Building Trust in the Machine Auditing AI for a Robust Control Environment.

We've explored how a unified view of your data and continuous monitoring can strengthen your organisation's controls. Now, let's turn our attention to one of the most powerful – and potentially complex – technologies emerging today: Artificial Intelligence (AI). As AI systems become more deeply embedded in our operations, from automating decisions to generating insights, it's crucial that we understand how to ensure they are working as intended, fairly, and reliably. This is where Internal Audit plays a vital role.

Just as we audit our financial systems and operational processes, we must also strategically audit our AI systems. For senior leaders who may not have a direct understanding of AI, this means ensuring we can trust the 'black box' and the decisions it makes. Trust in the Machine

Why Audit AI? The New Frontier of Risk: The rapid adoption of AI introduces new types of risks that traditional audit approaches might not fully address. These include:

• Bias and Fairness: If an AI system is trained on biased data, it can perpetuate and even amplify those biases in its decisions, leading to unfair or discriminatory outcomes. Imagine an AI system for loan applications that inadvertently disadvantages certain demographic groups.

• Lack of Transparency (the 'Black Box'): Many AI models are incredibly complex, making it difficult to understand how they arrive at a particular decision. This 'black box' nature can make it hard to explain outcomes, resolve disputes, or ensure accountability.

• Data Quality and Integrity: AI systems are only as good as the data they consume. Poor quality, incomplete, or manipulated data can lead to flawed insights and erroneous decisions.

• Model Drift: AI models can degrade in performance over time as the real-world data they encounter changes, leading to less accurate or relevant outputs.

• Security and Privacy: AI systems handle vast amounts of data, making them targets for security breaches and raising concerns about data privacy.

• Accountability: When an AI system makes a decision, who is ultimately accountable for its outcome?

A Strategy for Auditing AI Systems: Internal Audit needs a clear strategy to address these risks, whether the AI systems are developed in-house or purchased from external providers.

1. Know Your AI Landscape: Identifying AI Use Cases

The first step is to get a complete inventory of where AI is being used or planned for use across the organisation. This isn't just about large, obvious AI projects. AI might be embedded in:

• Customer Service Chatbots: Are they providing accurate and helpful information, or are they frustrating customers?

• Fraud Detection Systems: Are they effectively identifying fraud without generating excessive false positives or being biased?

• Automated Decision-Making Tools: Such as credit scoring, pricing adjustments, or resource allocation.

• Data Analysis Tools: Are the insights generated by AI consistent and reliable?

• Third-Party Software: Many off-the-shelf solutions now incorporate AI. Understanding their AI components is crucial.

2. Building a Framework for AI Assurance (Both In-House and External)

Internal Audit's strategy should encompass both AI systems built by your own teams and those acquired from external vendors:

• For In-House Developed AI:

  • Data Governance: Audit the data used to train and operate the AI models. Is it accurate, complete, representative, and secured? This ties directly back to the principles of a data hub and continuous monitoring we discussed.

  • Model Development and Validation: Review the processes for designing, building, testing, and deploying AI models. Are there robust validation steps to ensure the model performs as expected? Are ethical considerations, like fairness and bias, addressed from the outset?

  • Transparency and Explainability: Can we understand why the AI made a particular decision? This involves auditing the techniques used to provide insights into the model's logic.

  • Continuous Monitoring of Performance: Just like our continuous process monitoring, AI models need ongoing checks to detect 'drift' in performance or unexpected behaviour as they interact with real-world data.

• For Externally Acquired AI (Third-Party Systems):

  • Vendor Due Diligence: Before purchasing, audit the vendor's processes for developing, testing, and maintaining their AI systems. Ask for evidence of their approach to data quality, bias detection, and security.

  • Contractual Safeguards: Ensure contracts include provisions for data access for audit purposes, explainability requirements, and clear accountability for AI system performance and outcomes.

  • Ongoing Monitoring: Even if it's a third-party system, monitor its outputs and impact within your organisation. Are the results fair? Are there unintended consequences? Your own unified data platform can help here by cross-referencing outcomes from the AI system with other business data.

3. Upskilling the Audit Team: Auditing AI doesn't mean every auditor needs to be an AI scientist. However, internal audit teams do need to develop a foundational understanding of AI concepts, its risks, and how to assess its reliability and ethical implications. This might involve targeted training, collaborating with data scientists within the organisation, or engaging external specialists.

4. Focusing on Outcomes, Not Just Code: Ultimately, the audit of AI systems isn't just about the algorithms or the lines of code. It's about the outcomes the AI produces and their impact on the business, its customers, and other stakeholders. Are those outcomes fair, accurate, compliant, and aligned with the organisation's values and objectives?

By strategically auditing AI systems, Internal Audit can provide crucial assurance to senior management that these powerful tools are being used responsibly, ethically, and effectively. This proactive approach ensures that AI enhances, rather than undermines, the robust control environment we are striving to build, fostering trust in our intelligent systems and driving sustainable value for the organisation.