Sophistication of Security Audit Activities Leveraging Generative AI
Vol.19 No.1 Special Issue on NEC BluStellar: NEC BluStellar Driving the Future of Digital Transformation — A Value Creation Model Pioneered by AI, Security, Data Management, and Modernization
NEC has developed a tool that leverages generative AI to automatically generate security audit reports with the aim of enhancing security governance. This tool uses generative AI to create and assess recommended actions based on information about the audit target, thereby improving the efficiency and quality of auditing operations. In actual implementation, the tool has been proven effective at reducing workloads and producing consistent quality in reports. Going forward, further improvements in accuracy and its application in other fields are expected. In this paper, an overview of the tool will be provided along with an explanation of the achieved implementation results and innovations used over the course of its development.
1. Introduction
In recent years, as security threats have become more sophisticated and diversified, strengthening security governance has become an increasingly important management issue. The governance of group companies presents particular challenges, such as securing sufficient audit resources and guaranteeing the quality and frequency of a vast number of audits, because so many companies are subject to audit. It is also difficult to promptly and accurately assess and respond to the risk status of the overall group, since it spans diverse businesses and regions. If these issues delay the information gathering or risk analysis needed for group-wide management decisions, executive-level decision making can be affected.
For companies to systematically protect their information assets and comply appropriately with laws, regulations, and compliance requirements under such circumstances, it is essential to implement measures and establish and enforce security rules as a corporation. Accordingly, regular security audits that objectively evaluate and verify the effectiveness and operational status of those measures and rules play an important role. However, the preparation of audit reports has traditionally tended to depend on the experience and skill of the auditors, resulting in issues such as inconsistencies in audit quality and enormous workloads. In order to address these challenges, NEC has developed an automated security audit report generation tool utilizing generative AI.
2. Overview and Mechanism of Advanced Security Audit Activities Using Generative AI
The automated security audit report generation tool takes as input information such as the business activities and scope of operations of the organization being audited, its status regarding certifications such as ISO/IEC 27001, and the details and operational status of the security measures currently in place. Based on that information, the tool references international standards such as ISO/IEC 27001 and the security measures implemented by NEC to automate the entire process of creating audit reports. The generated audit reports include the major risks that can be anticipated from the organization’s relevant information, an overall audit evaluation, and recommended actions for each audit item (Fig. 1).

Fig. 1 Overview of the automated security audit report generation tool.
The tool’s mechanism consists of three main steps.
(1) Recommendation of actions
Based on responses regarding the implementation status of security measures by the audit target, generative AI recommends actions for each audit item while referencing international standards such as ISO/IEC 27001 and security measures implemented by NEC. Finally, the auditor reviews the content and makes required changes (Fig. 2).

Fig. 2 Report generation flow: (1) Recommending actions.
(2) Evaluation of each audit item
Generative AI compares the question for each audit item with the audit target’s response regarding the implementation status of its security measures and rates the implementation status at one of four levels: “Fully implemented,” “Mostly implemented,” “Partially implemented,” or “Not implemented.” Based on the generative AI’s evaluation, its stated reasons for that evaluation, and the audited organization’s responses, the auditor determines the final evaluation for each audit item (Fig. 3).

Fig. 3 Report generation flow: (2) Evaluating each audit item.
(3) Summary (audit report) generation
Summary generation consists of three additional steps.
- 1) Extracting the main risks anticipated from the organization’s relevant information
The main security risks anticipated from the relevant information about the audit’s target organization, such as its business characteristics, industry, and other data, are extracted. This process uses retrieval-augmented generation (RAG) with the generative AI (Fig. 4).

- 2) Overall evaluation and priority category identification
The evaluation result for each audit item is scored, and the total score is assigned a classification ranging from A+ to D, giving an overall evaluation of the audit target. In addition, the category with the lowest average score is designated as a category requiring attention and is prioritized for improvement. This approach enables management and security personnel to quickly identify and address the most urgent issues (Fig. 5).

- 3) Extracting recommended actions
Recommended actions for audit items with low evaluation scores are extracted and also included in the summary (Fig. 6).

Fig. 6 Report generation flow: 3) Extracting recommended actions.
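The deterministic part of summary generation (steps 2) and 3) above: per-item ratings are scored, the total is mapped to an A+ to D grade, the category with the lowest average score is flagged, and the recommended actions of low-scoring items are carried into the summary. This is an added Python example, not NEC’s code; the score weights, the grade bands and the sample ratings are assumptions, since the page gives only the four rating labels, the A+ to D range and the lowest-average-category rule.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed numeric weights for the page's four-level scale (constructed values).
RATING_SCORE = {"Fully implemented": 3, "Mostly implemented": 2,
                "Partially implemented": 1, "Not implemented": 0}
# Assumed grade bands on the normalised total (0..1); the page states only A+ to D.
GRADE_BANDS = [(0.95, "A+"), (0.85, "A"), (0.70, "B"), (0.50, "C"), (0.0, "D")]

@dataclass(frozen=True)
class AuditItem:
    item_id: str
    category: str
    rating: str  # auditor's final rating after reviewing the AI's evaluation and rationale
    recommended_action: str

def score(item):
    # Reject labels outside the fixed scale so free-form model output cannot enter the arithmetic.
    if item.rating not in RATING_SCORE:
        raise ValueError(f"{item.item_id}: unknown rating {item.rating!r}")
    return RATING_SCORE[item.rating]

def overall_grade(items):
    # Total score normalised by the maximum possible, then mapped onto A+ .. D.
    ratio = sum(score(i) for i in items) / (max(RATING_SCORE.values()) * len(items))
    return next(grade for floor, grade in GRADE_BANDS if ratio >= floor)

def priority_category(items):
    # The category with the lowest average score is flagged for improvement first.
    by_cat = defaultdict(list)
    for i in items:
        by_cat[i.category].append(score(i))
    return min(by_cat, key=lambda c: sum(by_cat[c]) / len(by_cat[c]))

def low_score_actions(items, max_score=1):
    # Recommended actions for low-scoring items are carried into the summary.
    return [(i.item_id, i.recommended_action) for i in items if score(i) <= max_score]

def build_summary(items):
    return {"grade": overall_grade(items), "priority_category": priority_category(items),
            "actions": low_score_actions(items)}

# Constructed sample ratings for one audit target (not real audit data).
SAMPLE = [
    AuditItem("P-1", "Policy", "Fully implemented", "None required"),
    AuditItem("P-2", "Policy", "Mostly implemented", "Schedule an annual policy review"),
    AuditItem("A-1", "Access control", "Partially implemented", "Enforce MFA for administrators"),
    AuditItem("A-2", "Access control", "Not implemented", "Review privileged accounts quarterly"),
    AuditItem("I-1", "Incident response", "Fully implemented", "None required"),
]
```

The `score` check is where a label the model invents (for example a bare “Implemented”) is stopped before it reaches the grade, which is the kind of boundary between generative output and programmed logic the third innovation below describes.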
The innovations used during the development of this tool can be summarized in three main points.
First, we refined and compressed prompts. Although generative AI tends to provide the desired responses when roles are specified and clear instructions are given, an issue arose when excessive prompt information resulted in unintended outputs. To address this issue, we repeatedly refined and compressed the prompts so clear and concise instructions would produce anticipated responses.
Second, we improved the approach to using generative AI and designing prompts for evaluating each audit item. The evaluation requires that generative AI understand the following four-level scale: “Fully implemented,” “Mostly implemented,” “Partially implemented,” and “Not implemented.” However, specifying detailed criteria for each audit item lacked versatility. For example, when assessing responses to a question such as “Are there security-related regulations in place?”, the result is “Fully implemented” if regulations exist and are also regularly reviewed, and “Mostly implemented” if regulations exist but are not regularly reviewed. This approach requires prompt modifications whenever audit items are changed, complicating operations. To address this, instead of specifying the evaluation criteria for each audit item in detail in the prompts, we designed the tool so that generative AI provides the rationale behind its evaluation along with the result, enabling auditors to refer to this rationale when making the final assessment.
Third, we distinguished between straightforward automation and the use of generative AI. Because generative AI does not always produce identical outputs even for the same input, it is effective for sections that require diverse perspectives but not for areas that require consistent output. Therefore, through repeated trials, we established a clear distinction: standardized decisions are programmed and automated, while generative AI is used for flexible judgements that must consider the circumstances of each company and NEC’s standards.
Through these three innovations, the tool not only automates the audit report process but also provides a practical and flexible operational method.
3. Effects of Leveraging Generative AI
This entire series of deliverables is output collectively in the format of an Excel report. Auditors can quickly complete the audit report by simply reviewing the contents of the automatically generated report and making any necessary additions or revisions. This significantly reduces the time and effort previously required to prepare reports.
When comparing use of this tool to manually performing the same task, the time required to prepare an audit report was reduced from 200 minutes to 60 minutes, resulting in an expected workload reduction of approximately 70%. Additionally, the workload per auditor is expected to be reduced from 200 minutes to 48 minutes, achieving a reduction of approximately 76%. In fact, when NEC introduced this tool in internal security audit activities, the auditing process became more efficient, making it easier to expand the scope of audits, conduct regular audits, and provide prompt feedback, thus contributing to the improved quality of audit activities overall.
Furthermore, automation through generative AI has helped standardize the quality of audit reports, reducing variations caused by differences in auditors’ experience and expertise. Whereas report content previously varied depending on the auditor’s specialized knowledge and experience related to the industry being audited, generative AI now enables the creation of consistent proposals that account for industry-specific circumstances.
By adding a step where auditors review and revise the evaluation reasons and recommended actions output by generative AI, it becomes possible to achieve results in audit report generation that surpass the auditors’ original capabilities. For example, if generative AI suggests recommended actions that the auditor alone might not have considered, the auditor can propose the optimal solution from a broader range of options, thereby achieving results beyond their inherent abilities. Auditors obviously need to have the skills to review and revise the suggestions made by generative AI.
Additionally, by inputting accumulated audit data and evaluation results into generative AI, it is expected that more effective security measures can be devised and that these insights can be utilized for ongoing improvement initiatives across the entire organization.
In NEC’s security audit activities utilizing this tool, the governance status of all audit targets is visualized using a heat map. Organizations are evaluated and mapped onto a heat map in accordance with two axes: the impact of incidents and the level of security measures, which is described as a comprehensive evaluation in the audit report. This visual representation shows which of the organizations have a higher priority for security enhancement (Fig. 7). These visualized results not only support management in making decisions about risk mitigation but also enable the group to understand the risk status accurately and promptly across diverse businesses and regions, ensuring appropriate responses. As a result, this tool contributes to solving security governance issues within group companies. As of December 9, 2025, a patent application is pending.

Fig. 7 Heat map visualization of security governance status.
4. Conclusion
This paper has described the impact and mechanisms of leveraging generative AI to enhance audit activities within NEC. Services utilizing this tool’s technology were first implemented internally with NEC positioned as Client Zero and they will be offered externally as NEC BluStellar products. Moving forward, we anticipate further functional expansions, such as applications in audit areas beyond the field of security, improved accuracy of generative AI through continuous learning, and proposals with specific recommendations tailored to the size and industry of the organizations being audited.
Meanwhile, ongoing efforts are necessary to address issues such as ensuring fairness and transparency and validating the appropriateness of proposals made by generative AI. NEC aims to solve these issues while advancing the development and provision of services and technologies that help organizations and companies strengthen their security management capabilities.
In closing, the adoption of generative AI promises to fundamentally transform future audit operations and governance methods, leading to more efficient and higher quality audit practices. Most stakeholders engaged in audit operations are expected to benefit from this new technology and work towards the ongoing enhancement of governance.
Trademarks
- Excel is a registered trademark or trademark of Microsoft Corporation in the United States and other countries.
- All other company names and product names that appear in this paper are trademarks or registered trademarks of their respective companies.
Authors’ Profiles
Corporate CISO Office
Corporate CISO Office
