AI for internal audit: 5 Insights and 5 actions

Harness GenAI for smarter internal audits

Generative AI (GenAI) is transforming Internal Audit (IA) practices by making advanced capabilities accessible to everyone. Unlike previous technologies, AI excels at making sense of data, decision making, and advising on actions to take. This accessibility brings both challenges and opportunities for IA departments. As businesses rapidly adopt GenAI, IA teams must carefully evaluate the associated risks and benefits to stay ahead in this evolving field.

What are some things that internal audit teams should consider when thinking about GenAI?

5 insights you should know

  1. What is GenAI? This evolution of AI capabilities is underpinned by Large Language Models (LLMs) which have learned on a broad set of generalized data (text, images, audio) adaptable across a number of use cases. Generative AI models generate data by fine-tuning their knowledge to interact and produce various outputs (text, code, images) by taking in a variety of prompt inputs in different formats.
  2. GenAI is driving speed to market—but new approaches are required. As GenAI quickly evolves, in both technical complexity and capabilities, there’s a natural excitement and desire to develop use cases across the enterprise, both formally and informally. But the best speed is one cognizant of risk.
  3. GenAI (and other AI) projects are not only technology projects, but they are also business projects and involvement of key subject matter resources with domain knowledge are needed early and consistently as part of the team developing the accountability framework.
  4. The use of public or private GenAI tools adds a new layer of risks including data leakage of sensitive information, the use of biased data in producing outcomes, improper usage of Intellectual Property (IP), and difficulties in testing and explaining GenAI models. Additionally, the fear of risks in using GenAI can cause organizations to shy away from the capability, missing an opportunity to realize significant benefits.
  5. There are numerous use cases for IA’s use of GenAI including audit report generation, Industry Benchmarking of Risks, Smart Document Analysis, and the creation of AI-Powered Chatbots (to name a few). As the capabilities of GenAI have pushed traditional capabilities and historic use cases, legacy intake and use case prioritization models (including expected benefits) may need to evolve.

5 actions you can take

  1. Develop a strategy for GenAI and integrate/harmonize it with your digital IA strategy and the enterprise’s existing AI strategy. The same principles that guide an AI-fueled organization apply to the use of GenAI (e.g., access to curated enterprise data; AI governance; process transformation to leverage cognitive workers). With AI technology evolving rapidly, avoid the temptation to go forward alone. Find support and knowledge from internal partners and third-party organizations operating in this space.
  2. Become familiar with the underlying technologies that make GenAI possible, as well as the current capabilities and limitations. Educate your workforce in the usage, risks, and capabilities of AI to establish a baseline of knowledge through training and assess where updates to policies are required. Also, monitor over time how the technology advances and the impact on business risks and opportunities (including policies and controls), as they emerge.
  3. Bring together a cross disciplinary team of people with the domain IA and risk knowledge to think creatively about potential use cases. When business leaders, technology leaders, and creatives collaborate with subject matter and technical resources, they may be better able to identify valuable applications and design GenAI deployments with consideration to mitigating related business and technology risks, including meeting applicable laws and regulations.
  4. A refresh of AI risk review and mitigation strategies (including governance strategies and policies) is needed for organizations wishing to leverage GenAI without introducing significant risk. This includes evolving legacy AI risk frameworks to consider challenges around bias and misinformation, attribution, transparency, enterprise accountability around the impacts of GenAI, and building a plan to review high risk use cases.
  5. Organizations should explore the use of private GenAI models that allow teams, including IA, to significantly reduce the efforts spent in generating and accessing information. Additionally, assess your current intake and prioritization models, and identify ways to evolve them. This might consider capabilities of GenAI from incremental digitization of basic productivity use cases to higher order opportunities, such as new, differentiating IA services and creative ways to deliver value for stakeholders. 

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?