fairlane.systems


AI in Statutory Audit: What Is Permissible, What Compromises Independence & Audit Quality

Where AI is admissible as a tool in limited and ordinary audits in Switzerland, and where judgment and responsibility must remain with the auditor.

As of: 2026-06

What this is about

Swiss audit law distinguishes between the ordinary audit and the limited audit. Art. 727 para. 1 CO names three categories of companies that are subject to the ordinary audit: (1) public-interest companies (companies with listed equity securities, outstanding bonds, or a share of at least 20 per cent of the assets or turnover of a company required to prepare consolidated accounts); (2) companies that exceed two of three thresholds in two consecutive financial years – a balance sheet total of CHF 20 million, sales revenue of CHF 40 million, and an annual average of 250 full-time positions; and (3) companies that are required to prepare consolidated accounts. Companies below these thresholds are generally subject to the limited audit under Art. 727a CO; very small companies may waive the audit under Art. 727a para. 2 CO (opting-out) if they have no more than ten full-time positions on annual average and all members or shareholders consent.

In this context, artificial intelligence is increasingly used as a tool – for data analysis, for flagging anomalies in journal entries, or to support sample selection. The key legal and professional question is where AI remains an admissible aid and where it would touch upon the auditor's independence or their own responsible formation of judgment.

This article is not legal advice. It frames the current rules; in any specific case, the assessment by the responsible audit firm and, where applicable, the supervisory authority is decisive.

Why it matters

The statutory audit is a legally regulated trust service. The audit firm's statement in the audit report rests on the audit judgments that the auditor forms under their own responsibility. If AI is deployed in a way that does not preserve that responsibility, audit quality can suffer and the audit opinion can become contestable.

The Federal Audit Oversight Authority (RAB/FAOA) licenses auditors, audit experts, and state-supervised audit firms, and supervises the audit firms of public-interest entities. It checks compliance with statutory and professional requirements, including independence and the applied auditing standards. Deficiencies can lead to reprimands, conditions, a prohibition of specific activities, or withdrawal of the licence; in serious cases the RAB may refer the matter to the criminal authorities (Art. 28 ff. of the Federal Act on the Licensing and Oversight of Auditors, RAG).

For fiduciary and audit firms wishing to integrate AI into their workflows, it is therefore essential that tools support the audit without undermining the legally required independence, confidentiality, and self-responsible formation of judgment.

Where AI is a tool – and where responsibility stays

As an admissible tool, AI can operate where it prepares data without replacing the audit judgment. Typical applications are analysing complete data sets rather than mere samples, detecting anomalies and patterns in journal entries, supporting sample selection, plausibility checks, and structuring large volumes of supporting documents. In all of these, the tool provides indications; the appraisal, weighting, and conclusion remain with the auditor.

What cannot be delegated is the self-responsible formation of judgment. The assessment of material matters, the determination of materiality, the evaluation of risks, the conclusions on estimates and valuations, and the audit opinion and audit report remain the task of the licensed person. An AI system may prepare these steps but cannot itself bear responsibility for them. The audit firm must be able to trace how an indication arose and critically question the result (professional scepticism).

Independence and confidentiality are additional requirements. The audit firm must be independent in fact and in appearance – under Art. 728 CO for the ordinary audit and under Art. 729 CO for the limited audit. State-supervised audit firms that audit public-interest entities are additionally subject to the specific independence obligations of Art. 11 RAG. Where an AI tool is operated by third parties, the data flow, the confidentiality of engagement data, and the location of data processing must be clarified so that neither confidentiality obligations nor the appearance of independence are compromised by a perceived dependence.

Introducing AI in the audit responsibly

  1. Determine the audit type: ordinary audit (Art. 727 CO: two of three thresholds in two consecutive financial years – balance sheet total 20m, turnover 40m, 250 full-time positions; plus public-interest companies and companies required to prepare consolidated accounts) or limited audit (Art. 727a CO).
  2. Delimit use cases: provide for AI only in data preparation, anomaly detection, and sample support – not for the audit opinion.
  3. Check independence: identify self-review risks (Art. 728/729 CO; for state-supervised audit firms additionally Art. 11 RAG) and rule them out via organisational and personnel measures.
  4. Clarify confidentiality and data location: secure the data flow, processing location, and confidentiality of engagement data contractually and technically.
  5. Ensure traceability: document the origin of AI indications, appraise them critically (professional scepticism), and record them in the working papers.
  6. Anchor responsibility: judgment, materiality, and the audit report remain with the licensed person; when in doubt, consult the oversight authority or a technical body.

When AI makes sense in the audit

AI makes sense where it accelerates repetitive, data-intensive analytical steps and frees the auditor's time for the judgment-based audit procedures. This includes full analysis of journal data, detecting duplicate payments or unusual entries, reconciling large volumes of documents and contracts, and pre-structuring data for risk assessment.

The precondition is that the use is documented, traceable, and verifiable, and that responsibility remains with the licensed auditor. A vendor-independent solution with its own controllable data basis and data processing in Switzerland makes it easier to comply with confidentiality and independence requirements than tools whose data processing is opaque or tied to third-party interests.

When AI must not replace the audit

AI must not replace the audit opinion. Where the assessment of materiality, the evaluation of estimates, provisions and valuations, the final risk assessment, or the wording of the audit report are concerned, the auditor must decide and take responsibility themselves. An automatically generated opinion without critical appraisal breaches professional due care.

AI is also problematic where its use endangers independence. In a limited audit, participation in accounting and the provision of other services are permitted subject to safeguards; however, where there is a risk of reviewing one's own work, organisational and personnel measures are required. If an audit firm uses the same AI tool both for bookkeeping and for auditing that bookkeeping, a self-review risk can arise that must be assessed separately.

Finally, the uncontrolled outflow of confidential engagement data to external AI services is not acceptable. Without a clarified data location, without a confidentiality guarantee, and without traceability of processing, such use is incompatible with confidentiality obligations and with independence requirements.

FAQ

May an audit firm use AI at all?

Yes, as a tool. AI can analyse data and surface anomalies. The audit procedures, the formation of judgment, and the audit report, however, remain the responsibility of the licensed person. The use must be documented, traceable, and compatible with independence and confidentiality.

Does using AI compromise the audit firm's independence?

Not per se. General independence under Art. 728 CO (ordinary audit) or Art. 729 CO (limited audit) must be preserved in fact and in appearance; for state-supervised audit firms, Art. 11 RAG applies in addition. It becomes risky if the same tool both produces and audits work (self-review) or if an external service processes engagement data in an uncontrolled manner.

What does AI use mean for the ordinary versus the limited audit?

The principles are the same in both cases: AI is a tool, the judgment stays with the auditor. The ordinary audit carries higher requirements for professional competence and independence. In the limited audit, certain additional services are permitted, provided self-review risks are ruled out by safeguards.

Where should the data processing take place?

Engagement data is confidential. A clearly defined data location – ideally in Switzerland – together with traceable, controllable processing, makes it easier to comply with confidentiality and independence obligations than opaque third-party services.


Sources

  1. Art. 727 CO – Duty to undergo an ordinary audit (Fedlex)
  2. Art. 727a CO – Limited audit and opting-out (Fedlex)
  3. Federal Audit Oversight Authority (RAB)
  4. Federal Act on the Licensing and Oversight of Auditors (RAG, SR 221.302) (Fedlex)
  5. EXPERTsuisse – professional association of auditors (Swiss Auditing Standards SA-CH)
