
How to Do a T&E Audit in the Age of AI: Key Challenges and Contemporary Approaches
Every Internal Audit team has to do T&E audits. They’re an inevitable part of the audit plan. T&E audits aren’t rocket science, but they still take up more of our time than they should — time we’d prefer to spend on more interesting or high-priority audits. Our executive stakeholders feel the same. Whether Tina or Tony submitted their expenses on time genuinely is the last thing on their minds. They have bigger priorities.
How to Do a T&E Audit in the Age of AI: Key Challenges and Contemporary Approaches
So, how can we get T&E audits done faster and with fewer resources — while still ensuring we’re protecting our organizations from the violations and bad behaviors that actually matter?
We’re focusing several upcoming newsletters on “how to” guidance for core audits and new priorities (e.g., AI governance, go-to-market [come to the roundtable!]). We kicked things off with a roundtable on T&E auditing strategies and challenges. Below are six approaches to consider.
Many thanks to Thad McKinnon for leading the session, and Abbas Badami, Michelle Bradley, Robert Burnham, Jonathan Burns, Jessie Chew, Patrick Devine, Justin Fox, Oleg Malkin, Jennifer Perry, Sean Samp, Jenifer Steger, Suzanne Sullivan, Jim Tarantino, for sharing their experiences, perspectives, and questions.
1. Experiment With AI Agents
Several roundtable participants shared ideas, challenges, and success stories about using AI agents. Everyone agreed: At this point, it’s all about trial-and-error experimentation — seeing what works and what doesn’t. Below are a few of their use cases.
Surface New, Easy-to-Use Testing Approaches
Patrick, an analytics lead at his organization, helped build out its T&E program dashboards and continuous testing and monitoring capabilities; the current tally is ~20 tests. They decided to build a SharePoint agent, bringing in their existing tests, T&E policy, T&E data from Oracle, and “explicit instructions on what to do with the information and how to react to it.” Then they asked AI to “take a fresh look at our data to see if it can come up with any tailored alternatives,” explained Patrick. “You often hear great solutions or ideas, but it’s not specific to your setup. We’re finding good solutions for new tests that are specific to our data.”
Previously, they’d loaded T&E data into their dashboards to run monitoring and auditing-based tests. But as Patrick shared, “We’re finding it’s a lot easier just to skip the technical dashboard building and stick to standard plain-English writing.”
The team may ultimately roll out the tool as a Copilot agent. As Patrick called out, however, starting with a simpler SharePoint agent enabled an “easy quick win to get a rough draft going,” given “everyone has access to agents, so it’s a very user-friendly tool for the department.”
Reduce Effort & Hand Off Monitoring
One CAE’s team is moving toward AI-driven analytics, so that AI agents handle much of the T&E work. “But it takes a big investment of time and effort to get them to work right,” he admitted. Early on, agents were surfacing and notifying Internal Audit about things like $3 policy violations — not exactly valuable or time-saving.
To fine-tune your AI tool, “You have to ask yourself, what are you really worried about?” he advised. That means “tailoring your AI analytics appropriately to look at different buckets differently, so you can spend more time on groups of people at higher risk. Then you can eventually get to the point where those policy violations you’re worried about are mostly dealt with by the managers. Then they surface issues to you, so you’re spending less of your time doing T&E.”
Improve Testing Sample Targeting
Thad’s two-person team hopes to eventually build AI agents that scrape data automatically, requiring less prompting. But as Thad explained, “We haven’t had time to build that muscle yet.” To lay a foundation, they’ve been experimenting with Microsoft Copilot to better target their samples. “We wanted to get away from just testing 60 reports and saying, ’This year we’re 57% compliant, as opposed to 48% last year.’ We want to identify what exact policy rules are being broken and spend more time on talking about impacts of non-compliance.”
They started by giving Copilot their T&E policy, SAP Concur T&E reporting data, and notes from Internal Audit’s planning meetings with key stakeholders (e.g., FP&A, CFO, Accounting) reflecting their views on high-risk T&E transactions. The team then prompted Copilot to use the provided inputs to assess what the AI saw as high-risk transactions.
“We’re finding it very helpful,” said Thad. “For example, our FP&A friends are very interested in questions like — what if we lower the meal per diem from $110 a day for meals to $75? So we’re using Copilot to say, ’Well, this is how many people are really going over $75, so maybe that’s not the line in the sand we need to draw. Maybe it’s this line.’ So, maybe this is your gut feeling, but this is what the numbers are saying at a detail level.”
2. Use Creative Data Mining to Dig Deeper
T&E audit analytics typically focus on amounts above a certain threshold, since larger dollar amounts tend to be more material. But as another Internal Audit leader highlighted, smaller dollar amounts aggregated over an entire population can quickly add up to become material. That’s why her Internal Audit team at a past employer got creative with data mining. She explained that, “instead of doing a long string of name, date, payee, all those fields” when looking at expenses below a $2,000 threshold, they bifurcated that population into several different buckets (e.g., name/amount, amount/date). That helped them identify a range of anomalies, such as non-traveling employees with frequent expenses, unauthorized use of company funds to bring spouses on business trips, or high-volume orders of office supplies that were then cancelled. “On the surface, nothing looked inappropriate,” said the leader. But the creative data mining got past the usual thresholds — where violations are automatically flagged for compliance review — to access “the no-big-brother-watching, because it’s deemed immaterial” buckets where most fraud happened.
Some organizations have successfully used advanced data analytics and AI techniques to identify fraudulent T&E submissions that were able to bypass traditional controls. By analyzing patterns and aggregating expense behavior across individuals over time, AI-enabled monitoring helped surface anomalies that were not visible through routine reviews.
With data mining, the leader advised, “Sometimes you yield something, sometimes you yield nothing. But you will always get at least 1% of the population that requires more looking. And if people know you’re looking, they’re either gonna get more sophisticated in their hiding activities or fraud will go down drastically.”
3. Emphasize Culture & Cross-Functional Alignment
One CAE’s team found that improving first- and second-line involvement and alignment was critical in successfully changing behaviors and effecting culture change. Years back, his organization had a high volume of policy violations. “It’s easy to get overwhelmed with the day-to-day flow,” he said. “But it’s really important to get in front of it. To be blunt, we’re a 45-person audit team with four people dedicated to fraud, and we do not want to spend very much — if any — of our time doing T&E, except for the T&E that matters,” (e.g., large dollar amounts, Foreign Corrupt Practices Act violations).
Changing the T&E culture has been a long, multi-year road requiring cross-functional collaboration and commitment. They kicked things off with an all-hands meeting during which the Chief Legal Officer and CFO set clear expectations. The CAE explained, “That gives room for us to do our work,” enabling the Finance T&E team, Ethics/Compliance team, and Internal Audit to perform investigations, enact policies that make sense, improve training, and carry out enforcement.
Another key component was resetting expectations with managers, ensuring they (1) knew T&E policies well enough to understand when employees were in violation, and (2) knew their responsibilities for addressing violations (e.g., talking to employees about specific violations, course-correcting behavior). He said, “That’s #1 on the culture piece.”
As one Internal Audit leader emphasized, the big picture is that “many people have figured out what the limits are to stay right underneath the radar — that $75 requires no receipt. So guess what? A $1,000 T&E is made up of nothing but $75 charges. It adds up.”
When facing T&E behavioral issues where employees are gaming the system, consistently violating policy, or flagrantly ignoring it, said another Internal Audit leader, “There has to be a tone at the top and middle and bottom that says, ‘We will not tolerate this. We will fire you’.”
Of course, as yet another Internal Audit leader pointed out, the realities of some organizations’ cultures make them resistant to change. “In my experience, that’s the perfect world. Most fraud occurs with the sales department or field service department, not average P-cards,” he said. “They usually have the reputation in the company that, ‘We're bringing in business, they're not gonna fire us’.”
4. Translate T&E Insights Into Preventive Controls
Analytics are helping teams translate their observations and insights into proactive strategies for preventing bad or fraudulent T&E behavior. For example:
- Robert explained, “We’re trying to shift our T&E audits from not just identifying behavior, but looking at preventative controls. For example, if you’re having consistent non-payment, non-submission of expenses, what do the triggers look like on the cards? In terms of how the cards are configured, and how the T&E system is configured — how can we reduce the funnel and implement some of those preventive controls?”
- Thad’s team saw a correlation that pointed them toward a potential preventive risk factor. Said Thad, “Historically we’ve found that the more serious violations are by managers who are known to be easy graders when it comes to T&E. One of the correlating factors we found is if they’re slow, that usually means they don’t want to do it. And then violations slip through.” Accordingly, “average time to approve expense report” is now a risk factor the team tracks.
- Jonathan’s team found that employees were using P-Cards to bypass existing purchase requisition controls and buy office supplies on Amazon. But as Jonathan said, “There’s no reason for them to buy something on Amazon. They’re just circumventing the processes that are in place.” So the organization banned Amazon from an MCC code perspective and reset expectations that all Amazon purchases must be routed through Procurement’s account. The solution allowed for better tracking of vendor spend and also opened up potential savings available through centralized Amazon Business accounts (e.g., discounts, cash back).
- One second-line team created Power BI dashboards that let them hand off some T&E monitoring to the Finance T&E team and executive leadership — an approach that has helped them be more effective in identifying, prioritizing, and aligning on issues. A team leader explained, “They can look at spending by month, by expense report category, by geography — who are their top 10 or 20 employees, where are you seeing that high-risk merchant activity by vendor, things like that. That’s been a game-changer.” The tools let stakeholders dig into the data and proactively identify areas to look at more regularly.
- Her team has also identified trends that point to potential preventive measures: e.g., after identifying higher-risk merchants, they’re assessing which higher-risk merchant codes need built-in spending restrictions.
5. Consider Leveraging New Auditors to Staff T&E Audits
Several roundtable participants reported success from enlisting interns, professionals on rotation from other parts of the organization, and other new auditors in T&E audits. As Thad put it, these fairly straightforward audits are “a good way to get your feet wet on what to look for in an audit,” helping them learn the basics while gaining exposure to different parts of the enterprise.
New auditors may also bring diverse backgrounds and skills to T&E auditing, such as:
- Tech capabilities. A rotation auditor with analytics skills built a Power BI dashboard that enabled one Internal Audit team to increase T&E review frequency to quarterly.
- Fresh perspectives. As another Internal Audit leader explained, “Auditors that only come up through an accounting background tend to be very, very black and white. If you’re able to pull in people from more generic business backgrounds, they tend to be more comfortable with gray. They’ll sometimes have an easier time standing back and seeing the forest from the trees,” offering insights and suggesting angles the team may not otherwise consider.
- Relationship building. The leader also called out how rotating auditors often help “build bridges” between different functions and Internal Audit.
6. Don’t Be Afraid to Rattle the Cages
In some cases, T&E policies are broken to the point where Internal Audit needs to speak up and challenge the status quo. “When everything’s an exception, nothing is. So functionally, at that point, you don’t really have a policy,” explained one Internal Audit leader. “I gained traction by saying that, effectively, we have no policy. And if that rubs people the wrong way, that should get attention: to say thematically that (1) either we have a policy, and exceptions are rare, or (2) we don’t have a policy.” In his case, that “turned enough of the right heads.”
THE LAST WORD: T&E Auditing Is a Key Optimization Opportunity
Obviously, we’ve packed a ton of ideas into this article. But we have to stop somewhere.
But the reality is that roundtable participants offered up countless other excellent tidbits on T&E reporting, frequency, technology ROI, common challenges, best-practice solutions, and more.
In other words: More to come. To start, we’re planning a deep-dive roundtable on how teams are using AI and analytics for detecting/monitoring T&E. Let me know if you’d like to participate.
To position ourselves as trusted advisors and business partners, we first have to be amazing at our core responsibilities. T&E is one of those, for better or worse, making it a prime target for optimization. In 2026, commit to at least one initiative to level up your T&E audit process.
When you are ready, here are three more ways I can help you.
1. The Enabling Positive Change Weekly Newsletter: I share practical guidance to uplevel the practice of Internal Audit and SOX Compliance.
2. The SOX Accelerator Program: A 16-week, expert-led CPE learning program on how to build or manage a modern & contemporary SOX program.
3. The Internal Audit Collective Community: An online, managed, community to gain perspectives, share templates, expand your network, and to keep a pulse on what’s happening in Internal Audit and SOX compliance.