As AI continues to capture significant attention, organizations face increasing pressure to adopt these tools to enhance customer experience and streamline operations. The benefits from AI system implementations are as varied as the tools themselves, and the success of any AI strategy is influenced by numerous factors, like industry or size. As emphasized in an article published earlier this year, internal audit should play a key role in reviewing AI strategies to encourage alignment with organizational goals and risk management frameworks. Achieving this requires a thoughtful, ongoing commitment that must be adaptive and specific to the size and capabilities of your organization.
Key elements of an effective AI governance program include:
- Clearly defined roles and responsibilities for AI decision-making, supported by a governance structure that provides oversight at all necessary levels.
- A framework of ethical standards—such as fairness, transparency and non-discrimination—established to guide AI development and usage.
- Risk management protocols to identify, assess and mitigate risks associated with AI systems.
- Strong data management practices, ensuring high data quality standards and robust privacy protections.
- Ongoing evaluation mechanisms to monitor AI systems for compliance, effectiveness and adaptability to changing conditions.
Internal auditors can provide valuable support in establishing and continually refining your AI governance structure. These auditors offer independent assurance that AI implementations are aligned with management’s long-term goals and strategies. When conducting an enterprise risk assessment or internal audit of organizational operations, a thorough evaluation of AI initiatives should be woven into this assessment to ensure they are operating responsibly, effectively, and in alignment with the overall risk framework.
Having internal controls for AI systems also helps minimize risks related to bias, data privacy, operational failures, ethics and noncompliance. And an internal audit of these controls provides independent assurance that these systems are operating effectively and without risk.
As your team implements and maintains internal controls over your business’s AI usage, refer to the following sample AI governance checklist for a structured framework that promotes responsible and ethical development, deployment, and management of AI systems. You can also download this as a fillable checklist at the bottom of this page.
AI Strategy and Alignment
- Define the organization’s AI strategy and objectives, ensuring they align with organizational goals.
- Identify key stakeholders involved in AI governance.
Ethical Considerations
- Establish an AI ethics framework that includes principles like fairness, accountability and transparency.
- Create guidelines for responsible AI use, including data privacy and user consent, while also assessing for potential biases in AI models.
Regulatory Compliance
- Identify relevant regulations and standards applicable to AI (e.g., GDPR, CCPA).
- Implement processes to ensure compliance with data protection laws.
- Put in place a mechanism to monitor changes in AI-related regulations and update policies accordingly.
Data Governance
- Assign clear responsibilities for data ownership and stewardship.
- Develop guidelines for data collection, storage, and usage, including practices for anonymization and encryption.
- Maintain data quality and integrity through rigorous validation and verification procedures.
Model Development and Validation
- Adopt a standardized process for AI model development, covering design, training and testing.
- Set up validation protocols to confirm models function as expected and meet established accuracy benchmarks.
- Continuously monitor models for performance drift and retrain them when needed.
Risk Management
- Perform a risk assessment for AI projects, identifying potential risks (operational, reputational, legal).
- Develop mitigation strategies for identified risks.
- Create a response plan for incidents involving AI systems (e.g., a data breach).
Transparency and Explainability
- Make sure AI models are understandable and explainable to stakeholders.
- Record the decision-making processes of AI systems.
- Clearly communicate the capabilities and limitations of AI systems to users.
Accountability and Oversight
- Designate a governance body responsible for overseeing AI initiatives.
- Define roles and responsibilities related to AI governance and decision-making.
- Establish mechanisms for reporting and addressing ethical concerns or breaches.
Performance Monitoring and Evaluation
- Develop key performance indicators (KPIs) for AI initiatives, such as model accuracy thresholds or user satisfaction scores.
- Implement regular reviews and audits of AI systems for compliance and performance.
- Solicit feedback from users and stakeholders on AI system performance.
Training and Awareness
- Provide training programs on AI governance, ethics and compliance for employees.
- Promote awareness of AI governance policies and procedures across the organization.
- Encourage a culture of ethical AI use and responsibility among staff.
Continuous Improvement
- Establish a framework for continuous learning and improvement in AI governance practices.
- Stay updated on advancements in AI technologies and governance trends.
- Regularly review and revise the AI governance framework based on lessons learned and emerging best practices.
When following the steps outlined above, those charged with governance can establish a framework that minimizes risk and maximizes success for any AI implementation.
If your internal audit department would like to learn more about measuring the success of your AI initiatives or what to consider when getting started, our experts on the Sikich governance, risk and compliance team would be happy to assist you.
About Our Authors
Jesse M. Laseman, CIA, CFE, is an internal audit consultant on the governance, risk and compliance team. He has experience executing audit engagements in industries such as financial services, government, not-for-profit and professional services. His expertise includes operational audits, data analysis and interpretation, internal control testing, and the development and implementation of internal control recommendations.
With over 20 years of experience in data governance, data management and data analytics, John Eisenhauer helps organizations leverage information to create competitive advantage and drive business outcomes. He is a director of strategic consulting, helping to lead the data and analytics practice and provide solutions for complex data challenges.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.