Guidelines for AI as Internal Audit

EditorThink Techai guidelines for internal audit, artificial intelligence, future of ai

As the world looks towards AI for the future, certain underlying principles need to follow suit in aspect of internal auditing.

While AI is the way forward for the internal audit profession, the technology comes with some ethical considerations being developed using a human interface.

EVOLVING FRAMEWORK FOR INTERNAL AUDIT

AI poses both risks and opportunities for internal auditors. While internal audit departments are in the process of formalizing the scope and agreed upon procedures to test the design and operating effectiveness of AI technologies, there is no definitive framework which has been approved for auditing AI, although organizations such as the Institute of Internal Auditors (IIA) and Information Systems Audit and Control Association (ISACA) have issued guidance on the matter.

IIA has provided guidance on auditing AI under the three key principles of governance, strategy and the human factor in its publication ‘Global Perspectives and Insights, Artificial Intelligence | Considerations for the Profession of Internal Auditing’ in 2017. ISACA has subsequently provided technical guidance and application of the existing COBIT 2019 framework for auditing AI in its publication ‘Auditing Artificial Intelligence’.

GOVERNANCE

AI governance refers to the processes, policies, and procedures integrated into the internal audit charter to regulate and monitor the effective performance of AI activities. The key objective is to ensure that there are ownership and accountability across levels, supplemented with a robust control framework to manage the associated risks. Board/senior management oversight including tone at the top, internal controls, external audit, and regulators all play a role in AI governance.

STRATEGY

AI strategy refers to competencies required to implement AI initiatives and should be developed cohesively between business, finance and technology leaders. While internal audit must assess whether the AI strategy has been well defined, conscious efforts should also be directed towards identification of potential conflicts between the AI strategy vis-à-vis vision, mission and entity’s values related to fairness, transparency, effective communication, ethical business conduct and privacy.

HUMAN FACTOR

AI human factor refers to identification of risk of unintended human biases factored into AI design coupled with effective testing of the application to ensure that results reflect accomplishment of the intended objective. Further, the human factor integrated with internal audit ensures that the AI output is being used legally, ethically, and responsibly.

The broader governance landscape for AI includes areas such as big data, algorithms, cybersecurity, third-party management and compliance, key activities of which should form part of the internal audit program.

BIG DATA

This represents the potential universe of internal audit information for determining the actual performance of the AI application. In inspecting the platform upon which AI applications are developed, internal auditors should examine aspects such as data inventory (including data storage and synchronization with the systems), data quality, data security, data privacy, data management/ ownership along with technology infrastructure to be able to support the data needs of its AI application, now and going forward.

ALGORITHMS

Internal auditors should provide reasonable assurance that AI algorithms are adequately designed considering the existing control framework, and operating effectively, while being transparent/ comprehendible to the users and not exposing the entity to potential risk of unforeseen eventualities. Internal auditors should be in a position to assess the AI system development process with specific focus on the algorithm’s objective, type of data being recorded as input along with criteria used to make logical decisions.

CYBER RESILIENCE

As stated in the IIA’s AI auditing framework, “the potentially disastrous effects of a cybersecurity breach involving AI cannot be overstated.” Consequently, the internal audit’s focus should be to ensure that risk exposures emerging from the application of AI technology have been incorporated into the larger cybersecurity audit plan. Internal audit should work cohesively with information technology, finance and legal to assess that the organization is prepared to resist, respond and recover from cyberattacks while having an accurate understanding of the cyber risks and its level of readiness.

THIRD-PARTY MANAGEMENT

Internal audit should work more cohesively with third parties to provide a complete perspective/ overview that there is due cognizance of information security vulnerabilities and that mitigation plan has been prepared to address the new and emerging risks. In case third party service organizations are being engaged to provide cloud services, build AI applications, or analyze information internal audit has a key responsibility to ensure that effective third-party risk management practices are in place wherein controls designed by the service organization are mapped/ referenced to achieve the control objectives of the entity’s existing framework.

COMPLIANCE

Internal audit has an onerous responsibility of providing assurance that the entity’s AI application is in compliance with pertinent industry standards and regulations. Though there is no universally accepted set of AI standards, entities must ensure compliance with emerging/ developing standards.

Internal audit can contribute to delivering valuable assurance immediately with a specific focus on core components of the AI auditing framework. However, one of the key emerging challenges is to keep AI safe from internal fraudsters and external adversaries. AI’s ability to think and act faster than humans will enhance innovation in the procedures adopted by the internal auditor for assessment of the design and testing controls to measure AI’s performance.

Disclaimer: This article is authored by Tarun Kher (Partner, MGC Global Risk Advisory LLP). The views and opinions expressed in this article are those of the author’s and do not represent those of PEAKLIFE.

Curating Travel Trails – RezLive.com

Launched by Travel Designer Group in 2007, RezLive.com is a leading travel portal for guests’ accommodation, sightseeing and transfer services to 25000+ travel partners all across the globe. Equipped with 20+ years of experience, 32 offices worl...

OTM Tradeshow India Ends with Massive Success this Year

Amassing 25% growth than last year, OTM Mumbai was a resounding success with more 30000 trade visitors attending the show. Breaking all records this year, the Bombay Exhibition Centre witnessed the greatest edition of OTM this year. Known for its...