AI Advantage Spotlight
Accounting · AuditInterview · Case No. 066

Full-Population Testing Is Changing What a Mid-Market Audit Can See

Assurance Partner Grace Fennbrook on moving from sampling to examining every transaction, why anomaly detection raises the bar for auditor judgment, and where human accountability stays fixed.

Interview with Grace Fennbrook, Assurance Partner

For decades the financial-statement audit has rested on a compromise: no team could examine every transaction, so auditors tested a sample and inferred the rest. That compromise is under strain. Ledgers have grown, fee pressure is real, and the profession faces a persistent shortage of experienced staff even as regulators press for higher quality. Analytics that read the entire population have moved from aspiration to routine. Grace Fennbrook, Assurance Partner at Fennbrook Audit Group, a mid-market assurance practice serving closely held companies, describes how her teams now test full transaction populations, and why the auditor's judgment matters more, not less.

Start with the problem sampling was meant to solve. Why change an approach that has worked for decades?

Sampling was never a claim that the unexamined transactions were correct. It was a concession to time and cost. If a ledger holds two hundred thousand entries, a team could responsibly test a few dozen, extrapolate, and document the basis. That works well for errors that are common and evenly spread. It works poorly for the risks that actually cause failures: a single fraudulent entry, a management override booked once at quarter-end, a rare account pairing that no sample would ever land on.

The commercial problem follows from that. When something material is missed, the cost is not marginal. It is a restatement, a regulatory inquiry, a lost client, sometimes a claim against the firm. Add fee pressure and a staff shortage, and juniors do slow manual work while the highest-risk items may never surface. Testing the full population changes the question we can answer. Instead of asking whether a sample is consistent with the whole, we ask where in the whole something looks wrong.

100%
Population tested, not just samples
Anomalies
Surfaced automatically
Shorter
Fieldwork on site

Why is this viable now, when it was not five years ago?

Several things had to line up, and only recently did they. First, the data became accessible. Most clients now run accounting systems that export a complete, structured general ledger, so we can ingest a full year of entries in a usable form rather than rekeying paper or wrestling with bespoke formats. Second, the methods matured. Unsupervised anomaly detection, which learns a dataset's normal patterns without needing pre-labelled examples of fraud, became reliable enough to trust as a first filter, and combining several techniques rather than one reduced the blind spots any single algorithm has. Third, the economics changed: scoring hundreds of thousands of transactions is now a routine overnight job.

Equally important, the tools were built for auditors. The better platforms express their tests as control points that map to audit concepts: unusual timing, round-dollar amounts, rare user or account combinations, entries just under an approval threshold. That framing matters, because a generic outlier score is hard to defend and an audit-relevant one is not.

Walk through how the system actually works on an engagement.

The first step is unglamorous and essential: we obtain the full general ledger and reconcile it to the trial balance and the financial statements, so we know the population is complete before we analyze it. Completeness is a control in itself. An analysis of the wrong data is worse than no analysis.

Then the platform scores every transaction. It applies a suite of tests, some statistical, some machine-learned, some simple rules, and combines them into a risk score for each entry. An entry booked at two in the morning by an unusual user, to a rarely paired set of accounts, for a round amount just below a sign-off limit, will score high across several tests at once. That convergence is what makes it worth an auditor's attention.

From there it is human work. A senior reviews the ranked exceptions, opens the ones that warrant it, traces each back to source documents and explanations, and decides what it means. The tool proposes; the auditor disposes. Nothing becomes an audit conclusion because a model flagged it.

You are handling a client's complete financial records. How do you govern that data?

We are handling among the most sensitive data a company holds, so governance is not an afterthought. A few principles are firm. Client data is segregated by engagement, and access is limited to the team on that job. We confirm with the vendor where data is hosted, how it is encrypted, and that our clients' figures are not used to train models other clients could benefit from.

We also treat the platform as we would any service that touches client records. It goes through the same due diligence, contractual confidentiality, and retention rules as the rest of our environment. Workpapers, including the analytics output and our review notes, are retained under the same records requirements as any other audit evidence. None of this is unique to AI. It is the standard duty of confidentiality the profession has always carried, applied to a new tool. The obligation does not change because the software is cleverer.

What do the auditing standards require, and where do the regulators stand?

The standards did not relax because the method improved. Auditing standards already require us to address the risk of management override of controls, and journal-entry testing is a core procedure for that. Full-population analysis is a stronger way to meet an existing obligation, not a new obligation of its own.

Two constraints shape how we use it. First, audit evidence must be relevant and reliable, and we must be able to explain how a conclusion connects back to source evidence. An unexplainable score is not evidence; the explanation and the underlying documents are. Second, standard-setters are still catching up. There is not yet a detailed rulebook from the regulators on what qualifies as acceptable AI-assisted evidence, so we lean on the profession's responsible-use guidance: govern the tool, understand its logic, document what it did and what we did with the output. Professional skepticism runs through all of it. If anything, we apply more skepticism to a clean result, because a tidy answer can be the most dangerous one. The opinion is still ours to sign and to defend.

How do you validate accuracy, and who is accountable for what the tool surfaces?

Accuracy has two sides, and false negatives worry me more than false positives. We validate the approach before relying on it. We run it against engagements and situations where we already know the answer, including matters with issues we previously caught by other means, to confirm the high-risk items score high. If a known problem does not surface, that tells us something about the configuration.

False positives are the cost of full coverage. A model that flags nothing is useless; one that surfaces genuine oddities alongside some benign ones is doing its job. The discipline is in the review. A senior examines every flag we choose to act on, and the engagement partner remains accountable for the opinion. No algorithm signs an audit.

The real risk is automation bias, the temptation to accept a machine's output because it is convenient. The tool narrows where we look; it does not decide what is true. The judgment, and the responsibility, stay with named people.

How did the team adapt? What went wrong first?

The first attempts were humbling. Early on the analysis surfaced far too many flags, and the reaction was reasonable fatigue: if everything is high risk, nothing is. Some of that was configuration, and some was our own data. Poor extracts, mismatched periods, and mapping errors produced noise that looked like risk. We learned to spend real effort getting the population clean before drawing any conclusions.

Staff skepticism was healthy, and I did not want to talk anyone out of it. What helped was framing it candidly: the software does not replace your judgment, it points you at the transactions most worth your judgment. We trained people on what the scores mean and, just as important, what they do not mean.

The workflow changed as well. Instead of juniors keying through binders to pull a sample, they review a ranked set of exceptions and investigate the substance. That is better development for them and a better use of the hours the client pays for. The technology was the easy part; the habits took longer.

What has actually changed in measurable terms, and how should a reader weigh those numbers?

I am careful with numbers; audit is not a setting for marketing claims. The clearest change is coverage. On engagements where we deploy it, we test the full transaction population rather than a sample, so our journal-entry procedures consider every entry rather than a few dozen. Anomalies that would once have depended on luck to appear are surfaced for us to examine.

The second change is where the time goes. Fieldwork on site tends to be shorter, because the exception review is largely done before we arrive and our on-site hours focus on the items that need conversation with management.

I would frame all of this with caveats. Full-population testing does not mean we caught everything; it means we looked at everything and directed attention well. The benefit depends heavily on the quality of the client's data. And it does not reduce total effort so much as move it from mechanical extraction toward investigation and judgment, which is where it belongs.

What would you say to a skeptical peer, and to a nervous audit committee?

To a skeptical peer, I would say this is a tool for gathering and prioritizing evidence, not a substitute for the auditor. It does not form conclusions, it does not exercise skepticism, and it is only as good as the ledger it reads and the person reading its output. It will not catch a scheme that leaves no unusual footprint in the data, and it can lull an inattentive team into false comfort. Those are real limits.

To a nervous audit committee, I make a simpler point. Under the old approach, most of your transactions were never individually examined. Under this one, all of them are considered, and the highest-risk items receive experienced human attention. That is a more thorough audit, not a more automated one. No one on the engagement has been replaced by software. The partner who signs the opinion is the same partner, held to the same standard, now able to see more of your business than a sample ever allowed. Used honestly, it raises quality.

Give me a concrete moment where this mattered.

An illustrative case, and I will keep it representative rather than tied to a specific client: on one engagement the analysis clustered a set of entries that individually looked ordinary. Each was a manual posting, each fell just under the amount that would have required a second approval, and several were booked by the same person in the final days of the period to the same revenue account.

No single entry would have been selected in a conventional sample, and none was large enough to draw the eye. Together they formed a pattern, and the pattern was the point. It turned out to be an aggressive cut-off: revenue pulled into the period that belonged in the next one. Not fraud, but a real misstatement that mattered to the results.

The tool did not conclude anything. It grouped and ranked. A senior noticed the shape of it, asked management the right questions, and traced the entries to the contracts. That is the model working as intended: the software finds the thread, and the auditor decides what it means.

What does this mean for the profession over the next few years?

The profession is moving from testing a fraction and inferring, to examining the whole and judging. That shifts what an auditor is for. Less time is spent proving you looked at a representative slice, and more on interpreting what the full picture shows, which is closer to what clients actually value. It also changes who we hire and how we train them, toward people comfortable with data and sharp questions of it.

I expect the standards and the regulators to catch up, and I would welcome that. Clearer expectations on validating and documenting these tools will raise the floor for everyone and reduce the risk of the technology being used carelessly.

What will not change is the point of the exercise. An audit is an independent, skeptical opinion that a third party can rely on. The tools make us more thorough and, used well, more useful to the businesses we serve. They do not make us less accountable. Seeing more of a company's transactions raises the standard we hold ourselves to, and that is the right direction.

That is a more thorough audit, not a more automated one. The partner who signs the opinion is the same partner, held to the same standard.

Grace Fennbrook, Assurance Partner, Fennbrook Audit Group

Results in context

Fennbrook Audit Group frames these outcomes as directional and dependent on the quality of the client's data, not as guarantees. The points below reflect the firm's own engagements.

  • Full transaction populations tested on deployed engagements, so journal-entry procedures consider every entry rather than a sampled subset.
  • Anomalies surfaced automatically through combined statistical, machine-learned, and rule-based scoring, then reviewed by a senior before any conclusion is drawn.
  • Shorter on-site fieldwork, because exception review is largely completed in advance and time on site focuses on discussions that require management's input.

About Fennbrook Audit Group

Fennbrook Audit Group provides assurance and audit services to mid-market and closely held companies.

Assurance & audit · Mid-market

Want an AI workflow like this in your firm?

Layer3Labs designs and ships practical AI for professional firms in weeks.

Book a consultation