
Something remarkable happened in the compliance technology and audit world last month. A well-funded, well-regarded AI startup — Y Combinator-backed, valued in the hundreds of millions — found itself accused of generating nearly 500 audit reports that were, allegedly, 99.8% identical. Same paragraphs. Same grammar mistakes. Different logos. All signed off by the same auditing firm.
If the allegations hold up, this wasn’t a software glitch. It was a business model.
This is not evidence that modern software and technology have no place in audit. It’s evidence of something much older and much simpler: that when you build a company on the promise of shortcuts, eventually you will be found out.
Audit has a history worth respecting. The profession didn’t emerge from a desire to generate paperwork — it emerged from a fundamental problem: how does anyone know whether an organisation is telling the truth about itself? The answer, developed over more than a century of financial and regulatory practice, was the independent auditor. Someone with no skin in the game. No commercial interest in a favourable outcome. Someone whose entire value to the market rests on the credibility of their scepticism. Professional scepticism — the auditor’s trained instinct to question, probe, and verify rather than accept — is not a personality quirk.
It is a professional and legal obligation, baked into every major auditing standard around the world. The auditor is supposed to be the person in the room who doesn’t take anything at face value. Who asks why, checks the evidence, and is prepared to say uncomfortable things. That independence — from management, from vendors, from commercial pressure — is precisely what makes the audit opinion worth something.
The moment an “audit platform” positions itself as a shortcut around that process, it hasn’t disrupted the profession. It has simply misunderstood what the profession is actually for.
An auditor who simply validates what management tells them isn’t an auditor at all; they’re a very expensive rubber stamp.
Compliance Theatre Has Always Existed
Let’s be clear about something. Fake compliance didn’t arrive with AI. Checkbox-ticking, sample-gaming, control-washing — these have been features of the audit and GRC world for decades. The difference now is that technology makes it possible to industrialise the deception.
That’s the actual danger here. Not the technology. The intent behind it.
The auditors we speak to — and I’ve spent an enormous amount of time in conversation with IT audit and GRC practitioners across financial services, healthcare, manufacturing — are deeply aware of this risk. They’ve watched vendors promise “automated compliance” and wondered, quietly, what exactly was being automated. The evidence review? The judgement? The professional liability?
Disrupting Compliance
There’s a word that gets thrown around a lot in this space: disruption. And it’s worth being clear — compliance is not supposed to be disrupted. It exists for a reason. When a company earns a SOC 2 certification or achieves ISO 27001 accreditation, they’re making a serious promise to their customers, their partners, and their regulators: we are good stewards of your data. We take cybersecurity seriously. You can trust us. That promise underpins every vendor relationship, every enterprise contract, every insurance policy that touches sensitive information. Automating the paperwork that supports compliance is entirely legitimate. Automating the trust itself — replacing genuine evidence and professional judgement with pre-filled templates and identical boilerplate — isn’t disruption. It’s a confidence trick.
The Line That Actually Matters
Automating the repetitive parts of audit is not the same as automating the audit itself.
The repetitive parts — ingesting policy documents, mapping evidence to control frameworks, cross-referencing last year’s findings, formatting reports — these consume a staggering proportion of an auditor’s week. We’ve seen practitioners spending 40-60% of their engagement time on tasks that require no professional judgement whatsoever.
But the moment you start auto-generating conclusions — pre-filling evidence fields, issuing near-identical findings before anyone has looked at the system in question — you haven’t automated audit. You’ve abolished it.
The frameworks that govern this space — SOC 2, ISO 27001 — are not paperwork exercises. They are structured methodologies for verifying that controls are actually operating. A template cannot do that. An LLM generating boilerplate cannot do that. A qualified auditor, using good tools, can.
What We’re Building at Run Audit
We built Run Audit because IT audit practitioners deserve better tools. Not tools designed to replace them — tools designed to take the grind off their plate so they can focus on the work that actually requires their expertise.
Here’s what that looks like in practice: a practitioner uploads the organisation’s policy documents, system architecture diagrams, and prior audit reports. Run Audit maps the real evidence to the relevant controls across multiple frameworks — automatically, accurately, and with full traceability. The auditor then does what only a qualified auditor can do: review, interpret, challenge, and conclude.
The output is faster. The margins are better. The professional judgement is entirely intact.
A Word to the Practitioner Community
If you’re an IT auditor or GRC professional reading this, I suspect you’re not surprised by what happened. Your instincts were right.
The tools that will genuinely serve this profession are the ones built with your judgement at the centre — not designed to route around it.
Run Audit is an AI-native cybersecurity audit platform built for IT Auditors. Backed by Enterprise Ireland. runaudit.ai
