Internal Audit and Generative AI

I’m not going to get involved in the debate about whether internal audit should be leaping (hopefully forward) to leverage AI in our work.

I remain convinced that we should understand the more significant risks to enterprise objectives, identify the audits we want to perform, and only then select the best tools for the job – which may or may not include AI.

AI may be great at detecting errors or even fraud and cyber breaches. But that is management’s job, not internal audit’s job.

Our job is to provide assurance, advice, and insight.

That can include:

• Whether they have appropriate controls and security over the use of AI
• Whether they are optimizing the use of technology in general
• Whether they have the ability to know when to use what

With that last in mind, I am sharing two pieces you might enjoy:

Here are just a few nuggets:

• Incorrectly used, AI may make up facts, be prejudiced, and leak data. In board packs, this means a real risk for directors of being misled or failing to discharge regulatory duties.
• …we can easily mistake it for an “everything” tool and use it on the wrong problems. And when we do, our performance suffers.A Harvard study showed this in action, taking smart, tech-savvy BCG…