advice they give. AI changes the tools, not the accountability.
A well-implemented AI audit trail actually strengthens accountability compared to traditional processes. When a human bookkeeper enters a transaction, the audit trail shows who entered it and when. When an AI system processes the same transaction, the audit trail shows the source document, every extracted field with confidence scores, the classification rationale, the rules applied, and any human review. The AI-augmented trail contains more information, more context, and more verifiability than the traditional one.
The firms and systems that embrace this transparency will earn the confidence of regulators, auditors, and clients. Those that treat AI as a black box that magically produces correct answers will eventually face uncomfortable questions when the answers turn out to be wrong.
Michael Cutajar, CPA — Founder of Accora.