As the world looks towards AI for the future, certain underlying principles need to follow suit in aspect of internal auditing.
While AI is the way forward for the internal audit profession, the technology comes with some ethical considerations being developed using a human interface.
EVOLVING FRAMEWORK FOR INTERNAL AUDIT
AI poses both risks and opportunities for internal auditors. While internal audit departments are in the process of formalizing the scope and agreed upon procedures to test the design and operating effectiveness of AI technologies, there is no definitive framework which has been approved for auditing AI, although organizations such as the Institute of Internal Auditors (IIA) and Information Systems Audit and Control Association (ISACA) have issued guidance on the matter.
IIA has provided guidance on auditing AI under the three key principles of governance, strategy and the human factor in its publication ‘Global Perspectives and Insights, Artificial Intelligence | Considerations for the Profession of Internal Auditing’ in 2017. ISACA has subsequently provided technical guidance and application of the existing COBIT 2019 framework for auditing AI in its publication ‘Auditing Artificial Intelligence’.
GOVERNANCE
AI governance refers to the processes, policies, and procedures integrated into the internal audit charter to regulate and monitor the effective performance of AI activities. The key objective is to ensure that there are ownership and accountability across levels, supplemented with a robust control framework to manage the associated risks. Board/senior management oversight including tone at the top, internal controls, external audit, and regulators all play a role in AI governance.
STRATEGY
AI strategy refers to competencies required to implement AI initiatives and should be developed cohesively between business, finance and technology leaders. While internal audit must assess whether the AI strategy has been well defined, conscious efforts should also be directed towards identification of potential conflicts between the AI strategy vis-à-vis vision, mission and entity’s values related to fairness, transparency, effective communication, ethical business conduct and privacy.
HUMAN FACTOR
AI human factor refers to identification of risk of unintended human biases factored into AI design coupled with effective testing of the application to ensure that results reflect accomplishment of the intended objective. Further, the human factor integrated with internal audit ensures that the AI output is being used legally, ethically, and responsibly.
The broader governance landscape for AI includes areas such as big data, algorithms, cybersecurity, third-party management and compliance, key activities of which should form part of the internal audit program.
BIG DATA
This represents the potential universe of internal audit information for determining the actual performance of the AI application. In inspecting the platform upon which AI applications are developed, internal auditors should examine aspects such as data inventory (including data storage and synchronization with the systems), data quality, data security, data privacy, data management/ ownership along with technology infrastructure to be able to support the data needs of its AI application, now and going forward.
ALGORITHMS
Internal auditors should provide reasonable assurance that AI algorithms are adequately designed considering the existing control framework, and operating effectively, while being transparent/ comprehendible to the users and not exposing the entity to potential risk of unforeseen eventualities. Internal auditors should be in a position to assess the AI system development process with specific focus on the algorithm’s objective, type of data being recorded as input along with criteria used to make logical decisions.
CYBER RESILIENCE
As stated in the IIA’s AI auditing framework, “the potentially disastrous effects of a cybersecurity breach involving AI cannot be overstated.” Consequently, the internal audit’s focus should be to ensure that risk exposures emerging from the application of AI technology have been incorporated into the larger cybersecurity audit plan. Internal audit should work cohesively with information technology, finance and legal to assess that the organization is prepared to resist, respond and recover from cyberattacks while having an accurate understanding of the cyber risks and its level of readiness.
THIRD-PARTY MANAGEMENT
Internal audit should work more cohesively with third parties to provide a complete perspective/ overview that there is due cognizance of information security vulnerabilities and that mitigation plan has been prepared to address the new and emerging risks. In case third party service organizations are being engaged to provide cloud services, build AI applications, or analyze information internal audit has a key responsibility to ensure that effective third-party risk management practices are in place wherein controls designed by the service organization are mapped/ referenced to achieve the control objectives of the entity’s existing framework.
COMPLIANCE
Internal audit has an onerous responsibility of providing assurance that the entity’s AI application is in compliance with pertinent industry standards and regulations. Though there is no universally accepted set of AI standards, entities must ensure compliance with emerging/ developing standards.
Internal audit can contribute to delivering valuable assurance immediately with a specific focus on core components of the AI auditing framework. However, one of the key emerging challenges is to keep AI safe from internal fraudsters and external adversaries. AI’s ability to think and act faster than humans will enhance innovation in the procedures adopted by the internal auditor for assessment of the design and testing controls to measure AI’s performance.
Disclaimer: This article is authored by Tarun Kher (Partner, MGC Global Risk Advisory LLP). The views and opinions expressed in this article are those of the author’s and do not represent those of PEAKLIFE.