Artificial intelligence (AI)-powered tools have been leveraged by companies and early adopters for some time now. The recent introduction of generative AI tools, such as ChatGPT, has brought the topic back into circulation, making it one of the trending subjects of conversation throughout businesses (findings from Reuters even report that the number of S&P 500 companies discussing AI on conference calls has climbed to a new high, with the proportion of S&P 500 companies mentioning “AI” at 36%, per its latest data). While AI can streamline tasks and automate manual steps throughout business processes, it still carries a certain level of risk, and that risk should be scrutinized in an internal audit evaluation if your organization is considering implementing, or has already implemented, an AI-powered tool.
Here are a few ways internal audit can make the adoption of AI-powered tools a success:
Risk Assessment
Technological advancements bring countless concerns – from human error and data security to the risk of failure – so a risk assessment should be performed with each new significant adaptation, expansion or shift in business operations. Identifying and classifying risks early on allows organizational leaders to take action to address known concerns. It is crucial that the data inputs driving your AI platform are screened through the risk assessment process prior to implementation.
Partnering with internal audit in identifying and prioritizing risks is a valuable step to take, as internal audit can be used to avoid groupthink. Based on position and expertise, internal audit can provide an independent assessment of the project at hand. Because internal audit has expertise and tools for identifying risk, the implementation team can build on an existing foundation to streamline identifying risks and, once the tool is fully implemented, filling in gaps.
Many organizations are siloed. In these cases, internal auditors provide a holistic view of risks across the organization, considering both strategic and operational risks. The implementation of a new AI-powered tool may provide a significant benefit for one department, but unmitigated risk could manifest itself elsewhere in the organization. Internal audit can provide information on potential risks in these situations.
Governance and Oversight
Before implementing an organization-wide tool, internal audit can evaluate the adequacy of the governance framework at the organization. This evaluation can include reviewing policies, procedures and ethical guidelines. Having a better understanding of this framework enables the implementation team to accommodate the end-user more proficiently.
Once responsibilities are established, it is crucial that the data input and output from the platform are continuously monitored for quality, integrity, privacy and security. A clear line of accountability must be defined and understood.
Controls Assessment
Internal audit can evaluate the effectiveness of controls designed to manage AI-related risks, such as data governance, model validation and cybersecurity. For each step taken, internal auditors can recommend and help implement risk mitigation strategies to address identified concerns.
Monitoring Compliance
Internal audit can monitor compliance with relevant laws, regulations and internal policies related to AI, like data privacy laws or industry standards. As the landscape of AI changes every day, internal audit is in a unique position to continuously apply new concepts gained from various experiences with the technology.
Using the defined goals and motives, internal audit can perform a consulting engagement to ensure the tools in use deliver the expected benefits. A common way to do this is by identifying and monitoring key performance indicators (KPIs) and making a comparison between pre- and post-implementation. In addition to assessing compliance and control effectiveness, internal audit can perform testing to assess user satisfaction, data integrity and reporting accuracy, among other areas. Having these assessments performed allows management to better identify opportunities for continuous improvement.
Education and Awareness
The technical team that is responsible for setting up new systems is often different from the individuals who are expected to use them daily. For many, technology poses challenges, as it utilizes unique jargon, rapidly changes and requires hands-on experience. Identifying risks and understanding controls also does not come naturally to most individuals. This creates a gap that internal auditors must fill if organizations want to achieve project success.
Internal audit is able to provide training on AI-related risks and controls to an organization’s employee population to address this barrier. When training is offered on risks and controls associated with handling AI-powered tools, it proactively drives awareness of potential challenges. Having knowledgeable users who understand these risks is essential for ensuring that the implemented tool is leveraged efficiently and effectively.
Main Takeaways
By harnessing the knowledge and resources of an internal audit team, organizations can better identify risks and enhance the input process as part of any AI implementation, increasing the likelihood of a successful output. If your organization is at any stage in the AI implementation process and does not have an internal audit partner, contact our team at Sikich, where we offer expansive internal audit resources and capabilities. Having a third-party internal auditor perform an evaluation of your AI implementation and governance can help you better achieve your mission. This fresh perspective, along with additional technological insights, can be utilized to ensure the risks your organization experiences are appropriately addressed and monitored.
About our Authors
David Panicko is an internal audit consultant who collaborates with business leaders, internal auditors, and external auditors to ensure strategies and solutions create business value while maintaining compliance with policies and procedures.
Jesse Laseman is an internal audit consultant with deep experience executing audit engagements across industries. His expertise includes operational audits, data analysis and interpretation, internal control testing, and the development and implementation of internal control recommendations. Jesse has worked on multiple teams responsible for executing the internal control testing requirements for the Sarbanes-Oxley Act.