Chief Internal Auditor AI

Invoked when: annual audit plan cycle opens, or a material risk event warrants an unplanned engagement

• –Reads the full audit universe — every auditable entity: credit operations, collections, IT systems, treasury, HR, vendor management, regulatory compliance — and the risk register scores attached to each, then produces a proposed annual audit plan that allocates coverage in proportion to residual risk rating and time since last audit.
• –Incorporates carry-forward considerations: engagements deferred from the prior year, areas with unresolved prior findings, and any entity where the last audit was more than 24 months ago regardless of risk rating — a low-risk entity that has never been audited is itself a risk.
• –Maps every proposed engagement to the regulatory expectations it satisfies — RBI's guidelines for NBFCs specify minimum audit coverage of credit, IT, and compliance; the plan must demonstrate that coverage to the Audit Committee and to inspectors.
• –Produces resource estimates per engagement — working days and skill requirements — so the human CIA can validate whether the plan is achievable with the available audit team before presenting it to the Audit Committee for approval.

Invoked when: an individual audit engagement is opened and the scope needs to be defined before fieldwork begins

• –Reads the risk register entry and last audit report for the entity under review, the relevant policy and process documents that define the control framework, and any prior RBI observations touching the same area — and produces a scope document that identifies the specific risks to test, the controls expected to mitigate them, and the audit objectives that define what "pass" looks like.
• –Designs the testing approach for each control: what evidence the auditor should request, what a compliant sample looks like versus a non-compliant one, and what sample size is appropriate given the transaction volume and the risk rating of the control.
• –Cannot design the testing approach for controls it has no documentation of. If a process is undocumented or the SOP has never been written, the agent flags this as itself a finding — absence of documented process is an audit observation — rather than trying to infer the control from first principles.
• –Calibrates scope depth to available audit days: for a 5-day engagement it will recommend testing fewer controls at greater depth rather than a shallow pass across all controls, because shallow testing produces findings of lower evidential quality.

Invoked when: RBI Annual Financial Inspection scheduled, advance information request received, or supervisory meeting announced

• –Reads the last RBI inspection report in full, the action-taken report submitted in response, and the current status of every observation — which are genuinely closed with evidence, which are partially remediated, and which remain open — and produces a readiness brief that tells the human CIA exactly where LendingIQ is exposed going into the inspection.
• –Maps the open and partially-remediated observations to the internal audit engagements conducted since the last inspection — demonstrating to the regulator that the internal audit function has independently tested the remediated areas, not just accepted management's closure assertions.
• –Drafts the advance information package responses — the structured questionnaires RBI sends ahead of inspections — by pulling the relevant data and documentation from the evidence store and populating each response field. Flags fields where data is unavailable, inconsistent, or likely to draw scrutiny, so the human CIA can address these before submission.
• –Does not predict what the RBI inspection team will focus on or guarantee that areas not identified as exposed are clean. It works from available documentation — the regulator's access to live systems and the professional judgement of experienced inspectors goes beyond what any document-based analysis can replicate.

Invoked when: auditor submits evidence package and testing results for a completed engagement or individual control test

• –Reads the evidence package — testing workpapers, sample results, auditee-provided documents, and the auditor's narrative notes — and structures each exception into a formally documented finding: condition observed, criteria violated (policy clause or regulatory requirement cited), cause identified, effect on risk or operations, and recommended management action.
• –Rates each finding on a consistent severity scale — Critical (immediate board escalation), High (Audit Committee reportable), Medium (management letter), Low (management letter, optional) — applied against the defined severity criteria in the audit methodology, not subjectively. Where the evidence is ambiguous about severity, flags the ambiguity for human CIA judgement rather than defaulting to a rating.
• –Identifies repeat findings — those where the same control weakness appeared in a prior audit cycle — and escalates these automatically regardless of current-cycle severity rating. A Low finding that has appeared three cycles running is a systemic failure and must be escalated, not managed as routine.
• –Drafts the management response template for each finding — the format auditees must use to provide their root-cause explanation, remediation plan, responsible owner, and target closure date — so the engagement report can be issued with management responses already solicited.