The Saudi Data & AI Authority (SDAIA) issued 48 enforcement decisions in twelve months, and PDPL Article 36 allows the regulator to fine a firm up to SAR 5 million per violation, doubled for a repeat offence. For an audit firm, the most dangerous document in that exposure is not the final report. It is the audit plan, because everything downstream inherits whatever the planning conversation got wrong.
What an audit plan actually rests on
An audit plan is born in a room, not a template. The planning meeting is where the team assesses the risks of material misstatement (ISA 315), sets the materiality threshold (ISA 320), and decides how to respond: the substance ISA 300 expects the audit plan to record. But the inputs are spoken. The partner asks the CFO how revenue is recognized. A senior notes a control weakness the controller mentioned in passing. The materiality figure gets agreed out loud and written down later. Six months on, a quality reviewer or a regulator asks where a particular risk rating came from. The honest answer is often "someone remembered the meeting." For a MENA firm, client PII travels through that whole chain, so an audit plan built from an unverified account of what the client said is not just a documentation gap; under PDPL it is direct exposure entering the file at its first step.
Why your current tools don't fix this
Two tool categories sit in most audit firms, and neither closes the gap. Audit and workpaper platforms such as Caseware, MindBridge and Validis store the plan but not the conversation that produced it. A risk rating lives in a cell with no link to the moment it was decided. Meeting tools such as Otter, Fireflies and the built-in recorders record and summarize, but a summary is a model's guess about what mattered, confirmed by nobody. Dropping that summary into the audit file does not make it evidence. It makes it an unattested claim wearing an evidence costume. For a Saudi engagement under PDPL, that is worse than no record, because now there is a written artifact no person stands behind. Neither category gives the partner what the plan actually needs: a fact a named human checked, tied to the second it was said.
What changes when every fact is confirmed by a named human
Knowcap sits on top of recording and transcription and adds the layer none of those tools ship: a record of which facts a named human confirmed, against named evidence. Every statement from the planning meeting is extracted and classified — a risk, a decision, a task, a commitment — and timestamped to the exact second it was spoken. None of it enters the audit file automatically. A senior or the engagement partner reviews each claim and confirms it with one tap, and only confirmed claims become evidence the rest of the work can stand on.
There is no "confirm all" button, on purpose. A bulk approval that bypasses individual review is exactly the rubber stamp that Saudi PDPL's right to human intervention and GDPR Article 22 treat as legally insufficient. The confirmation is the verification and the audit trail at the same time. When a reviewer or a regulator later asks where a risk rating came from, the answer is a confirmed claim — attributed to the partner who confirmed it, linked to minute 14 of the planning call. And if the firm runs an AI agent to pre-draft the planning memo, that agent reads only human-confirmed facts; it cannot reach into the raw transcript and invent a risk the partner never agreed to.
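The pattern the two paragraphs above describe (claims timestamped to the second, a pending state until one named reviewer acts on each claim individually, no bulk path, and a confirmed-only view for anything downstream) is easy to get wrong in a hurry, so here is a compact illustration of it. This is added example code, not Knowcap's implementation; the ledger class, the method names, the segment-hash binding and the sample transcript and extracted claims are all assumptions constructed for the example.

```python
"""Illustration of a human-confirmed claim ledger (added example, not Knowcap code).

Claims extracted from a recording carry a second-level offset and a hash of the
transcript words they came from. Each stays pending until one named reviewer
confirms, rejects or edits it, one claim per call. Only confirmed claims are
exposed to the audit plan or a drafting agent; the raw transcript never is.
"""
from __future__ import annotations

import hashlib
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

CLAIM_KINDS = {"risk", "decision", "task", "commitment"}


@dataclass
class Claim:
    claim_id: str
    kind: str
    text: str
    offset_s: int                    # seconds into the recording where it was said
    segment_hash: str                # binds the claim to the transcript words behind it
    status: str = "pending"          # pending | confirmed | rejected
    reviewer: str | None = None      # named human who took the decision
    reviewed_at: str | None = None
    original_text: str | None = None # preserved when the reviewer edits the wording


class ClaimLedger:
    def __init__(self, recording_id: str, transcript: list[tuple[int, str]]):
        self.recording_id = recording_id
        self._transcript = dict(transcript)   # kept for replay only, never exported
        self._claims: dict[str, Claim] = {}

    def _segment_hash(self, offset_s: int) -> str:
        words = self._transcript[offset_s]
        raw = f"{self.recording_id}|{offset_s}|{words}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]

    def ingest(self, extracted: list[dict]) -> list[str]:
        """Register what an extraction step produced. Nothing becomes evidence here."""
        ids = []
        for i, item in enumerate(extracted, start=1):
            if item["kind"] not in CLAIM_KINDS:
                raise ValueError(f"unknown claim kind {item['kind']!r}")
            cid = f"{self.recording_id}-c{i:03d}"
            self._claims[cid] = Claim(cid, item["kind"], item["text"], item["offset_s"],
                                      self._segment_hash(item["offset_s"]))
            ids.append(cid)
        return ids

    def review(self, claim_id: str, reviewer: str, decision: str,
               edited_text: str | None = None) -> Claim:
        """One claim, one named reviewer, one decision. No bulk path exists on purpose."""
        if not isinstance(claim_id, str):
            raise TypeError("review takes a single claim_id; bulk confirmation is not supported")
        if decision not in {"confirm", "reject"}:
            raise ValueError(f"unknown decision {decision!r}")
        c = self._claims[claim_id]
        if c.status != "pending":
            raise ValueError(f"{claim_id} already {c.status}")
        if decision == "confirm" and edited_text is not None:
            c.original_text, c.text = c.text, edited_text
        c.status = "confirmed" if decision == "confirm" else "rejected"
        c.reviewer = reviewer
        c.reviewed_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
        return c

    def pending(self) -> list[str]:
        return [cid for cid, c in self._claims.items() if c.status == "pending"]

    def confirmed_facts(self) -> list[dict]:
        """The only view the audit plan or a drafting agent is allowed to read."""
        return [asdict(c) for c in self._claims.values() if c.status == "confirmed"]

    def cite(self, claim_id: str) -> str:
        """Citation line for the plan: kind, text, recording offset, who confirmed it."""
        c = self._claims[claim_id]
        if c.status != "confirmed":
            raise LookupError(f"{claim_id} is not confirmed evidence")
        m, s = divmod(c.offset_s, 60)
        return f"{c.kind}: {c.text} [{self.recording_id} @ {m:02d}:{s:02d}, confirmed by {c.reviewer}]"

    def verify(self, claim_id: str) -> bool:
        """Re-derive the segment hash so drift between claim and source is detectable."""
        c = self._claims[claim_id]
        return c.segment_hash == self._segment_hash(c.offset_s)


# Constructed sample: transcript segments (offset seconds -> words) and the
# pre-classified candidates an extraction step would hand over. Not real data.
TRANSCRIPT = [
    (843, "we recognise subscription revenue rateably over the contract term"),
    (1102, "the controller said the three-way match was switched off in Q3"),
    (1760, "let's set overall materiality at five hundred thousand riyals"),
]
EXTRACTED = [
    {"kind": "decision", "text": "Subscription revenue recognised rateably over contract term", "offset_s": 843},
    {"kind": "risk", "text": "Three-way match control disabled in Q3", "offset_s": 1102},
    {"kind": "decision", "text": "Overall materiality SAR 500,000", "offset_s": 1760},
]


def run_example() -> ClaimLedger:
    ledger = ClaimLedger("rec-planning", TRANSCRIPT)
    c1, c2, c3 = ledger.ingest(EXTRACTED)
    ledger.review(c1, "senior.a", "confirm")
    ledger.review(c2, "partner.k", "confirm",
                  edited_text="Three-way match control disabled in Q3 per controller; to be tested")
    # c3 stays pending: it is invisible to confirmed_facts() until someone signs it.
    return ledger
```

The two properties worth copying are structural rather than cosmetic: `confirmed_facts()` is the only accessor a memo drafter gets, and it cannot reach `_transcript`, so an agent fed from it cannot surface a risk nobody confirmed; and `review()` accepts exactly one claim id, so "confirm all" cannot be written without changing the API. The segment hash is a cheap integrity check, not a signature; a production system would bind the confirmation to the reviewer's identity with something stronger.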
What this looks like inside an audit firm
The engagement partner records a 50-minute planning meeting with the client's finance team. By the time it ends, the claims are already pulled: the CFO's description of revenue recognition, a control gap the controller mentioned, the agreed materiality figure, three follow-up tasks. The senior opens the review queue that afternoon and works through nine claims in about four minutes: seven confirmed, two rejected as loose talk, one of the seven edited for precision. Those seven confirmed claims now carry provenance to the second.
When the senior drafts the audit plan, the assessed-risks section cites them directly: each risk rating traces to a confirmed statement, not a recollection. If a quality reviewer questions a judgment months later, the partner opens the claim and plays the moment it was spoken. The plan stops being a document the team defends from memory and becomes one where every line points back to a confirmed source. That is the difference between an audit plan that survives a quality review and one that quietly falls apart under questioning. The same confirmed facts also carry forward, so the next meeting builds on settled ground instead of re-arguing it.
FAQ
Does an AI tool put our PDPL compliance at risk?
It depends entirely on whether the tool draws a line between what was said and what a human confirmed. Saudi PDPL Article 36 exposes a firm to fines up to SAR 5 million, and the regulator has issued 48 enforcement decisions in a single year. The risk is not recording a client meeting — it is letting an AI act on, or file, an unverified version of what the client said. A summary no person checked, sitting in an audit plan, is processing client data on the basis of a machine's guess. Knowcap keeps the unconfirmed transcript separate from the confirmed-fact graph, and only the second feeds any downstream memo or agent. The named human who confirmed each fact is recorded, which is the human-intervention right that PDPL and GDPR Article 22 both require.
Is a meeting transcript enough evidence for the audit file?
No. A transcript proves words were spoken; it does not prove anyone assessed them, agreed with them, or decided they mattered. Audit evidence has to be evaluated by a professional, and the file has to show that evaluation happened. A raw transcript or an AI summary skips the step that makes evidence defensible: a named person taking responsibility for it. That is why dropping a summary into the audit plan feels productive but creates exposure. The useful unit is not the transcript — it is the individual claim a senior or partner confirmed, with a link back to the second it was said. The transcript stays available as the source, but the plan cites the confirmed claim, and the reviewer can replay the exact moment if they want to.
How is this different from the AI notes our team already uses?
AI notetakers are good at producing a readable recap fast. They are not built to make a fact defensible. Every line they generate is the model's interpretation, confirmed by no one, with no record of who stood behind it. For most meetings that is fine. For a planning meeting that sets the assessed risks in an audit plan, it is not. Knowcap is not trying to win the recap competition. It captures the same meeting, then adds the step those tools skip: each extracted claim waits for a named human to confirm, reject, or edit it before it can be used. The output is not a prettier summary. It is a set of facts the firm can put weight on, each one attributable to the person who confirmed it and the moment it was spoken.
Where does the audit plan actually connect to the recording?
At the level of the individual claim. When the team confirms a statement from the planning meeting — an assessed risk, the materiality figure, a control the client described — that claim keeps a timestamp pointing to the exact second in the recording. The plan's risk section references the confirmed claim, so each rating carries a traceable line back to the conversation that produced it. There is no manual cross-referencing to maintain. If a quality reviewer questions a judgment months later, the partner opens the claim and plays the moment. The audit plan is no longer a standalone document defended by recollection; it is connected to its own source, which turns the weakest link in the file into the most traceable part of it.
Do partners have to review every single claim?
Someone with authority does, and that is the point — but it is faster than it sounds. A 50-minute planning meeting produces a handful of claims that matter, not hundreds. Confirming the ones that feed the audit plan takes a few minutes, and the work splits cleanly: a senior confirms routine items, the partner confirms the judgments that carry risk. What the system deliberately does not offer is a single button that confirms everything at once — the shortcut a regulator treats as no review at all. The review time is small; the alternative, a plan nobody can trace under a PDPL inquiry, is not. Across an engagement the confirmed facts get reused, so the same ground is not re-litigated meeting after meeting.
An audit plan written from memory is a liability the moment someone asks a question you cannot trace. One written from confirmed facts answers the question before it is asked.