Next Article in Journal
Financial Wellbeing and Financial Resilience: Insights from Personal Experiences and Gender Differences
Next Article in Special Issue
From Predictive Accuracy to Algorithmic Justice: Mapping the Multidimensional Impact of AI in Tax Auditing
Previous Article in Journal
Shrimp Market Under Innovation Schemes: Hidden Markov Modeling
Previous Article in Special Issue
From Adoption to Audit Quality: Mapping the Intellectual Structure of Artificial Intelligence-Enabled Auditing
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
JRFM
Volume 19
Issue 3
10.3390/jrfm19030216
jrfm-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Systematic Review

The Future of External Audit: A Systematic Literature Review of Emerging Technologies and Their Impact on External Audit Practices

by
Ahmad Salim Moh’d Abderrahman
* and
Naser Makarem
Business School, University of Aberdeen, Aberdeen AB24 3FX, UK
*
Author to whom correspondence should be addressed.
J. Risk Financial Manag. 2026, 19(3), 216; https://doi.org/10.3390/jrfm19030216
Submission received: 22 January 2026 / Revised: 9 March 2026 / Accepted: 10 March 2026 / Published: 12 March 2026
(This article belongs to the Special Issue Accounting and Auditing in the Age of Sustainability and AI)
Versions Notes

Abstract

Purpose: This study systematically reviews research on six emerging technologies in external auditing, Big Data, Blockchain, Machine Learning, Deep Learning, Artificial Intelligence (AI), and Robotic Process Automation (RPA), to clarify what is currently known and to identify where the main gaps remain. Rather than treating each technology in isolation, this study brings them together under a single integrative review to provide a consolidated reference point for scholars assessing their impact on external audit practices. Design/Methodology/Approach: Following a structured systematic review protocol, searches were conducted in Scopus, ScienceDirect and SpringerLink (2000–2024) using technology-related keywords combined with “audit”, “auditor” and “auditing”. After applying explicit inclusion and exclusion criteria, 471 records were reduced to 32 ABS-listed journal articles, which were analysed thematically. Findings: The review shows that research on emerging technologies in external auditing is still fragmented, with substantial variation in the depth and maturity of evidence across the six technologies. The strongest empirical base is concentrated in Big Data analytics and ML-based predictive models (including more advanced Deep Learning variants), whereas Blockchain and RPA work remains predominantly conceptual or confined to small-scale design-science implementations. Across technologies, most studies are single-country and either rely on auditors’ self-reported perceptions of adoption and impact or evaluate model performance without tracing effects on audit strategies and engagement outcomes, which limits external validity and construct measurement. Very few articles explicitly integrate the Audit Risk Model or other formal theories, and almost no work examines multi-technology “audit stacks” or generative AI, leaving substantial gaps in understanding how these tools jointly reshape inherent, control and detection risk across the audit cycle. Originality/Value: By integrating six technologies within a single external audit framework, the review offers a technology-specific evidence map and a targeted future research agenda that can guide scholars, audit firms and regulators in designing studies and policies aligned with actual gaps in the current literature.

1. Introduction

In the era of evolution we are witnessing today, the current technological landscape, also sometimes referred to as the Fourth Industrial Revolution, has transformed economic models and business as a result of the extensive application of advanced technologies in various industries.
Characterised by a range of new technologies that are fusing the physical, digital and biological worlds, the Fourth Industrial Revolution is impacting all disciplines, economies and industries (Xu et al., 2018).
Technological tools play a crucial role in driving this transformation. For instance, Machine Learning (ML), an AI subset, develops algorithms that learn from data to anticipate outcomes or make decisions without explicit programming, while AI as a whole replicates human intelligence through technologies like NLP and robotics (Boppana, 2022).
Blockchain technology offers secure, decentralised records that improve data integrity, transparency, and efficiency. It can reduce costs and enable faster, real-time records of ownership and transactions, making it suitable for various industries (Yermack, 2017). RPA automates routine tasks, which allows human workers to focus on more strategic activities, thus increasing overall efficiency (Dey & Das, 2019). Deep Learning is a form of Machine Learning that employs the use of multiple layers of connected units so as to build from a simple into a complex concept. This makes it highly effective for tasks like image and speech recognition with little human involvement (LeCun et al., 2015).
Big Data analyses large datasets to provide useful insights that help industries make better decisions (Deniswara et al., 2020). In the context of auditing, these emerging technologies will significantly enhance the overall audit process due to their role in transforming traditional audit processes into more effective ones. However, this introduction does not go deep into the details of how these technologies apply within auditing but rather sets the stage for a deeper look into their roles in subsequent sections of this paper.
The technologies reviewed in this paper are Artificial Intelligence (AI), Machine Learning, Deep Learning, Blockchain, Robotic Process Automation (RPA), and Big Data. These technologies are expected to change the role of auditing and auditing methodologies to enable greater efficiencies and capabilities for the organisations using them.
Overall, 32 papers were identified with a detailed focus on the role these technologies play in external audit. In contrast to much of the existing literature, which is likely to focus on the impact of one technology on a broad field such as auditing, our study is more comprehensive and detailed. We have examined six various technologies and their specific implications for external auditing, a specialised and critical sub-field in the broad audit context. To our knowledge, this makes our study one of the few studies to address the convergence of a range of state-of-the-art technologies in the specific example of external auditing.
According to Boell and Cecez-Kecmanovic (2015), a well-defined scope in literature reviews enhances the quality and depth of analysis. By examining how these technologies are being adopted within external auditing, this review seeks to provide an overview that helps to identify research gaps. The paper also aims to contribute to future research by indicating further areas of investigation and highlighting potential research opportunities in the emerging audit technology domain.
The outcome of this research will be useful for several bodies such as academics and researchers who may want to pursue new studies of these technologies in external audit engagements, as well as providing guidance on the areas highlighted by the literature that therefore require further study.

2. Methodology

2.1. Research Design and Objectives

A systematic review is a well-recognised type of research review that systematically searches for, evaluates, and combines evidence from existing studies. It is designed to be transparent in its methods, making it easy for others to verify the process (Keele, 2007). Accordingly, this systematic literature review is conducted to:
  • Summarise and organise the existing research;
  • Identify gaps in this research;
  • Assist future researchers by highlighting areas for further investigation and shedding light on potential research opportunities in the evolving field of audit technology.
The main objective of this research is to examine, classify, and synthesise the existing academic literature on the use of specific advanced technologies in external audit.
The next objective is to classify the selected papers in order to better understand the existing literature and to identify current research gaps. Accordingly, this research consists of the following search procedures:

2.1.1. Review Protocol and Search Strategy

The keyword identification process involved conducting searches using the following terms: “Big Data”, “Blockchain”, “Machine Learning” or “ML”, “Deep Learning” or “DL”, “Artificial Intelligence” or “AI”, “Robotic Process Automation” or “RPA”, each combined with the terms “Audit”, “Auditor”, or “Auditing”.
The chosen technologies included in this review were guided by their conceptual relevance to the digital transformation of external auditing and by their recurring visibility in the external auditing and audit technology literature. AI was treated as a broad technological domain representing intelligent systems capable of supporting risk assessment, anomaly detection and audit decision-making. Within this broader domain, ML and DL were retained as explicit search terms because the auditing literature frequently addresses them as distinct analytical approaches rather than merely subsuming them under the general AI label. This distinction is important because ML- and DL-based applications are often discussed in relation to specific audit functions such as fraud detection, misstatement prediction and pattern recognition, which gives them an identifiable presence in the external audit literature.
Big Data represents the enabling data environment in which many AI-related audit applications operate. AI-driven techniques are inherently data-intensive, requiring large volumes of data combined with fast and iterative intelligent algorithms (Chen, 2023), which aligns with external audit analytics research linking data-rich environments to more advanced audit analytics and procedures (D. A. Appelbaum et al., 2018). Accordingly, Big Data was selected as a core search term to capture the data-rich audit settings that make AI-enabled analytics feasible and to ensure comprehensive coverage of this underpinning stream in the external audit literature.
RPA was also selected as a complementary but conceptually distinct technology because it represents a process-driven form of automation that differs from the data-driven logic of AI. The prior literature suggests that RPA is often the first step in an organisation’s AI journey, reflecting its practical role in initiating digital transformation through the automation of repetitive, rule-based tasks (Zemankova, 2019). At the same time, RPA and AI are better understood as complementary rather than substitutive technologies, since RPA is designed to automate structured, repetitive and rule-based procedures, thereby serving as a practical foundation for broader technology-enabled transformation in external auditing (Almufadda & Almezeini, 2022). This distinction is particularly relevant in external auditing, where many routine activities such as data extraction, reconciliations, file preparation and standardised testing procedures may be automated through RPA, while AI-based techniques may be applied to more complex analytical and risk-related tasks.
Blockchain was included alongside AI because it represents a distinct but complementary pathway through which external auditing is being transformed. Whereas AI-related tools primarily strengthen auditors’ analytical capability, supporting risk assessment and anomaly detection and prediction, Blockchain reshapes the evidential environment by changing how transactions are recorded, verified and traced through tamper-evident, time-stamped ledgers. As a result, these technologies influence audit risk through different mechanisms: AI affects detection risk via enhanced analytics, while Blockchain affects the reliability and traceability of underlying records and audit trails, with implications for control evaluation and evidence sufficiency. Including both in the SLR therefore enables a more complete synthesis of how emerging technologies jointly reshape audit evidence and audit risk management in external auditing.
Taken together, these six technologies capture complementary but distinct dimensions of digital transformation in external auditing: AI, ML and DL represent intelligent analytical capabilities; Big Data reflects the data environment in which many such capabilities operate; RPA represents process automation that often precedes and complements broader AI adoption; and Blockchain represents a separate infrastructural development that reshapes the reliability, traceability and verification of audit evidence.
We have used Keele’s (2007) methodology for a systematic literature review; therefore, this research consists of the following:
Selection steps for the literature review (Keele, 2007):
  • Step 1: Applying the selected keywords to systematically gather relevant sources;
  • Step 2: Excluding any invalid papers;
  • Step 3: Applying inclusion/exclusion criteria to titles, keywords and abstracts;
  • Step 4: Applying criteria to introductions and conclusions;
  • Step 5: Reviewing the entire text and applying exclusion/inclusion criteria.

2.1.2. Data Sources and Time Period

The papers selected relate to the period 2000–2024 from academic bodies such as the Scopus, Science Direct and Springer Link databases. We believe that this timeframe window will give us an overview of the evolution of research and emerging trends, providing insights into the integration of these technologies in the auditing field.

2.2. Inclusion and Exclusion Criteria

The papers selected for this study had to be published as full papers in academic journals, regardless of their online availability. Also, the papers selected for this study were chosen without applying restrictive keyword filters, allowing for a broader and more comprehensive collection of the literature.
The inclusion criteria were as follows:
  • Papers published in academic journals, regardless of whether they were published online or not.
  • Papers that mention at least one of the following technologies: Big Data, Blockchain, Machine Learning (ML), Deep Learning (DL), Artificial Intelligence (AI), and Robotic Process Automation (RPA).
  • Papers mentioning external auditing, external audit, or external auditor.
  • Listed Papers in ABS Ranking Systems.
Papers were excluded based on the following criteria:
  • Papers published in press that were practitioner journals at the time of publication;
  • Conference papers and workshop papers;
  • Incomplete papers and duplicate papers;
  • Papers related to internal audit;
  • Papers that discuss the specified technologies but do not directly relate to external auditing or audit or auditor;
  • Not Listed Papers in ABS Ranking Systems.
To be considered relevant, a paper must directly mention the technologies identified in this research together with the terms “external auditing”, “auditor”, or “audit”, regardless of the particular angle, focus, or context in which auditing is discussed. This approach ensures that all related topics are included.

Literature Screening and Selection Results

This literature survey process included a total of 471 papers, and the number decreased to 32 papers as Table 1 illustrates.
Table 2 indicates that we employed the (ABS) Ranking to ensure that the research covered in this review adheres to the minimum quality and reliability requirements of accepted scientific research (Alatawi et al., 2023; Lu et al., 2022). The ABS ranking is considered an important measure for the evaluation and rigour of academic journals, offering a systematic method for assessing the quality of the literature. While there were other papers that were relevant to our research area, we intentionally excluded them, to provide more quality and reliability for our systematic review, as we strongly believe that by focusing on recognised and the highest-ranked journals, our study maintains a solid scholarly foundation, the conclusions drawn being strongly evidenced, systematically accurate, and positively adding to existing knowledge.

3. Comparative Synthesis of Evidence Across Technologies

Building on the 32 ABS-ranked studies identified in Section 2 and summarised in Table 2, this section goes beyond describing individual papers to compare them systematically across technologies, research designs, audit phases and the strength of evidence. In doing so, it highlights where the literature on emerging technologies in external auditing is relatively mature and where it remains largely conceptual or exploratory.

3.1. Technologies Covered and Audit Tasks Studied

The 32 papers are unevenly distributed across technologies. Big Data accounts for ten studies, Machine Learning (ML) for seven, Blockchain for seven, Artificial Intelligence (AI) in a broader sense for five, Robotic Process Automation (RPA) for two, and Deep Learning for just one specialised article. Taken together, this indicates that the strongest empirical evidence base is concentrated in Big Data and predictive analytics, while RPA and Deep Learning remain comparatively under-researched in relation to external audit.
The technologies are also associated with different audit tasks. ML and the single Deep Learning study are strongly concentrated on fraud and misstatement detection, risk scoring and the prediction of restatements or enforcement actions. These models generate client- or transaction-level risk scores that can, in principle, inform risk assessment, planning and the design of subsequent substantive procedures. Big Data studies span a wider range of roles, from conceptual roadmaps and analytical procedure frameworks, including design-science implementations of analytical procedures using real ledger data, to review-based and empirical work on motivation, adoption and perceived impact on audit quality. Blockchain papers are mainly concerned with audit evidence, crypto-asset assurance and changes to audit approaches when distributed ledgers and smart contracts are present. AI and RPA research largely emphasises changes in work organisation, ethics and process automation, with only isolated large-sample studies that directly test impacts on audit outcomes.
Overall, the evidence base is densest where technologies are used as predictive analytics tools to flag risky clients, accounts or transactions and thinnest where technologies primarily reconfigure audit processes, workflows and roles.

3.2. Methodological Patterns and Strength of Evidence

The 32 studies display a clear methodological imbalance. A slight majority of the sample relies on empirical designs, including archival quantitative models, qualitative interviews, case studies, and design-science implementations, while the remaining papers are conceptual frameworks, narrative or systematic literature reviews, and practitioner-oriented commentaries. However, this aggregate picture hides important technology-specific differences.
Machine Learning and Deep Learning studies are overwhelmingly archival quantitative. They typically train and test models on financial statement data, enforcement releases, restatement announcements, general ledger transactions and disclosure text (Perols, 2011; Brown et al., 2020; Craja et al., 2020; Hunt et al., 2021; Mousa et al., 2022; Wei et al., 2024). These studies usually employ large samples, out-of-sample validation and, in many cases, benchmark multiple algorithms, so they can be regarded as providing relatively strong empirical evidence on predictive performance. At the same time, they seldom examine how auditors actually incorporate these model outputs into their judgements.
Big Data research is more methodologically diverse. Conceptual and framework papers explore the role of audit data analytics, IT audit analytics and the incorporation of Big Data into financial statement audits, outlining challenges, opportunities and research agendas rather than reporting empirical implementations (D. Appelbaum, 2016; Dzuranin & Mălăescu, 2016; Alles & Gray, 2024). Review papers also synthesise prior empirical and practitioner evidence on Big Data adoption and use (Aboagye-Otchere et al., 2021; D. A. Appelbaum et al., 2018). Interview-based grounded theory studies and documentaries and things like content analysis work investigate adoption drivers, barriers and perceived impacts on audit work (Dagilienė & Klovienė, 2019; Krieger et al., 2021; Abdelwahed et al., 2024; Jacky & Sulaiman, 2022). Design-science implementations (Fay & Negangard, 2017) combine advanced analytics with real ledger data. The strength of evidence is therefore mixed: several papers provide rich qualitative or descriptive insight but limited statistical generalizability, while only a few Big Data studies directly combine sophisticated analytics with clearly specified audit outcomes.
The research on Blockchain is largely dominated by conceptual analyses and illustrative cases, with a thinner but important qualitative empirical strand. Conceptual and framework papers set out the implications of distributed ledgers for audit evidence, governance and assurance (Gomaa et al., 2019; Smith & Castonguay, 2020; Roszkowska, 2021; Rozario & Thomas, 2019; Hsieh & Brennan, 2022), while qualitative interview studies examine how audit standards and approaches may need to evolve in practice (Dyball & Seethamraju, 2021; Gauthier & Brender, 2021). In addition, the empirical evidence base on Blockchain is relatively thin: most contributions scope issues and conceptualise risks rather than testing effects on audit outcomes using large field datasets.
Evidence on AI (beyond ML) in external audit relies mainly on qualitative case and interview designs, sometimes longitudinal, that explore auditors’ perceptions of AI, ethical concerns, work design and professional identity, complemented by a smaller number of survey-based and archival panel studies that proxy for digital investments and link them to audit outcomes (Lehner et al., 2022; Rahman & Ziru, 2023; Nguyen et al., 2024; Goto, 2023). Taken together, these studies provide medium-strength evidence on how AI is understood and embedded within firms, offering rich detail on organisational change but only limited statistical generalisability and relatively few direct measures of changes in audit risk or audit quality.
For Robotic Process Automation (RPA) and closely related workflow-oriented tools, the evidence base is thinner and remains largely exploratory. The core RPA studies are small-scale design-science and framework implementations within one or a few firms, where bots are piloted for deterministic planning checks, reconciliations, compliance procedures, control tests and workpaper generation (Eulerich et al., 2022; Zhang et al., 2022). Reported benefits such as efficiency gains, error reduction and more standardised execution of routine tasks are typically inferred from process descriptions, scenario comparisons and participant evaluations rather than large-scale field datasets, so the strength of evidence for RPA is best characterised as low-to-medium.

3.3. Technologies and the External Audit Phases

Most studies address risk assessment, a large number cover planning, a smaller subset explicitly examines substantive testing and tests of controls, and around a third discuss implications for reporting. A noticeable number also adopt an explicitly cross-phase perspective, considering how technologies reshape workflows across the entire engagement rather than at a single stage.
Machine Learning and Deep Learning are primarily noted to be deployed at the risk assessment and planning stages, where models are used to predict fraud, misstatements, restatements or heightened inspection and enforcement risk (Perols, 2011; Brown et al., 2020; Hunt et al., 2021; Craja et al., 2020; Wei et al., 2024; Hayes & Boritz, 2021; Mousa et al., 2022). One study extends into substantive testing by using anomaly detection in transactional data, but the dominant focus remains on client- or account-level risk scoring. These risk scores are intended to inform materiality judgements, the identification of significant accounts and the allocation of audit effort.
Big Data appears across a broader range of phases. Conceptual and review-based work describes data analytics as enhancing analytical procedures, continuous auditing and exception monitoring throughout the engagement (D. Appelbaum, 2016; D. A. Appelbaum et al., 2018; Dzuranin & Mălăescu, 2016; Alles & Gray, 2024; Jacky & Sulaiman, 2022), and several papers explicitly span multiple phases, from engagement acceptance and planning to reporting and quality review. Empirical and design-science studies indicate that current use is still concentrated in planning, risk assessment and selected aspects of substantive testing and control evaluation, notably journal-entry testing and anomaly detection in general ledger data (Fay & Negangard, 2017; Dagilienė & Klovienė, 2019; Krieger et al., 2021; Abdelwahed et al., 2024; Aboagye-Otchere et al., 2021).
Blockchain research, by contrast, usually asks how distributed ledgers and crypto-assets will reshape audit planning, risk assessment and evidence gathering. Conceptual work in this area suggests that validated on-chain records could reduce auditors’ reliance on traditional confirmations and some forms of reperformance, but it also highlights persistent challenges around valuation, rights and obligations, and the integration of off-chain data (Gomaa et al., 2019; Rozario & Thomas, 2019; Smith & Castonguay, 2020; Roszkowska, 2021; Hsieh & Brennan, 2022). Empirical interview studies on the other hand confirm that auditors perceive implications for planning, control testing and reporting, particularly in engagements involving Blockchain systems and crypto-assets (Dyball & Seethamraju, 2021; Gauthier & Brender, 2021). Across these articles, Blockchain is typically linked to risk assessment, design of procedures and evaluation of audit evidence across the full audit cycle.
AI (beyond ML) and RPA studies often seem to adopt cross-phase lenses, examining how intelligent tools and automation alter workflows from client acceptance and planning through evidence collection and documentation to reporting and consultation (Goto, 2023; Lehner et al., 2022; Rahman & Ziru, 2023; Nguyen et al., 2024; Eulerich et al., 2022). One RPA paper focuses specifically on automating deterministic planning tasks while keeping auditors in the loop for judgemental risk assessments (Zhang et al., 2022), whereas the other selects and prioritises audit tasks for automation across planning, compliance testing, control testing and workpaper generation (Eulerich et al., 2022). However, few of these studies measure phase-specific changes in audit outcomes; the dominant emphasis is on perceived effects on efficiency, work design, skill requirements and ethical challenges rather than on observed shifts in detection risk or reporting.
Overall, the current literature is clearly skewed towards planning and risk assessment, with relatively less systematic evidence on how emerging technologies affect substantive procedures, engagement review processes and reporting decisions throughout the external audit cycle.

3.4. Cross-Cutting Effects on Audit Risk and Audit Quality

Across technologies, the findings point to several recurring patterns in how emerging tools affect audit risk and audit quality.
First, ML, DL and Big Data analytics have clear potential to reduce detection risk by improving the identification of high-risk clients, transactions and accounts. At the same time, fraud detection models, topic-based misreporting screens and anomaly detection frameworks often provide additional or superior predictive power compared with traditional red-flag or logistic-based approaches (Perols, 2011; Brown et al., 2020; Craja et al., 2020; Bertomeu et al., 2021; Wei et al., 2024). Big Data analytics further support the highlighting of unusual transactions and more comprehensive risk coverage (Aboagye-Otchere et al., 2021; Fay & Negangard, 2017; D. Appelbaum, 2016). At the same time, the strongest gains are concentrated in predictive performance; most studies stop short of tracing how these models change overall audit risk, and several recent contributions emphasise the need to address model fairness, explainability and auditor use of complex analytics (D. Appelbaum, 2016; D. A. Appelbaum et al., 2018; Bertomeu et al., 2021). Concerns about documentation, transparency and the defensibility of judgements therefore remain central when analytics are used to justify detection risk reductions.
Second, adoption studies and AI-related organisational research highlight that technological capabilities alone are insufficient to improve audit quality. In addition, factors such as motivation, resource availability, digital expertise, and institutional and competitive pressures shape whether analytics are meaningfully embedded into audit methodologies and fieldwork (Dagilienė & Klovienė, 2019; Krieger et al., 2021; Nguyen et al., 2024; Abdelwahed et al., 2024). Big firms with stronger digital infrastructures and cross-disciplinary skills appear better placed to convert tools into improved coverage and richer evidence, whereas smaller firms and regulators often lag behind. Archival evidence suggests that higher client digitalisation and greater audit firm digital expertise are associated with higher audit fees, interpreted as higher audit quality in more technologically complex engagements (Rahman & Ziru, 2023). Overall, the dataset portrays substantial implementation heterogeneity: similar technologies can coexist with very different levels of audit risk coverage across firms and markets.
Third, Blockchain research by contrast suggests the potential of the distributed ledgers to reallocate rather than eliminate audit risk. Furthermore, immutable transaction histories and transparent trails can strengthen certain existence and completeness assertions and reduce opportunities for manipulation (Roszkowska, 2021; Rozario & Thomas, 2019; Smith & Castonguay, 2020), yet unresolved challenges around valuation, governance, off-chain data integration and evolving assurance standards mean that auditors still face significant inherent and control risks, particularly in crypto-asset and Blockchain-intensive engagements (Gomaa et al., 2019; Dyball & Seethamraju, 2021; Hsieh & Brennan, 2022; Gauthier & Brender, 2021). Rather than making auditors obsolete, the literature consistently frames Blockchain as shifting the focus of audit risk assessment towards system-level IT governance, access management and the design and monitoring of controls over distributed records.
Finally, when it comes to AI and RPA, the studies surrounding them state that automation does not automatically lower audit risk. On the one hand, automated routines and intelligent tools can enhance the consistency, coverage and timeliness of procedures by standardising deterministic planning tasks and expanding the volume of transactions that can be analysed (Eulerich et al., 2022; Zhang et al., 2022; Goto, 2023; Nguyen et al., 2024). On the other hand, ethical concerns about bias, accountability and skill erosion, together with governance risks around bot design and monitoring, introduce new behavioural and organisational vulnerabilities (Lehner et al., 2022; Rodgers et al., 2023). The RPA papers themselves acknowledge that bot errors and weak governance structures could undermine audit quality if not carefully controlled. Overall, the empirical literature supports a multidimensional view of audit risk in which technologies influence inherent, control and detection risk through different mechanisms, but only a small minority of studies explicitly frame their analyses using the Audit Risk Model or related risk-of-material-misstatement frameworks.

4. Integrative Theoretical Framework and Future Research Agenda

The comparative synthesis above shows that existing research tends to treat Big Data, AI, ML/DL, RPA and Blockchain as separate streams with uneven methodological maturity. This section develops a more integrated conceptual framework that links these technologies to the Audit Risk Model and the phases of the external audit and then uses that framework to structure a prioritised research agenda.

4.1. Linking Emerging Technologies to the Audit Risk Model and Audit Phases

Emerging technologies can be positioned along two key dimensions: (1) which component of audit risk they primarily influence (inherent, control or detection risk) and (2) which audit phases they most strongly affect (planning, risk assessment, substantive testing and reporting).
A first group—comprising most ML, DL and predictive Big Data analytics—primarily targets detection risk. These techniques improve auditors’ ability to detect misstatements by scoring transactions, accounts or clients based on their likelihood of misreporting or fraud (Perols, 2011; Brown et al., 2020; Craja et al., 2020; Wei et al., 2024; Fay & Negangard, 2017). They are mainly embedded in risk assessment and planning, where they inform resource allocation and the nature, timing and extent of subsequent procedures, with some applications extending into substantive testing via anomaly detection in general ledger data. However, the literature seldom evaluates how these risk scores translate into changed substantive testing strategies or reporting decisions in practice.
A second group—dominated by Big Data adoption studies and AI-enabled decision support—jointly targets the influences on inherent and detection risk. By providing richer information about clients’ operations, industries and control environments, analytics can refine auditors’ understanding of inherent risk and the plausibility of management assertions (Dagilienė & Klovienė, 2019; Aboagye-Otchere et al., 2021; Abdelwahed et al., 2024; Krieger et al., 2021). At the same time, advanced analytical procedures and full-population tests can lower detection risk by scrutinising entire datasets rather than small samples and by highlighting rare but high-impact anomalies (D. Appelbaum, 2016; D. A. Appelbaum et al., 2018). These technologies cut across planning, risk assessment and substantive testing, with some implications for reporting when they bring to the surface pervasive or systemic issues that affect audit effort and perceived audit quality.
A third group—Blockchain and crypto-asset technologies—strongly affects control risk and the nature of audit evidence. The explanation behind this is simply because all participants can view the same validated transaction log, so auditors can place greater confidence in existence and completeness assertions. But auditors still face inherent and control risks relating to valuation, rights and obligations, governance and off-chain data (Rozario & Thomas, 2019; Smith & Castonguay, 2020; Dyball & Seethamraju, 2021; Hsieh & Brennan, 2022; Roszkowska, 2021; Gomaa et al., 2019; Gauthier & Brender, 2021). These technologies are well connected with other audit stages such as planning, risk assessment, control testing and reporting, particularly in engagements where crypto-assets or Blockchain-based processes are material. The studies consistently move away from the idea that Blockchain will eliminate the need for auditors and instead emphasise a shift towards assessing system-level risks, IT governance and the design and monitoring of controls over distributed records.
A final group—RPA and workflow-oriented AI tools—mainly influences detection risk and process-level control risk by standardising how procedures are executed. RPA can increase coverage and reduce human error in data extraction, reconciliations and basic tests, while keeping auditors in the loop for judgemental assessments (Eulerich et al., 2022; Zhang et al., 2022; Goto, 2023; Nguyen et al., 2024). These tools have a cross-phase impact, from automating structured planning tasks and risk-indicator checks through routine matching and control testing to the generation of documentation and workpapers. At the same time, the literature notes that poorly designed bots or opaque AI systems could embed systematic mistakes or weaken opportunities for sceptical inquiry, so process-level control risk and behavioural risk must be actively managed rather than assuming they will fall automatically.
Table 3 consolidates these insights by contrasting technologies in terms of their dominant research focus, methodological profile, audit-phase and audit-risk emphasis, theoretical grounding and the most salient gaps and priorities. This high-level synthesis reinforces that the evidence base is strongest for predictive Machine Learning applications and broad Big Data analytics and more emergent and conceptually driven for Blockchain and RPA.

4.2. Theoretical Lenses and Mechanisms of Influence

Despite the clear relevance of established theories such as the Audit Risk Model, agency-based views of assurance, institutional theory and technology-adoption models, the 32 studies seldom engage explicitly with these frameworks. Only one Big Data paper is explicitly grounded in the Audit Risk Model, and a Blockchain study draws on ASA 315’s risk-of-material-misstatement framework, while most others treat audit risk concepts implicitly. Big Data and AI adoption work more commonly uses innovation and adoption perspectives, contingency ideas and institutional mechanisms. For example, Dagilienė and Klovienė (2019) build a contingency-based framework for linking Big Data analytics tasks, controls and audit quality. An extension of the Diffusion of Innovations in a process theory of data analytics adoption has been conducted by Krieger et al. (2021), and Nguyen et al. (2024) explicitly apply New Institutionalism, highlighting coercive, normative and mimetic pressures on firm-level digital transformation.
Other contributions, however, organised economic and capital market arguments to connect analytics and digital capabilities along with audit quality and investor protection. Mousa et al. (2022) explicitly draw on agency, signalling and legitimacy theories to explain how misreporting is perceived by investors and how enforcement actions interact with audit quality, while Aboagye-Otchere et al. (2021) emphasise signalling and information asymmetry in their synthesis of Big Data research. Roszkowska (2021) implicitly adopts an agency- and fraud risk-based view of investor protection, and Rahman and Ziru (2023) use an audit-quality supply–demand perspective to argue that client digitalisation and auditors’ digital expertise shape audit effort and fees. Yet the Audit Risk Model itself is rarely the explicit organising framework; it tends to sit in the background of discussions of fraud risk, misstatement probabilities and continuous auditing rather than being used to structure research questions and hypotheses.
Machine Learning and Deep Learning papers are largely method-driven. They focus on algorithmic performance, developing and comparing predictive models for fraud, misreporting and high-risk engagements, with very limited theorisation of how risk scores are interpreted by auditors, how they affect professional judgement, or how they interact with incentive structures and independence (Perols, 2011; Brown et al., 2020; Hunt et al., 2021; Wei et al., 2024; Mousa et al., 2022). In a different manner, the studies of Blockchain and crypto-assets typically rely on conceptual reasoning grounded in governance, risk and standard-setting debates rather than formal organisational or economic theory. Conceptual frameworks and practitioner-oriented papers discuss how standards such as ISA/ASA requirements on risk of material misstatement should be adapted to Blockchain systems (Smith & Castonguay, 2020; Hsieh & Brennan, 2022; Gomaa et al., 2019), while qualitative work explores how auditors and regulators perceive the risks and responsibilities that Blockchain introduces (Dyball & Seethamraju, 2021; Gauthier & Brender, 2021).
Bringing these observations and stands together, the 32 studies suggest that emerging technologies are best understood as mediating mechanisms within an extended Audit Risk Model rather than as isolated technical tools. At the engagement level, technologies alter information asymmetry and monitoring costs, linking naturally to agency-based views of auditor–client relationships and to supply–demand perspectives on audit quality (Mousa et al., 2022; Rahman & Ziru, 2023). At the organisational field level, technologies are adopted, diffused and legitimised through institutional and innovation mechanisms, as audit firms respond to regulatory expectations, peer practices and professional norms (Krieger et al., 2021; Nguyen et al., 2024; Rodgers et al., 2023). In contrast, and precisely at the individual level, perceptions of usefulness, ease of use and risk aversion—captured by technology-adoption models such as TAM, UTAUT and related frameworks, which currently appear only in a small subset of Big Data work (Jacky & Sulaiman, 2022)—provide a natural lens for explaining when auditors actively rely on AI-enabled tools rather than treating them as peripheral aids. At the technical level, ML/DL, Big Data analytics and Blockchain architectures directly shape the mapping between underlying economic events, recorded transactions and audit evidence, feeding into the inherent, control and detection risk components of the Audit Risk Model.
This multi-level theoretical framing moves beyond treating each technology as an isolated innovation and instead conceptualises them as interlocking drivers of audit risk, auditor behaviour and institutional change. It also highlights a clear theoretical opportunity: very few of the 32 studies currently integrate these lenses explicitly, suggesting scope for future work that combines risk-based auditing theory with agency, institutional and technology-adoption perspectives in a more systematic way.

4.3. Structured and Prioritised Research Gaps

Based on the technology–phase–risk matrix and the theoretical framing above, the research gaps identified in the 32 studies can be reorganised into five interrelated categories. For each category, the discussion points to a broad priority level and indicates how the gap translates into concrete future study designs (data types, methods, samples and variables).

4.3.1. Data and Sampling Gaps (High Priority)

A pervasive limitation across the sample is the reliance on single-country, cross-sectional and often self-reported data. Big Data and AI adoption studies are typically based on interview-based qualitative designs, case studies in a single jurisdiction and specific firm types, or on systematic literature reviews that synthesise such evidence (Dagilienė & Klovienė, 2019; Aboagye-Otchere et al., 2021; Abdelwahed et al., 2024). RPA and workflow-automation research likewise draws on design-science implementations and, in one case, a single-country survey component, rather than cross-country evidence (Eulerich et al., 2022; Zhang et al., 2022). ML/DL papers rely heavily on archival datasets rooted in particular enforcement or reporting environments, often focusing on one national market or regulatory regime (Perols, 2011; Brown et al., 2020; Craja et al., 2020; Hunt et al., 2021; Wei et al., 2024; Mousa et al., 2022). This constrains external validity and the ability to study institutional variation in how technologies affect audit risk and audit quality.
Future research should therefore prioritise multi-country, longitudinal designs that combine objective outcome measures (such as misstatements, restatements, enforcement actions, going-concern opinions or fee changes) with detailed information on technology use. One promising avenue is to construct panel datasets linking audit firms’ analytics and AI capabilities (for example, the presence of dedicated data teams, investments in AI infrastructure, or use of specific tools and platforms) to subsequent changes in misstatement rates, material-weakness disclosures or audit-report modifications across jurisdictions with different enforcement regimes and regulatory pressures.
Another high-priority direction is the collection of behavioural and process data within firms—such as system logs, decision trails, consultation records and documentation changes—that capture how auditors interact with AI/ML and analytics tools in real time, moving beyond self-reported perception or intention measures. Apart from isolated think-aloud and case-based work, such data are almost completely absent in the current sample. Designs that combine process tracing with outcome measures would enable finer tests of whether technologies are genuinely changing risk assessments, test design and review processes, rather than simply generating additional documentation.

4.3.2. Methodological and Modelling Gaps (High Priority)

When it comes to the methodological issues, two major ones were mainly observed. First, many ML/DL and related predictive analytics studies rely on relatively narrow outcome proxies—typically binary misstatement or restatement labels, sometimes linked to enforcement-related cases, and, in one AI study, audit fees as a proxy for audit quality (Perols, 2011; Brown et al., 2020; Hunt et al., 2021; Mousa et al., 2022; Rahman & Ziru, 2023). While these proxies are useful, they risk conflating client complexity, auditor expertise, risk appetite and litigation risk, and they provide only a partial view of constructs such as audit quality, independence or governance. Second, there is a tension between predictive performance and interpretability. High-performing black-box models (for example, deep architectures and complex ensembles) are difficult to explain and document, whereas more interpretable models may be perceived as less powerful. The surveyed literature on audit analytics and recent methodological work explicitly highlight the need to address fairness, explainability and usability in ML designs for auditing (D. A. Appelbaum et al., 2018; Bertomeu et al., 2021; Wei et al., 2024).
Addressing these gaps requires research that explicitly varies model specifications, feature sets and explanation techniques within audit contexts. Future studies could, for instance, compare more interpretable approaches (for example, tree-based models with post hoc explanation layers or inherently interpretable anomaly detection frameworks) against deep neural networks in detecting misstatements, evaluating not only accuracy and false-positive rates but also auditors’ trust, reliance and ability to justify decisions based on each model’s outputs. Experimental or field-experiment designs in which auditors are randomly assigned to different AI support tools—or to different explanation formats for the same model—would be particularly valuable for understanding behavioural responses.
Beyond ML/DL, there is also a need for process-oriented, mixed-methods studies that follow technologies through the entire audit lifecycle. Rather than focusing only on planning or analytical procedures, such work would trace how an AI- or analytics-flagged issue travels from risk assessment into changes in substantive testing, partner review, consultations and ultimately the audit report, combining system data, interviews and document analysis. This would directly respond to the current gap whereby many technologies are evaluated at the level of tools or models, but their effects on end-to-end audit processes remain largely speculative.

4.3.3. Theoretical Integration Gaps (Medium–High Priority)

Many studies report insightful findings without clearly anchoring them in formal theory. As a result, it remains unclear why some technologies diffuse rapidly in certain contexts while others stagnate or how exactly they alter relationships between auditors, clients and regulators. The limited use of explicit theoretical frameworks is particularly evident in ML/DL and Blockchain research, where method and technology design often take precedence over theory, but it also characterises much of the Big Data and RPA work. Only a small subset of papers explicitly mobilises formal lenses such as the Audit Risk Model; agency, signalling or legitimacy theory; institutional theory or audit-quality supply–demand perspectives, and technology-adoption models appear only in selected Big Data adoption work.
Future work should therefore make more systematic use of the Audit Risk Model, Agency Theory, institutional theory and technology-acceptance frameworks to formulate explicit hypotheses. These could concern how different technologies shift inherent, control and detection risk components across client types and industries; how changes in risk assessment and evidence collection feed into agency relationships, fee negotiations and effort allocations; how institutional pressures and professional norms encourage or constrain the use of non-traditional evidence sources such as Blockchain records or AI-generated analytics; and how auditors’ perceptions of usefulness, ease of use, fairness and risk influence their reliance on AI tools. Studies that combine surveys, interviews and archival data to test such theoretically grounded propositions would move the literature from descriptive mapping towards explanatory and predictive theory building and would help consolidate the currently fragmented set of constructs and mechanisms.

4.3.4. Contextual and Organisational Gaps (Medium Priority)

The mid-tier, small- and medium-sized practices and firms along with systematic comparisons across institutional contexts are paid little attention in the current literature. While some studies explicitly examine developing or emerging markets—for example, analytics and AI adoption in MENA and African settings and digital transformation in Vietnam (Abdelwahed et al., 2024; Rahman & Ziru, 2023; Nguyen et al., 2024)—much of the empirical evidence still comes from large international firms operating in developed capital markets or from single-country case studies. Moreover, there is only a partial examination of the internal dynamics of technology adoption within audit firms—such as tensions between IT specialists and engagement teams or between global methodologies and local offices. Big Data and AI research shows that several studies note differences between Big Four and smaller firms, and case work illustrates how AI projects are negotiated within large firms (Krieger et al., 2021; Goto, 2023), but the systematic organisational analysis remains sparse.
This suggests a need for comparative organisational case studies that follow technology adoption in different firm segments (Big Four, mid-tier and small firms) and across regulatory and cultural environments. Such studies could identify which combinations of governance structures, training programmes and incentive systems actually lead to effective risk-based use of AI, Big Data and RPA in practice and where structural constraints inhibit their impact. Including perspectives from audit committees, regulators and clients would further enrich understanding of how technology-enabled audits are perceived, contested and negotiated in the broader governance ecosystem and would help explain why similar tools may support very different levels of audit quality across firms and countries.

4.3.5. Technology-Coverage and Interaction Gaps (High Priority)

Finally, the evidence map reveals substantial coverage gaps. Deep Learning is represented by a single fraud detection study (Craja et al., 2020) and RPA by two design- and framework-oriented articles (Eulerich et al., 2022; Zhang et al., 2022). Moreover, most research examines one technology in isolation, typically labelling studies as “Big Data”, “ML”, “Blockchain” or “RPA”, even though in practice, audit engagements are increasingly supported by combinations of analytics, AI, RPA and, for some clients, Blockchain or crypto-asset infrastructures.
Future work should therefore prioritise multi-technology designs that examine how tools interact within a coherent “audit technology stack”. For example, researchers could study engagements where Big Data platforms feed ML anomaly detectors, which in turn trigger RPA-based testing routines and structured documentation, and assess how this integrated stack affects detection risk, documentation quality and audit fees relative to more traditional approaches. Similarly, there is an urgent opportunity to investigate emerging generative AI applications—such as automated workpaper drafting, risk-factor summarisation, explanation of complex judgements or client communication—and their implications for audit risk, independence, staff development and regulatory scrutiny.
In framing such studies, researchers should articulate clear, testable questions and link them to specific design choices. For instance, studies might specify whether they intend to use archival data, survey data, process logs or experimental data; whether they focus on Big Four or non-Big Four firms; and how they will operationalise audit risk, audit quality, independence or governance outcomes. This responds directly to the need for a more hierarchically organised and actionable research agenda rooted in the limitations of the 32 studies, rather than a general list of speculative gaps. To make this agenda as concrete as possible, the five gap domains can be translated into indicative, testable research questions. For example:
  • RQ 1 (Data and sampling): To what extent do audit firms’ analytics, AI and RPA capabilities explain cross-country and inter-firm variation in misstatements, restatements, enforcement actions, going-concern opinions and audit fees, after controlling for client risk and governance characteristics?
  • RQ 2 (Methodological and modelling): How does the use of interpretable versus black-box ML models for fraud and misstatement detection influence auditors’ reliance on model outputs, their documented justification of judgements, and the incidence of false positives and false negatives?
  • RQ 3 (Theoretical integration): How do audit technologies, viewed through the Audit Risk Model, shift inherent, control and detection risk components across different client types, and how are these effects moderated by agency relationships, institutional pressures and technology-adoption factors?
  • RQ 4 (Contextual and organisational): Which combinations of governance structures, training programmes and incentive systems enable Big Four, mid-tier and small audit firms to translate investments in AI, Big Data and RPA into observable improvements in detection risk and audit quality?
  • RQ 5 (Technology coverage and interaction): How do multi-technology “audit stacks” that combine Big Data platforms, ML anomaly detectors, and RPA testing routines tools affect detection risk, documentation quality, staff development and regulatory scrutiny compared with more traditional audit approaches?

5. Implications

5.1. Theoretical Implications

The comparative synthesis of the 32 ABS-ranked studies shows that emerging technologies are not simply add-ons to existing audit techniques but mechanisms that reshape how audit risk is constructed, assessed and managed throughout the engagement. The technology–phase–risk matrix and the multi-level framing in Section 4 highlight three main theoretical implications.
First, the evidence suggests that the Audit Risk Model remains a highly relevant but underutilised lens. Across technologies, the clearest empirical impacts are on detection risk, especially through ML/DL and predictive analytics, while Big Data, AI decision support and Blockchain also affect inherent and control risk in more diffuse ways. Yet only a small subset of studies explicitly develop propositions in Audit Risk Model terms, and most treat risk components as background concepts rather than as the core theoretical engine. A key implication is that future work should treat technologies as mediating mechanisms within an extended Audit Risk Model, explicitly theorising how they alter the mapping from economic events to recorded transactions to audit evidence and, ultimately, to the residual risk of material misstatement.
Second, the review shows that existing theory use is fragmented across levels of analysis. At the engagement level, there are several studies that implicitly invoke agency, signalling, legitimacy and audit quality supply–demand perspectives when linking digital capabilities, enforcement environments and misreporting outcomes (e.g., Mousa et al., 2022; Roszkowska, 2021; Rahman & Ziru, 2023), However, what can be seen is that these theoretical lenses are rarely brought together in a systematic way. At the organisational-field level, Big Data and AI studies document coercive, normative and mimetic pressures, digital divides between Big Four and smaller firms, and the influence of professional bodies (Krieger et al., 2021; Nguyen et al., 2024; Rodgers et al., 2023), which sits naturally within New Institutional and innovation/diffusion perspectives. At the individual level, auditors’ perceptions of usefulness, ease of use and risk clearly influence how they work with analytics and AI tools. However, technology-adoption models such as TAM, UTAUT and TPB are only mentioned occasionally (Jacky & Sulaiman, 2022) and are rarely applied in a structured way. Overall, there is still plenty of scope to combine micro-, meso- and macro-level theories into a clearer, multi-level explanation of technology-mediated auditing.
Third, the pattern of findings underscores the importance of explicitly theorising human–technology interaction rather than treating tools as exogenous. ML/DL studies demonstrate that high predictive performance is achievable but say little about how risk scores influence judgement, scepticism or independence. Blockchain studies show that control and evidence structures are reconfigured yet do not fully theorise how responsibility and trust are redistributed between auditors, clients and technology providers. AI and RPA work documents ethical concerns, skill shifts and new workflows but only begins to unpack how these dynamics translate into changes in audit risk and audit quality. Taken together, the review implies that future theorising should move beyond “technology as input” toward explicit models of how technologies, incentives, norms and professional identities jointly shape audit decisions, using agency, institutional and socio-technical perspectives alongside the Audit Risk Model.

5.2. Methodological Implications

The structured gap analysis in Section 4.3 reveals several methodological implications for how future research on audit technologies should be designed, executed and interpreted.
First, the evidence base is dominated by single-country, cross-sectional designs and, in adoption work, by self-reported perceptions from specific subsets of firms. This limits generalisability and makes it difficult to disentangle institutional, regulatory and market-structure effects. Methodologically, this implies a need for multi-country, longitudinal and multi-source designs that combine archival outcomes (misstatements, restatements, enforcement actions, going-concern opinions, and fee changes) with richer measures of technological capability and use (e.g., existence of analytics units, specific AI tools, and Blockchain-enabled services). Panel designs, ideally spanning different enforcement and regulatory regimes, would allow for stronger causal inference about how technologies affect audit risk and audit quality over time.
Second, the ML/DL cluster illustrates both the strengths and limitations of current modelling practice. Studies provide sophisticated predictive performance evaluations but rely on relatively narrow proxies for complex constructs (e.g., binary misstatement indicators, audit fees, and restatement flags) and rarely conduct systematic sensitivity analyses against alternative model specifications or feature sets. The interpretability–performance tension identified in Section 4.3.2 implies that future work should explicitly compare families of models—for example, interpretable anomaly detection frameworks, tree-based ensembles with explanation layers and deep neural networks—and evaluate not only prediction metrics but also auditors’ understanding, trust and ability to document and defend model-assisted judgements.
Third, the review points to a methodological gap in process data and behavioural evidence. With a few exceptions, the literature lacks system logs, decision trails, consultation records or within-firm process data that show how auditors actually interact with technologies in real time. This weakens the link between tool-level performance and engagement-level outcomes. Methodologically, the implication is that future research should combine mixed-methods process tracing (e.g., logs, document analysis, and interviews) with experimental or quasi-experimental designs (e.g., random assignment of different AI support tools or explanation regimes) to identify how technologies reshape risk assessment, test design, review and reporting over the full audit lifecycle.
Finally, the dominance of tool- or phase-specific studies, for example focusing only on risk assessment or only on analytical procedures, implies that we have limited evidence on end-to-end effects. The technology–phase–risk mapping in Section 4.1 suggests that future designs should be explicitly process-oriented, following issues flagged by analytics or AI from planning into substantive testing, partner review and audit reports, rather than inferring process effects from single-phase snapshots.

5.3. Policy and Practice Implications

The findings also carry important implications for standard setters, regulators, audit firms and the wider profession.
For standard-setting bodies and regulators, the review shows that technologies are already affecting how evidence is generated, evaluated and documented, yet formal guidance is lagging. Big Data analytics and ML/DL models challenge traditional notions of sampling and sufficient appropriate evidence and documentation when risk assessments rely on complex, sometimes opaque algorithms. Blockchain and crypto-asset engagements raise questions about on-chain versus off-chain evidence, IT governance and the sufficiency of existing ISA/ASA guidance. Regulators and standard setters therefore face the task of clarifying expectations around the use of analytics and AI in risk assessment and testing, the documentation and explainability of model-based conclusions, the treatment of non-traditional evidence sources (e.g., distributed ledgers) and the governance of automated routines and bots.
For audit firms, the synthesis reinforces that technology adoption is not a purely technical upgrade but a strategic and organisational change problem. Evidence on adoption, digital divides and implementation heterogeneity indicates that benefits accrue unevenly: large firms with strong digital infrastructures and cross-disciplinary teams are better positioned to integrate analytics and AI into methodologies, while smaller and mid-tier firms risk falling behind. The review therefore underscores the need for firms to invest in governance structures, training and incentives that support risk-based, sceptical use of technologies rather than superficial deployment. This includes clear responsibility for model validation and monitoring, integrating IT specialists into engagement teams without diluting audit judgement, and designing performance metrics and training programmes that encourage auditors to interrogate, rather than unquestioningly accept, model outputs.
For individual auditors and engagement teams, the findings imply that professional judgement and scepticism remain central but are exercised in a more technology-mediated environment. Auditors must be able to understand, challenge and explain the outputs of analytic and AI tools, recognise their limitations, and integrate them with other forms of evidence. This heightens the importance of data literacy, basic AI literacy and ethical awareness in professional education and continuing development. The review also suggests that engagement-level documentation and consultation processes may need to evolve to capture how technology-generated risk indicators, anomalies and explanations are considered in planning, testing and reporting.
Finally, for academia and professional education providers, the clear gaps in multi-technology designs, process data and cross-country evidence indicate opportunities for research–practice partnerships. Collaborations that provide access to anonymised process logs, experimental platforms or pilot implementations of AI/RPA tools would support the more rigorous designs outlined in Section 4.3, while simultaneously informing firms’ internal policies and regulators’ expectations. Updating curricula to reflect the technology–phase–risk relationships identified in this review would help prepare future auditors for a world in which ML/DL, Big Data, AI decision support, RPA and Blockchain are part of the normal audit toolkit rather than exceptional innovations.

6. Conclusions

This review synthesised evidence from 32 ABS-ranked studies on five main clusters of emerging technologies in external auditing—Big Data and audit analytics, ML/DL predictive models, AI decision support, Blockchain, and RPA/workflow automation. The analysis mapped how these technologies relate to audit tasks, research designs, audit phases, risk components and theoretical frameworks.
Three overarching conclusions follow. First, the evidence base is uneven across technologies and audit phases. The most mature empirical work concerns ML/DL and predictive analytics for fraud and misstatement detection and Big Data applications in planning, risk assessment and selected substantive procedures. In contrast, Blockchain and RPA have relatively few field studies and limited outcome data. Across technologies, the literature is skewed towards risk assessment and planning, with comparatively little systematic evidence on how technologies affect substantive testing, engagement review and reporting.
Second, the review shows that emerging technologies are best understood as mediating mechanisms within an extended Audit Risk Model, rather than as standalone tools. ML/DL and analytics primarily affect detection risk by changing how high-risk clients, accounts and transactions are identified; Big Data and AI decision support also shape inherent risk assessments; and Blockchain and RPA reconfigure control risk and evidence generation by changing systems, workflows and process-level controls. However, most studies stop short of explicitly theorising these mechanisms, and theoretical engagement with the Audit Risk Model and agency, institutional and technology-adoption frameworks is still limited.
Third, the structured agenda in Section 4.3 identifies five interrelated gap domains, data and sampling, methodological and modelling issues, theoretical integration, contextual and organisational variation, and technology coverage and interaction; together they define a forward-looking research programme. Addressing these gaps will require multi-country and longitudinal designs, richer process and behavioural data, experimental and mixed-methods approaches, explicit theory-driven hypotheses and multi-technology studies that reflect the reality of integrated “audit technology stacks”.
The review has several limitations. It focuses on ABS-ranked journal articles and on external audit, which may exclude relevant insights from practitioner publications, non-indexed outlets, internal audit research and very recent work that has not yet appeared in journals. Nevertheless, by systematically mapping what is known, where the strongest evidence lies and where key gaps remain, this review provides a robust foundation for subsequent empirical and theoretical work.
Overall, the contribution of this study is twofold. Conceptually, it offers an integrated framework that brings together six major emerging technologies in external auditing and treats AI as an umbrella concept that includes key family members such as ML-based and other data-driven analytics. The framework links these technologies to specific audit phases, risk components and theoretical lenses, moving beyond separate technology streams to a single, specialised focus on how external auditors manage audit risk. Empirically, the review combines prior work on Big Data, AI/ML, Blockchain, RPA and related tools into one coherent account of how these technologies are used in external audits.
By presenting earlier research on Big Data and Blockchain alongside more recent studies on AI-driven analytics, it allows readers to see in one place what each stream has contributed to external audit and what new capabilities AI adds to the existing audit toolkit. In doing so, it distils the fragmented literature into a clear set of patterns and priorities that can guide both future research and practice. If the research agenda articulated here is pursued, the next wave of studies will be better positioned to explain not just whether technologies “work” in external auditing, but when, how and for whom they improve audit risk management, audit quality and trust in financial reporting.

Author Contributions

Conceptualization, A.S.M.A.; methodology, A.S.M.A.; data curation, A.S.M.A.; investigation, A.S.M.A.; formal analysis, A.S.M.A.; visualization, A.S.M.A.; writing—original draft preparation, A.S.M.A.; project administration, A.S.M.A.; writing—review and editing, N.M. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding. The APC was funded by the authors.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created or analysed in this study. Data sharing is not applicable to this article.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Abdelwahed, A. S., Abu-Musa, A. A., Moubarak, H., & Badawy, H. A. (2024). The use of big data and analytics in external auditing: Does audit firm size matter? Evidence from a developing country. South African Journal of Accounting Research, 38(2), 113–145. [Google Scholar] [CrossRef]
  2. Aboagye-Otchere, F., Agyenim-Boateng, C., Enusah, A., & Aryee, T. E. (2021). A review of big data research in accounting. Intelligent Systems in Accounting, Finance and Management, 28(4), 268–283. [Google Scholar] [CrossRef]
  3. Alatawi, I. A., Ntim, C. G., Zras, A., & Elmagrhi, M. H. (2023). CSR, financial and non-financial performance in the tourism sector: A systematic literature review and future research agenda. International Review of Financial Analysis, 89, 102734. [Google Scholar] [CrossRef]
  4. Alles, M., & Gray, G. L. (2024). The marketing on Big 4 websites of Big Data Analytics in the external audit: Evidence and consequences. International Journal of Accounting Information Systems, 54, 100697. [Google Scholar] [CrossRef]
  5. Almufadda, G., & Almezeini, N. A. (2022). Artificial intelligence applications in the auditing profession: A literature review. Journal of Emerging Technologies in Accounting, 19(2), 29–42. [Google Scholar] [CrossRef]
  6. Appelbaum, D. (2016). Securing big data provenance for auditors: The big data provenance black box as reliable evidence. Journal of Emerging Technologies in Accounting, 13(1), 17–36. [Google Scholar] [CrossRef]
  7. Appelbaum, D. A., Kogan, A., & Vasarhelyi, M. A. (2018). Analytical procedures in external auditing: A comprehensive literature survey and framework for external audit analytics. Journal of Accounting Literature, 40(1), 83–101. [Google Scholar] [CrossRef]
  8. Bertomeu, J., Cheynel, E., Floyd, E., & Pan, W. (2021). Using machine learning to detect misstatements. Review of Accounting Studies, 26, 468–519. [Google Scholar]
  9. Boell, S. K., & Cecez-Kecmanovic, D. (2015). On being ‘systematic’ in literature reviews in IS. Journal of Information Technology, 30(2), 161–173. [Google Scholar] [CrossRef]
  10. Boppana, V. R. (2022). Machine learning and AI learning: Understanding the revolution. SSRN. [Google Scholar] [CrossRef]
  11. Brown, N. C., Crowley, R. M., & Elliott, W. B. (2020). What are you saying? Using topic to detect financial misreporting. Journal of Accounting Research, 58(1), 237–291. [Google Scholar] [CrossRef]
  12. Chen, Z. (2023). Ethics and discrimination in artificial intelligence-enabled recruitment practices. Humanities and Social Sciences Communications, 10(1), 567. [Google Scholar] [CrossRef]
  13. Craja, P., Kim, A., & Lessmann, S. (2020). Deep learning for detecting financial statement fraud. Decision Support Systems, 139, 113421. [Google Scholar] [CrossRef]
  14. Dagilienė, L., & Klovienė, L. (2019). Motivation to use big data and big data analytics in external auditing. Managerial Auditing Journal, 34(7), 750–782. [Google Scholar] [CrossRef]
  15. Deniswara, K., Handoko, B. L., & Mulyawan, A. N. (2020). Big data analytics: Literature study on how big data works towards accountant millennial generation. International Journal of Management, 11(5), 376–389. [Google Scholar]
  16. Dey, S., & Das, A. (2019). Robotic process automation: Assessment of the technology for transformation of business processes. International Journal of Business Process Integration and Management, 9(3), 220–230. [Google Scholar] [CrossRef]
  17. Dyball, M. C., & Seethamraju, R. (2021). The impact of client use of blockchain technology on audit risk and audit approach—An exploratory study. International Journal of Auditing, 25(2), 602–615. [Google Scholar] [CrossRef]
  18. Dzuranin, A. C., & Mălăescu, I. (2016). The current state and future direction of IT audit: Challenges and opportunities. Journal of Information Systems, 30(1), 7–20. [Google Scholar]
  19. Eulerich, M., Pawlowski, J., Waddoups, N. J., & Wood, D. A. (2022). A framework for using robotic process automation for audit tasks. Contemporary Accounting Research, 39(1), 691–720. [Google Scholar]
  20. Fay, R., & Negangard, E. M. (2017). Manual journal entry testing: Data analytics and the risk of fraud. Journal of Accounting Education, 38, 37–49. [Google Scholar] [CrossRef]
  21. Gauthier, M. P., & Brender, N. (2021). How do the current auditing standards fit the emergent use of blockchain? Managerial Auditing Journal, 36(3), 365–385. [Google Scholar] [CrossRef]
  22. Gomaa, A. A., Gomaa, M. I., & Stampone, A. (2019). A transaction on the blockchain: An AIS perspective, intro case to explain transactions on the ERP and the role of the internal and external auditor. Journal of Emerging Technologies in Accounting, 16(1), 47–64. [Google Scholar] [CrossRef]
  23. Goto, M. (2023). Anticipatory innovation of professional services: The case of auditing and artificial intelligence. Research Policy, 52(8), 104828. [Google Scholar] [CrossRef]
  24. Hayes, L., & Boritz, J. E. (2021). Classifying restatements: An application of machine learning and textual analytics. Journal of Information Systems, 35(3), 107–131. [Google Scholar] [CrossRef]
  25. Hsieh, S. F., & Brennan, G. (2022). Issues, risks, and challenges for auditing crypto asset transactions. International Journal of Accounting Information Systems, 46, 100569. [Google Scholar] [CrossRef]
  26. Hunt, J. O., Rosser, D. M., & Rowe, S. P. (2021). Using machine learning to predict auditor switches: How the likelihood of switching affects audit quality among non-switching clients. Journal of Accounting and Public Policy, 40(5), 106785. [Google Scholar] [CrossRef]
  27. Jacky, Y., & Sulaiman, N. A. (2022). The use of data analytics in external auditing: A content analysis approach. Asian Review of Accounting, 30(1), 31–58. [Google Scholar] [CrossRef]
  28. Keele, S. (2007). Guidelines for performing systematic literature reviews in software engineering, version 2.3 (EBSE Technical Report EBSE-2007-01). EBSE. [Google Scholar]
  29. Krieger, F., Drews, P., & Velte, P. (2021). Explaining the (non-) adoption of advanced data analytics in auditing: A process theory. International Journal of Accounting Information Systems, 41, 100511. [Google Scholar] [CrossRef]
  30. LeCun, Y., Bengio, Y., & Hinton, G. (2015). Deep learning. Nature, 521(7553), 436–444. [Google Scholar] [CrossRef]
  31. Lehner, O. M., Ittonen, K., Silvola, H., Ström, E., & Wührleitner, A. (2022). Artificial intelligence based decision-making in accounting and auditing: Ethical challenges and normative thinking. Accounting, Auditing & Accountability Journal, 35(9), 109–135. [Google Scholar] [CrossRef]
  32. Lu, Y., Ntim, C. G., Zhang, Q., & Li, P. (2022). Board of directors’ attributes and corporate outcomes: A systematic literature review and future research agenda. International Review of Financial Analysis, 84, 102424. [Google Scholar] [CrossRef]
  33. Mousa, G. A., Elamir, E. A., & Hussainey, K. (2022). Using machine learning methods to predict financial performance: Does disclosure tone matter? International Journal of Disclosure and Governance, 19(1), 93–112. [Google Scholar] [CrossRef]
  34. Nguyen, P. T., Kend, M., & Le, D. Q. (2024). Digital transformation in Vietnam: The impacts on external auditors and their practices. Pacific Accounting Review, 36(1), 144–160. [Google Scholar] [CrossRef]
  35. Perols, J. (2011). Financial statement fraud detection: An analysis of statistical and machine learning algorithms. Auditing: A Journal of Practice & Theory, 30(2), 19–50. [Google Scholar]
  36. Rahman, M. J., & Ziru, A. (2023). Clients’ digitalization, audit firms’ digital expertise, and audit quality: Evidence from China. International Journal of Accounting & Information Management, 31(2), 221–246. [Google Scholar]
  37. Rodgers, W., Al-Shaikh, S., & Khalil, M. (2023). Protocol analysis data collection technique implemented for artificial intelligence design. IEEE Transactions on Engineering Management, 71, 6842–6853. [Google Scholar] [CrossRef]
  38. Roszkowska, P. (2021). Fintech in financial reporting and audit for fraud prevention and safeguarding equity investments. Journal of Accounting & Organizational Change, 17(2), 164–196. [Google Scholar]
  39. Rozario, A. M., & Thomas, C. (2019). Reengineering the audit with blockchain and smart contracts. Journal of Emerging Technologies in Accounting, 16(1), 21–35. [Google Scholar] [CrossRef]
  40. Smith, S. S., & Castonguay, J. J. (2020). Blockchain and accounting governance: Emerging issues and considerations for accounting and assurance professionals. Journal of Emerging Technologies in Accounting, 17(1), 119–131. [Google Scholar] [CrossRef]
  41. Wei, D., Cho, S., Vasarhelyi, M. A., & Te-Wierik, L. (2024). Outlier detection in auditing: Integrating unsupervised learning within a multilevel framework for general ledger analysis. Journal of Information Systems, 38(2), 123–142. [Google Scholar] [CrossRef]
  42. Xu, M., David, J. M., & Kim, S. H. (2018). The fourth industrial revolution: Opportunities and challenges. International Journal of Financial Research, 9(2), 90–95. [Google Scholar] [CrossRef]
  43. Yermack, D. (2017). Corporate governance and blockchains. Review of Finance, 21(1), 7–31. [Google Scholar] [CrossRef]
  44. Zemankova, A. (2019, December 8–10). Artificial intelligence in audit and accounting: Development, current trends, opportunities and threats-literature review. 2019 International Conference on Control, Artificial Intelligence, Robotics & Optimization (ICCAIRO) (pp. 148–154), Athens, Greece. [Google Scholar]
  45. Zhang, C., Thomas, C., & Vasarhelyi, M. A. (2022). Attended process automation in audit: A framework and a demonstration. Journal of Information Systems, 36(2), 101–124. [Google Scholar] [CrossRef]
Table 1. Selection process.
Table 1. Selection process.
Total Number of Papers471
Unrelated Papers(118)
No Mention of EXTERNAL Audit, Auditing, or Auditor/phrase(246)
In Press (Not Issued Final)(23)
Papers Related to Internal Audit(37)
Not Listed Papers in ABS Ranking(15)
Final Inclusions32
Table 2. Journal selection criteria based on the ABS Academic Journal Guide.
Table 2. Journal selection criteria based on the ABS Academic Journal Guide.
Journal TitleABS RankingNumber of Studies%
Journal of Accounting Research4 *13%
Research Policy4 *13%
Contemporary Accounting Research413%
Review of Accounting Studies413%
A Journal of Practice & Theory3 *13%
Accounting, Auditing and Accountability Journal3 *13%
Decision Support Systems3 *13%
IEEE Transactions on Engineering Management3 *13%
Journal of Accounting and Public Policy3 *13%
Journal of Accounting Literature3 *13%
Asian Review of Accounting2 *13%
International Journal of Accounting & Information Management2 *13%
International Journal of Accounting Information Systems2 *312%
International Journal of Auditing2 *13%
International Journal of Disclosure and Governance2 *13%
Journal of Accounting & Organizational Change2 *13%
Journal of Accounting Education2 *13%
Managerial Auditing Journal2 *26%
Intelligent Systems in Accounting, Finance and Management1 *13%
Journal of Emerging Technologies in Accounting1 *412%
Journal of Information Systems1 *412%
Pacific Accounting Review1 *13%
South African Journal of Accounting Research1 *13%
Total 32100%
Note: The Academic Journal Guide (AJG/ABS) rates journals on a 4 *–1 scale (4 *, 4, 3, 2, 1); 4 * denotes the highest (“world elite”/journal of distinction) category.
Table 3. Summary of evidence, audit focus and research priorities by technology. The table summarises, for each technology cluster, the dominant research focus and audit tasks, the typical methodology and evidence strength in the current literature, the main audit phases and audit risk components addressed, the main theoretical lenses used (where applicable), and the key research gaps and priorities emerging from the 32 studies.
Table 3. Summary of evidence, audit focus and research priorities by technology. The table summarises, for each technology cluster, the dominant research focus and audit tasks, the typical methodology and evidence strength in the current literature, the main audit phases and audit risk components addressed, the main theoretical lenses used (where applicable), and the key research gaps and priorities emerging from the 32 studies.
Research ThemeDominant Focus and Audit TasksMethodology and
Evidence Strength		Audit Phases and Risk ComponentsTheoretical
Framework		Key Gaps and Priorities
Big DataAdoption of analytics; full-population testing; fraud detection; continuous auditing; conceptual roadmaps.Medium maturity; mix of conceptual, qualitative interviews, and small-scale design-science implementations.Full engagement; planning, risk assessment, and substantive testing; affects inherent and detection risk.Contingency, AIS frameworks, design-science, UTAUT/TAM/TPB.Multi-country/longitudinal studies; linkage to hard audit outcomes; field-based risk assessment changes.
Machine Learning/Deep LearningPrediction of fraud, misstatements, and high-risk clients using structured and textual data.High (Predictive)/Low (Behavioural); predominantly archival quantitative; large datasets; focus on model calibration.Risk assessment and planning; emphasis on detection risk (probability of detecting existing misstatements).Method-driven/Atheoretical; tangential use of Audit Risk Model and Agency Theory.Interpretable/Explainable models (XAI); behavioural impact on auditor scepticism; non-U.S. datasets.
AI (Non-ML)Auditors’ perceptions, readiness and ethical concerns around AI; work design, skills, and professional identity.Medium maturity; qualitative case/interview studies; longitudinal work; some archival panel regressions.Cross-phase; primarily planning and risk assessment; affects inherent and detection risk.New Institutionalism; professionalisation; socio-materiality; audit quality supply–demand.Field experiments on real AI use; evidence from mid-tier/smaller firms; governance and liability analysis.
BlockchainAssurance of crypto-assets; smart contracts; impact on audit evidence continuous assurance design.Low–medium maturity conceptual frameworks; technical articles, explanatory qualitative interviews.Planning, risk, and controls; focus on control risk (IT governance) and inherent risk.Governance and regulatory perspectives; ISA/ASA frameworks.Field evidence; evaluation of on-chain vs. off-chain evidence; cross-jurisdictional regulatory responses.
Robotic Process Automation (RPA)Automation of routine tasks (reconciliations, data extraction); workflow redesign; keeping “human in the loop.”Low–medium maturity; design-science prototypes (DSR) and frameworks; limited generalizability.Cross-phase; focus on planning, control testing, and documentation; reduces detection and control risk.Socio-Technical Systems (STSs); Technological Process Reframing (TPR).Field evidence on efficiency/quality; analysis of “failure modes” (bot errors); RPA impact on human scepticism.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Abderrahman, A.S.M.; Makarem, N. The Future of External Audit: A Systematic Literature Review of Emerging Technologies and Their Impact on External Audit Practices. J. Risk Financial Manag. 2026, 19, 216. https://doi.org/10.3390/jrfm19030216

AMA Style

Abderrahman ASM, Makarem N. The Future of External Audit: A Systematic Literature Review of Emerging Technologies and Their Impact on External Audit Practices. Journal of Risk and Financial Management. 2026; 19(3):216. https://doi.org/10.3390/jrfm19030216

Chicago/Turabian Style

Abderrahman, Ahmad Salim Moh’d, and Naser Makarem. 2026. "The Future of External Audit: A Systematic Literature Review of Emerging Technologies and Their Impact on External Audit Practices" Journal of Risk and Financial Management 19, no. 3: 216. https://doi.org/10.3390/jrfm19030216

APA Style

Abderrahman, A. S. M., & Makarem, N. (2026). The Future of External Audit: A Systematic Literature Review of Emerging Technologies and Their Impact on External Audit Practices. Journal of Risk and Financial Management, 19(3), 216. https://doi.org/10.3390/jrfm19030216

Article Metrics

Back to TopTop