ComplianceJuly 16, 2026

AI governance auditing explained: From operational governance to board assurance

Key Takeaways

  • AI adoption is accelerating rapidly, creating both significant opportunities and governance, risk, and compliance challenges.
  • Internal auditors play a critical role in assessing whether AI governance frameworks are effective, operational, and supported by evidence.
  • Effective AI operational governance is built on accountability, transparency, fairness, security and privacy, and human oversight.
  • Organizations should inventory AI systems, assign accountability, assess high-risk use cases, build documentation, and coordinate across functions.
  • Third-party AI systems require the same level of governance attention as internally developed AI because accountability and regulatory obligations remain with the organization.

Artificial intelligence, automation, and rapid technological innovation are reshaping every sector of the global economy. No corner of organizational life remains untouched by this transformation. As a result, organizations are facing a unique inflection point, where leaders at every level must navigate unprecedented complexity and adapt to a rapidly evolving internal audit landscape.

Emerging technologies, such as Generative AI, advanced analytics, and quantum computing, are no longer optional add-ons or experiments confined to innovation labs. These technologies have become central drivers of value creation, competitive differentiation, operational resilience, and organizational risk. However, they also introduce significant governance challenges, particularly around ethics, transparency, cybersecurity, accountability and regulatory compliance.

Despite these challenges, AI acceleration also brings powerful opportunities, enhanced decision-making, smarter products and services, greater efficiency, and deeper customer insights. Organizations are increasingly turning to internal audit functions to help balance the tension between risk and opportunity to provide sound AI assurance and governance.

Why AI governance auditing matters now

Across industries, boards, audit committees, executives, and risk professionals are struggling with an AI governance auditing deficit. To address this, internal auditors and risk professionals must be equipped to answer three fundamental questions:

  • Do we understand the technologies we are deploying?
    This extends beyond a technical level to include an understanding of the decisions these technologies make, the data they consume, and the risks they generate.
  • Is our governance frameworks mature enough to manage the emerging risks?
    Having a policy document is not enough. The real question is whether your frameworks are effective, operational, and demonstrable.
  • How do we unlock innovation without undermining safety, trust, or long-term value?

The goal is not to stifle AI innovation but to govern it well enough to enable confident, accountable decision-making.

Answering these three questions is critical for organizations seeking to build AI confidence and capability in this rapidly evolving environment.

The moment of acceleration

To illustrate the rapid evolution and adoption of AI, consider the following statistics:

  • 40% of jobs worldwide are estimated to be exposed to AI
  • More than 180 AI regulations have been proposed globally
  • AI investment has tripled between 2022 and 2024
  • Generative AI transitioned from research labs to enterprise operations in under 24 months, an unprecedented rate of adoption

The regulatory landscape is proliferating at a record pace. Consequently, organizations must navigate multiple, often conflicting, requirements. Additionally, board and audit committee-level AI literacy has not kept pace with technology adoption, creating an AI governance auditing deficit that continues to grow.

This acceleration is more than a technological shift. AI differs from previous waves of technological change due to six defining characteristics:

  • Speed. AI capabilities are doubling in cycles of months, not years. Governance cannot afford to lag behind.
  • Opacity. Many AI systems operate as “black boxes,” making decisions that cannot be easily explained to regulators or audited.
  • Expectation. Boards, audit committees, regulators and customers now expect responsible AI operational governance.
  • Ubiquity. Technologies are available to any organization via cloud APIs, lowering entry barriers but broadening risk exposure.
  • Interconnection. AI, combined with the Internet of Things and data, creates compounding risk profiles that traditional frameworks cannot fully capture.
  • Opportunity. Effective AI assurance and governance unlocks competitive advantages and builds stakeholder trust, building long-term value.

Of these six characteristics, opacity and ubiquity are what set AI apart from other technologies. The inability to fully explain or audit AI decisions raises significant governance challenges. While boards and audit committees don't need to be software engineers, they do need to understand the decisions these technologies make, the data they use, and the risks they create.

AI operational governance as the foundation for audit and assurance

An effective AI governance framework is what makes confident innovation possible, not what prevents it. AI governance must extend beyond technology and IT to encompass strategy, operations, and assurance. Internal audit has a critical role to play at every level.

The strategic level requires board or audit committee-approved AI policies, executive sponsorship and accountability, and a clearly articulated risk appetite statement. AI governance must be integrated into the enterprise risk management framework, not sitting in isolation as a technology issue.

At the operational level, organizations need an AI inventory, which is a register of all AI systems in use with clear documentation of data inputs and outputs. Pre-deployment risk and ethical impact assessments should be conducted not as a tick-the-box exercise but as a genuine evaluation before systems go live. Organizations also require model validation, testing protocols and appropriate vendor requirements for AI suppliers at the assurance level.

The assurance level is where internal audit is actively involved. There should be appropriate internal audit coverage of AI systems and governance, ongoing monitoring with defined performance metrics and incident reporting, and regular and meaningful reporting to board and audit committee on AI risk. This will help the organization build its AI literacy.

The five pillars of AI operational governance

There are five foundational pillars that make up an organization’s AI operational governance program.

  1. Accountability. Accountability cannot be delegated to the technology team. There must be clear ownership of AI systems, including approval, maintenance, and responsibility for failures.
  2. Transparency. Transparency is a prerequisite for trust. Organizations must be able to explain AI decision-making processes to regulators, customers, employees, and auditors.
  3. Fairness. AI systems can perpetuate, amplify, or introduce bias or discriminatory outcomes. Ensuring fair outcomes, particularly for protected characteristics and vulnerable groups, is both a regulatory requirement and an ethical imperative.
  4. Security and privacy. AI systems can introduce new attack surfaces. Organizations must protect data used to train and operate AI, ensuring systems are resilient to adversarial attacks.
  5. Human oversight. Even in highly automated environments, there must be mechanisms for human review, intervention, and override. The degree of human oversight should be proportionate to the risk and impact of the decisions being made, especially for high-stakes outcomes.

View a demo

The internal audit role in AI governance auditing

Internal auditors are uniquely positioned to assess whether governance frameworks are real and effective, not just documented. Every audit performed should evaluate governance, risk management, and controls; meaning internal auditors should already have some idea about the maturity of their AI governance auditing program.

The distinction between having frameworks that are effective or simply documenting is important. Many organizations can produce an AI policy document, but far fewer can demonstrate that the policy is being implemented, monitored, and enforced in practice. Internal auditors can add value by advising boards and audit committees on AI risk maturity gaps and providing independent, evidence-based assurance that their governance frameworks are working as intended. This requires internal audit to develop the skills, knowledge, and methodologies needed to audit AI systems and governance effectively.

It requires us to move beyond traditional control testing approaches into new territory, reviewing model validation processes, evaluating data governance, examining algorithmic fairness, and assessing human oversight mechanisms. It can be a significant challenge for the internal audit profession to advocate for responsible innovation, but it's also a significant opportunity to add real value in an area where boards and audit committees are seeking independent AI assurance.

The following are the AI governance auditing components that internal audit should be reviewing:

  • Strategy and use case approval to assess business need, risk ratings, and lawful basis.
  • RACI (responsible, accountable, consulted, and informed) and accountability to clarify who is responsible for each AI model, determine who provides risk and compliance oversight, and define the escalation paths.
  • Data governance to establish quality, lineage, privacy, security, and retention.
  • Model risk management to determine a documented model and validation, testing for bias and fairness, and explainability of outputs.
  • Operational controls include change management, versioning, access, monitoring and incident management.
  • Human oversight is required to ensure there’s a human-in-the-loop and thresholds are established, such as override and appeals mechanisms.
  • Documentation and evidence, including model cards, data sheets and decision logs, provide an audit trail when performing AI governance auditing.

Additionally, internal auditors should request access to policies, committee minutes, risk assessments, inventories, validation reports, and monitoring dashboards.

Key AI risks for internal audit

Enhanced decision making, better customer experience, innovation advantages, and operation efficiency are just some of the strategic opportunities that AI provides. However, there is seldom reward without risk.

There are several key risks that internal auditors must understand and assess. All of these can corrupt the outputs of AI systems in ways that may not be immediately visible.

  • Data risks: Bias, poor quality, uncertain provenance, or data leakage
  • Model risks: drift, instability, hallucination, or non-determinism
  • Operational risks: Breakpoints in automated workflows and resilience failures
  • Cyber risks: Adversarial inputs, prompt injection, or model theft
  • Ethical risks: Unfair outcomes and opaque decisions
  • Regulatory risks: Non-compliance with AI, data protection, and sector-specific regulations

Third-party and vendor AI operational governance

One of the most overlooked AI risks is with third-party vendors. Many organizations unknowingly use AI through their software vendors, cloud providers, and outsource service partners without fully realizing it or implementing proper governance. Consider your customer relationship management system, HR platform, finance system, or e-mail productivity tool. How many of those have incorporated AI features, such as machine learning, to power recommendations, establish processes, or flag anomalies?

The answer is likely more than your organization is aware of. This lack of visibility is critical because governance obligations don’t disappear simply because the AI resides in a third-party system. Regulatory obligations around fairness, transparency, and accountability still apply whether the AI is developed in-house or externally procured.

The AI supply chain is extensive, encompassing foundation model vendors, application programming interface (API) providers, cloud platforms, data brokers, and open-source libraries. Each of these represents a potential risk point, not only in terms of performance but also for data security, intellectual property, and regulatory compliance. Effective AI governance requires extending due diligence to these external systems.

Continuous monitoring of third-party systems is equally critical. As software versions are updated, providers experience incidents, and performance degrades without notice, risk can emerge without warning. To mitigate these risks, internal auditors should request and review key documentation from third-party vendors, such as third-party risk assessments, systems and organizational control (SOC) reports, penetration testing summaries, and model version notes.

Building organizational readiness

There are five foundational elements that organizations must put in place to prepare for AI and digital disruption. These include:

  • AI and technology inventory. This ensures governance over all AI systems, including third-party AI solutions.
  • Governance bodies. There must be a defined governance structure and AI committee with clear reporting lines to the board or audit committee.
  • Policies and guardrails. Documented policies covering AI usage, and data and incident management.
  • Skills and culture. Organizations must provide role-based training, establish clear escalation norms, and encourage raising AI-related concerns.
  • Metrics. Measure AI system performance and governance for effectiveness, error rates, override volumes, time-to-mitigate instances, and appeal volumes.

The maturity signal within your organization is the combination of inventory monitoring and regulatory reporting cadence.

What organizations need to know about AI governance auditing

The rapid evolution of AI demands immediate action from organizations, particularly internal audit functions. Waiting until governance frameworks are perfect is not an option. Instead, organizations must begin building internal audit capabilities in this space now, even if it means starting with lower-complexity reviews and scaling up from there. The risks of delay will only continue to grow as AI adoption accelerates.

To establish a strong foundation for AI operational governance, organizations should focus on these five priorities regardless of their jurisdiction:

  • Map your AI. Conduct an inventory of all AI systems in use, aligning them with applicable regulatory frameworks. This is especially critical for organizations operating across multiple jurisdictions.
  • Assign accountability. Identify who in your organization is responsible for AI regulatory compliance. Ensure this individual or team has the authority and resources to be effective.
  • Assess your highest-risk AI use cases first. Prioritize the evaluation of AI systems that are most likely to attract regulatory scrutiny and cause the greatest harm if left ungoverned.
  • Build documentation. Begin compiling technical documentation, data governance records, and audit trails. These are essential for demonstrating compliance with virtually every regulatory framework.
  • Coordinate functions. Foster collaboration across legal, compliance, risk, IT, and internal audit. AI regulatory compliance cannot be siloed within one department but requires an integrated, cross-functional approach.

Good AI governance begins with a board or an audit committee that approves a clear, comprehensive AI policy that articulates the organization’s AI risk appetite. It involves conducting pre-deployment risk assessments, assessing regulatory compliance gaps proactively, and ensuring these efforts are well-documented. Internal audit plays a vital role in this process by evaluating governance policies, clarifying accountability, and ensuring frameworks are effective.

Conclusion

The AI landscape is transforming every sector, and internal auditors must build sufficient AI literacy to fulfill their oversight and assurance responsibilities effectively. Ignorance is not a defensible position.

Digital disruption creates both powerful opportunities and significant risks. The most successful organizations will pursue both sides of the equation simultaneously. Proactive compliance, leadership commitment, and sustained investment in AI capability are essential. The time to act is now, and internal audit has a critical role to play in enabling organizations to navigate this new challenge with confidence.

Frequently asked questions

We’ve asked Liz Sandwith to review the most frequently asked questions and provide her informed responses for additional consideration and clarity.

  • With auditors already stretched auditing different areas, how do you realistically expect them to maintain AI literacy given its pace of change?
    The key is making AI literacy a function-level responsibility rather than an individual burden. Designate one or two people as AI literacy leads who monitor developments and share relevant updates with the team. Build short briefings into regular team meetings rather than relying on periodic deep-dive training. Curate a small number of reliable sources — the IIA's AI guidance and ISACA updates are good starting points — rather than trying to track everything. And use AI tools themselves to summarize developments, which is exactly the kind of task they handle efficiently. If capacity genuinely does not exist to maintain adequate AI literacy, the CAE should raise it with the audit committee as a resourcing gap — not quietly absorb it.
  • The problem I see in sectors like Insurance is lack of data quality, what would you recommend as this is critical for effective AI utilization?
    Waiting for clean data before deploying AI means waiting indefinitely — data quality must be managed in parallel with AI adoption. Three practical recommendations: first, conduct a structured data quality assessment — covering completeness, accuracy, consistency and lineage — before deploying any AI use case; second, tier use cases by data sensitivity — high-stakes applications such as underwriting or fraud detection demand higher data quality standards than internal process tools; third, make data quality a board-level metric, not a technical dashboard item, since AI amplifies the consequences of poor data significantly. For internal audit, data governance is a legitimate and important audit area — assess whether data quality standards exist, are enforced, and whether AI use cases have undergone fitness assessments before deployment.
  • What does RACI stand for? How can we quantify that the cost of inaction exceeds the cost of investment? Has a study confirmed this?"
    RACI here means Responsible—who does the work; Accountable—who owns the outcome; Consulted—who provides input; and Informed—who is kept up to date.  It is a framework used to clarify roles and ownership in any governance or project context. In AI governance it defines who owns each AI system, who is accountable for its outcomes, who needs to be consulted on decisions, and who should be kept informed.

    On quantifying the cost of inaction, no single universal study provides a definitive figure, but the evidence base is growing and compelling. IBM's annual Cost of a Data Breach Report consistently shows that organizations with mature AI and automation in their security function resolve breaches significantly faster and at lower cost than those without. McKinsey's research on AI adoption demonstrates measurable productivity and revenue advantages for early movers. Gartner has estimated that poor data governance—a direct consequence of ungoverned AI—costs organizations an average of $12.9 million annually. The EU AI Act's penalty framework, with fines of up to 35 million euros or 7% of global turnover for serious violations, itself makes a financial case for proactive governance investment. The honest answer is that precise quantification is organization-specific—but the directional evidence is consistent and strong.
  • Our organization has bought and rolled out the full copilot licenses. They seem to think it will replace the need for admin staff.
    The expectation that Copilot will straightforwardly replace admin staff reflects a common but oversimplified view of AI deployment. Copilot will automate specific tasks—scheduling, drafting, summarizing, data retrieval—but realizing that value requires change management, training and process redesign that organizations frequently underestimate. License purchase is not transformation.
  • In your opinion, what's the right mix of the use of AI in finance and auditing?
    On the right mix for finance and audit, AI adds most value in high-volume, repeatable tasks: transaction analysis, anomaly detection, report drafting, document summarization and continuous monitoring. Human judgement remains essential for interpretation, stakeholder relationships, ethical reasoning, complex risk assessment and any decision with material consequences. The right mix is therefore not a fixed ratio but a principled division: use AI to handle volume and speed, preserve human expertise for judgement and accountability. In both finance and audit, the critical principle is that AI supports and accelerates human decision-making — it does not replace the professional responsibility that sits behind it.
  • It seems like roles can become blurred between human and machine. If a machine makes a decision surely the human is still responsible (e.g. if a loan is not approved, surely the accountability is on the financial institution and not the machine). Should an AI Committee be made a standard sub-Committee of the Board, such as an Audit Committee and Nom Com?
    You are absolutely right, and this is a crucial point. Legal and regulatory accountability always rests with the institution, not the algorithm. No AI system can be held responsible—only the people and organizations that deploy it can be. What becomes blurred is not accountability itself but the practical exercise of oversight—specifically, whether the humans nominally responsible for a decision genuinely understand, review and can explain what the AI has done. 
    An officer who rubber-stamps an AI recommendation without meaningful review is still accountable for that decision but may be unable to defend it if challenged. That is where the governance risk lies. The webinar's emphasis on human-in-the-loop oversight, explainability and audit trails is precisely about ensuring that accountability is not just theoretically present but practically exercisable—that the human responsible can demonstrate they understood and owned the decision.

    This is a debate the governance profession is actively having, and there are credible arguments on both sides. The case for a dedicated AI Committee is strong: AI risk is material, complex, fast-moving and crosses every function—it warrants dedicated board-level attention, specialist membership and a formal reporting line. Several large financial institutions and technology companies have already established them.

    The counterargument is that creating a separate committee risks fragmenting governance — AI risk should be integrated into risk, audit and strategy oversight rather than siloed. There is also a practical challenge: finding board members with sufficient AI expertise to populate a credible committee is genuinely difficult in most organizations today.

    The most pragmatic near-term position is to ensure the existing audit or risk committee has explicit AI oversight responsibility, defined AI competency requirements, and regular substantive reporting on AI governance—with a dedicated committee as the logical next step as board AI literacy matures. The important thing is that AI has a formal, named governance home at board level, whatever structure achieves that.

  • Data governance and controls over what information is input on AI tools has got to be even more critical now, because unchecked errors are going to be magnified exponentially.
    One of the most significant characteristics of AI systems is that they scale, which means errors, biases and poor data inputs do not simply produce one wrong answer, they produce wrong answers at volume, speed and consistency that manual processes never could. A biased dataset feeding a loan decisioning model does not produce one unfair outcome; it produces thousands, systematically and invisibly. The practical governance implications are significant. Data quality assessment must precede AI deployment, not follow it. Input controls—defining what data can and cannot be fed into AI systems—must be designed, documented and tested as rigorously as any other financial control. Data lineage must be traceable so that when something goes wrong, the source can be identified and remediated. And monitoring must be continuous, not periodic—because drift in data quality will translate directly into drift in AI outputs, often without any visible trigger. For internal audit, data governance is not a supporting work program alongside AI audit. It is central.
  • Can you provide a progressive view or snapshot of how a company should typically evolve in its use of AI over time?
    A useful way to think about this is in four broad stages, recognizing that organizations will move between them at different speeds and may be at different stages in different parts of the business.

    Stage 1 — Experimentation. AI use is ad hoc, often driven by individual teams or enthusiastic adopters. Tools are being explored, pilots are running, but governance is minimal and the inventory is incomplete. The risk at this stage is that adoption outpaces oversight.
    Stage 2 — Formalization. The organization establishes foundational governance: an AI policy, a formal inventory, a pre-deployment assessment process and named accountability for AI systems. Internal audit begins including AI governance in its universe. Third-party AI starts to be addressed in vendor management
    Stage 3 — Integration. AI is embedded in core processes across multiple functions. Governance frameworks are mature, monitoring is continuous, and board reporting on AI risk is regular and substantive. Internal audit has developed specialist capability and is providing assurance across the full AI lifecycle.
    Stage 4 — Optimization. AI governance is a competitive differentiator. The organization uses AI to govern AI — automated monitoring, real-time risk sensing, continuous assurance. The culture treats responsible AI use as embedded practice rather than compliance obligation. Most organizations currently sit between stages one and two. The priority is to move deliberately towards stage two before the volume and complexity of AI use makes ungoverned adoption very difficult to reverse."

  • Can you provide practical examples of AI usage in business and internal audit?
    In business, current AI applications span every function. In finance: automated invoice processing, anomaly detection in transactions, AI-assisted forecasting and close processes. In HR: CV screening, workforce planning, employee sentiment analysis. In customer services: AI chatbots, complaint triage, personalized product recommendations. In risk and compliance: real-time transaction monitoring for fraud, regulatory change tracking, sanctions screening. In operations: predictive maintenance, supply chain optimization, demand forecasting. In insurance specifically: underwriting model assistance, claims automation and fraud detection.
    In internal audit, practical applications include: using AI to analyze entire populations of transactions rather than samples, identifying anomalies that sampling would miss; document summarization—rapidly reviewing policies, contracts and board minutes to identify gaps or inconsistencies; continuous monitoring of key controls, flagging exceptions in real time rather than at the next audit cycle; drafting audit programs, findings narratives and management reports from structured notes; risk sensing—scanning regulatory updates, industry developments and internal data to keep the audit universe current; and using AI to support pre-audit research and stakeholder interview preparation.

    The common principle in both contexts is that AI handles volume, speed and pattern recognition—humans provide judgement, interpretation and accountability.
  • At the assurance level, would the audit need to be done by the IT auditors or the combination?
    A combination, without question—and the balance matters. A purely IT audit approach to AI governance will miss the most significant risks. AI audit requires technical understanding of how models work, yes—but it equally requires business audit skills to assess governance structures, accountability frameworks and decision-making processes; data audit capability to evaluate data quality, lineage and privacy compliance; and professional judgement to assess ethical implications, fairness and the adequacy of human oversight.

    In practice, the most effective AI audit teams bring together: an IT or data auditor with sufficient technical knowledge to evaluate model documentation, validation reports and system controls; a business or risk auditor who can assess governance, accountability and process controls; and where the use case is sufficiently complex or high-risk, a co-sourced specialist—a data scientist or AI ethics expert—who can provide depth the internal team does not have. The CAE's role is to ensure the combined team has the right coverage, and that no single dimension—technical, governance or ethical — is overlooked because of gaps in team composition.
  • What changes do you expect to see in appointments to governing boards and audit committee of organizations as AI affects governance?
    Board composition is evolving rapidly. Expect AI and technology literacy to become a baseline requirement in skills matrices, not an optional extra. Regulators, investors and proxy advisors are increasingly scrutinizing whether boards and audit committees can meaningfully oversee the technologies their organizations deploy. Practically, this means more directors with AI, data and cybersecurity credentials; growing use of dedicated Technology or AI sub-committees; and candidates drawn from emerging C-suite roles such as Chief AI Officer or Chief Data Officer. Crucially, technical knowledge alone is insufficient—boards, audit committees also need directors who bring ethical reasoning and regulatory awareness. For internal audit, where board or audit committee capability gaps exist in AI oversight, that is a legitimate governance finding worth raising.
  • Should any audit staff members specialize in auditing AI-supported processes?
    Yes—but proportionately. Not every auditor needs deep technical expertise, but all auditors need sufficient AI literacy to recognize when AI is embedded in a process, ask the right questions and identify where human oversight is absent. Beyond that baseline, developing two or three specialists within the function—through targeted training and co-sourcing arrangements—brings genuine depth to model risk, bias testing and data governance reviews. The IIA's AI Auditing Framework, (https://www.theiia.org/globalassets/site/content/tools/professional/aiframework-sept-2024-update.pdf), is the best starting point for building that capability. The key message: don't let the pursuit of perfect capability delay action. Start building with what you have now.
  • How do you recommend auditing Shadow AI?
    Shadow AI—AI tools used without organizational approval or governance—is fast-growing and genuinely difficult to audit. A structured approach has three stages. 

    First, discovery: network monitoring, procurement and expense analysis, staff surveys and interviews are all valuable; surveys are often the most revealing if framed helpfully rather than punitively. 

    Second, risk assessment: focus on what data is being input into unsanctioned tools, whether outputs influence decisions, and whether any regulated or confidential data is at risk. 

    Third, governance review: assess whether an acceptable use policy exists and is understood; whether there is a proportionate approval pathway for new AI tools; and whether technical controls such as data loss prevention are operating effectively. 

    Frame findings constructively—Shadow AI is usually a symptom of unmet need and slow official processes, not simply non-compliance. Recommendations should address both the control gap and the underlying demand.
  • What advice do you have regarding the AI inventory given that AI is being incorporated into nearly everything (often with no notification from vendors that they are adding it)?
    The perfect inventory is the enemy of a useful one, start imperfect and iterate. Build from multiple sources simultaneously: IT asset registers, procurement records, contract reviews, business unit self-declaration questionnaires, and ongoing dialogue with IT, legal and compliance. 
    On the vendor notification gap specifically: embed AI disclosure obligations into new and renewed contracts requiring vendors to notify you of material AI changes before deployment; subscribe to vendor release notes and product updates; and make AI disclosure a standard part of supplier relationship management reviews. 

    Once you have an inventory, risk-tier it, focus governance attention on AI that influences significant decisions, processes sensitive data or operates without meaningful human oversight. 
    Assign a named owner, build in regular update cycles, and require registration of new AI use cases before deployment. 

    Coverage and risk tiering matter more than exhaustive completeness.
  • AI is no longer optional; it is a competitive necessity. However, organisations must use it responsibly to manage legal, ethical, and operational risks. Can you share some practical “dos and don’ts” for implementing AI safely?
    To implement AI safely there is a need for some do's and don'ts. Here are some suggestions:

    Do: establish a board-approved AI policy with clear risk appetite; assign named accountability for every AI system; conduct pre-deployment risk and ethical impact assessments; maintain a live, risk-tiered AI inventory; ensure human oversight for high-stakes automated decisions; build AI literacy across the whole organization; create an accessible, proportionate approval pathway for staff wanting to adopt AI tools; and embed AI disclosure obligations into vendor contracts.

    Don't: mistake a documented policy for effective governance—controls, monitoring and accountability must follow; assume systems and organizational control (SOC 2) reports provide sufficient assurance for third-party AI risk; deploy AI in high-stakes decisions affecting individuals without bias testing and explainability; input confidential or regulated data into AI tools without confirming vendor data handling practices; assume AI outputs are accurate without human review; or wait for a mature governance framework before auditing—the gap itself is the finding.
  • How long before financial reporting standards boards (i.e.: IFRS, FASB, etc.) require disclosures on use of AI in operations or financial statement preparation? Do you foresee SOC-type reports being demanded from AI providers?
    Formal mandatory standards are probably three to five years away for most jurisdictions, but the direction is unambiguous and voluntary disclosure expectations are already building now.
    Several developments are already in motion. The SEC's existing materiality framework already requires disclosure of material AI risks in US public company filings. The IAASB (International Auditing and Assurance Standards Board) is considering how AI use by auditors affects audit standards. The IAASB and FASB (Financial and Accounting Standards Board) both monitor AI's implications for financial reporting, particularly where AI is used in estimates, valuations and judgements that underpin financial statements.

    In the near term, expect pressure to come through three channels: investor and analyst expectations driving voluntary disclosure; securities regulators requiring disclosure of material AI use and risks ahead of formal accounting standards; and audit standards evolving to require auditors to consider and document AI use in the audit process.

    For organizations using AI in financial close processes, impairment modelling, revenue recognition or other judgement-intensive areas, the prudent position is to document AI use now, assess materiality, and build disclosure-ready governance—rather than waiting for standards to mandate it.
  • An AI startup company has been imbedded into a Bank's operations, primarily via a chatbot they have built and all associates are using it. This tool is owned by Management. Should IA pause this for core audit processes due to independence concerns? We are supposed to be independent of Management, and I fear if they own the tool, then we might be non-compliant with the "independent" standards and guidelines published by the IIA.
    This is an excellent and important question that goes to the heart of IIA independence standards. The concern is legitimate and warrants careful consideration. The IIA's independence standards require that internal audit be free from conditions that threaten its ability to carry out responsibilities objectively. Using a tool owned and controlled by management for core audit processes creates a genuine independence risk—not necessarily because management would actively interfere, but because the perception of independence may be compromised, audit outputs could potentially be visible to management, and the audit function has no control over the tool's configuration, data retention or access permissions.

    Practical guidance: Internal audit should not use management-owned AI tools for work that involve sensitive audit findings, draft reports, confidential sources or whistleblower-related information. For lower-risk uses—general research, summarization of public information—the risk may be manageable with appropriate safeguards, but this should be a conscious and documented decision, not a default. The audit committee should be informed of the situation and provide direction. Ideally, internal audit should advocate for access to an independently procured AI tool—even a modest one—that sits outside management's control and visibility. This is a reasonable resource request that the audit committee is well placed to support. The independence concern you have identified is well-founded and worth raising formally.
  • How do you see AI affecting future job growth in Internal Audit? Do you believe organizations will use AI as an additional tool or an opportunity to eliminate certain professions?
    Honest answer: both, depending on how organizations choose to respond and how the profession adapts.

    AI will automate a meaningful proportion of current internal audit activity—data gathering, transaction testing, document analysis, working paper drafting and routine report production. Organizations facing cost pressure will inevitably use this as an opportunity to reduce headcount in audit functions, particularly at junior levels. That is a realistic outcome, and the profession should not pretend otherwise.

    However, the demand for genuine audit judgement, stakeholder challenge, ethical assessment and governance oversight is not diminishing—if anything it is growing as AI itself becomes a major risk area requiring assurance. The net effect on jobs will depend heavily on whether the profession successfully repositions—moving up the value curve towards risk advisory, AI governance assurance, continuous monitoring and strategic insight, rather than remaining anchored to activities that AI can perform faster and cheaper.

    For individuals, the implication is clear: auditors who develop AI literacy, data skills and the ability to audit AI systems will be significantly more valuable than those who do not. For CAEs, the challenge is to make the case for reinvesting AI-driven efficiency gains into higher-value audit capability, rather than simply allowing headcount reduction to erode the function's influence and coverage.
  • What skills do Internal Auditors need to audit AI, and how to obtain them?

    Core skills needed across all auditors: Understanding of AI concepts—what machine learning, generative AI and automated decision-making actually do, without requiring deep technical expertise; ability to identify where AI is embedded in processes being audited; familiarity with AI risk categories including bias, hallucination, drift and model failure; and working knowledge of relevant frameworks—the IIA's AI Auditing Framework, NIST AI RMF and ISO 42001.

    Deeper skills for those specializing in AI audit: Data governance and data quality assessment; model validation concepts and how to evaluate validation documentation; bias and fairness testing methodologies; understanding of AI system architecture sufficient to assess control design; and ability to engage credibly with model owners, data scientists and AI ethics teams.

    How to obtain them: The IIA's own AI-related guidance and CPE program is the most directly relevant starting point. ISACA offers AI audit and governance certifications. MIT, Coursera and similar platforms offer accessible AI literacy courses suitable for non-technical professionals. Peer learning—bringing data scientists or AI engineers into audit team sessions—is often underutilized and highly effective.

    Co-sourcing AI audit work with specialist firms accelerates knowledge transfer. And simply auditing AI systems, starting with lower risk use cases, builds practical competence faster than any classroom program.

  • How can we audit to ensure a human is remaining in the loop when AI is used and quality reviews are being done?
    Human-in-the-loop (HITL) assurance is one of the most important and practical AI audit areas, and it is very testable. A structured audit approach would cover:

    Policy and design: Does the organization have defined HITL thresholds—specifying which AI decisions require human review before action, and at what confidence levels automated decisions can proceed without review? Are override and appeals mechanisms documented and operational?

    Testing: Select a sample of AI-generated decisions or outputs and trace them end-to-end. Evidence that a human reviewed the output before it was acted upon — approval records, sign-off logs, system timestamps—should be obtainable. Where it is not, that is a control gap. Test whether override capability is genuine—can reviewers change an AI output, or does the system design make override impractical or discouraged?

    Monitoring: Review whether the organization tracks override rates, error rates and escalations. A very low override rate is not necessarily good news—it may indicate reviewers are rubber-stamping AI output rather than genuinely reviewing them. Meaningful HITL oversight should produce some level of challenge and correction.

    Culture: Interview reviewers. Do they feel they have sufficient time, information and authority to meaningfully challenge AI outputs? Nominal human oversight that is designed to be bypassed in practice is not governance. It is liability management.

Subscribe below to receive monthly Expert Insights in your inbox

Missing the form below?

To see the form, you will need to change your cookie settings. Click the button below to update your preferences to accept all cookies. For more information, please review our Privacy & Cookie Notice.

Liz Sandwith
Internal Audit and Risk Management Consultant
Liz Sandwith has been a member of the IIA Standards Board for the last 6 years. Because of her involvement in the IPPF Evolution project, the IIA asked her to stay on as a Special Adviser to the Standards Board. 
Back To Top