Advisory Alert

Is your internal audit function artificially intelligent?

In recent years, the world has seen exponential growth in the amount of data being captured, processed and stored by organizations, mirrored by a relative reduction in the cost of data storage itself. As a result, the timely, accurate analysis and appropriate management of these vast amounts of data (‘big data’) is where organizations can recognize real business value.

Global technology companies are facilitating organizations in this endeavor by collaborating with them in the development of Artificial Intelligence (AI).

What is AI?

The consensus is that AI is hardware and software capable of behaving like the human brain, including learning, reasoning, adapting, analyzing, making decisions and performing complex and judgment-driven tasks. There are many other interchangeable terms for AI such as machine learning, image recognition and cognitive computing. AI is not about being absolutely correct and complete; it uses probability to process data and estimate the likelihood of particular events occurring. The higher the quantity of good-quality data processed, the greater the accuracy of the AI’s decision making, thereby allowing management to place greater reliance on the AI’s output.

What does AI mean for internal audit?

Internal audit functions will need to recognize the global shift towards AI and consider the advisory/assurance role they will have in this movement. It will be critical that they keep pace with the practical application of AI in business and develop competencies that will enable them to provide AI-related advisory and assurance services to their organization. As AI is founded upon data analysis and the processing of big data, some of the key risks associated with AI will derive from risks relating to data management, quality and security, as well as AI-specific risks. Internal audit will be expected to provide assurance on the risks underlying the design, performance, oversight and monitoring of AI-based processes. Additionally, internal audit will be tasked with identifying, assessing and communicating to the board and senior management the risks associated with AI and the efforts of the business to address those risks, each being key in assuring AI-augmented processes.

Internal audit can fulfil its AI assurance role by engaging in certain distinct activities related to AI such as:

  • including AI in its risk assessment and considering whether to include AI in its risk-based audit plan;
  • being actively involved in AI projects from the beginning, providing advice and insight contributing to successful implementation;
  • where AI has been implemented within business operations or incorporated into a product or service, internal audit should provide assurance on the management of risks related to the reliability of the underlying algorithms and the data on which the algorithms are based;
  • ensuring the moral and ethical issues that may surround the organization’s use of AI are being addressed; and
  • providing assurance in relation to established AI governance structures.

Our AI auditing framework

Each element of the AI auditing framework is set within the context of an organization’s AI strategy; the elements are outlined below.


Each organization’s AI strategy will be unique based on its approach to capitalizing on AI opportunities. Internal audit must consider the organization’s AI strategy at the outset and should help management and the board realize the importance of formulating a deliberate AI strategy consistent with the organization’s objectives.


AI governance refers to the structures, processes and procedures implemented to direct, manage and monitor AI activities in pursuit of achieving the organization’s goals. Regardless of the specific approach, AI governance establishes accountability and oversight, helps to ensure that those responsible have the necessary skills and expertise to effectively monitor AI and helps to ensure the organization’s values are reflected in its AI activities. AI activities must result in decisions and actions that are in line with the ethical, social and legal responsibilities of the organization.

Data architecture and infrastructure

AI data architecture and infrastructure will likely reflect the organization’s architecture and infrastructure for handling big data. It includes considerations of:

  • the way that data is accessible (meta-data, taxonomy, unique identifiers and naming conventions);
  • information privacy and security throughout the data life-cycle (data collection, use, storage and destruction); and
  • roles and responsibilities for data ownership and use throughout the data life-cycle.

Data quality

The completeness, accuracy and reliability of the data on which AI algorithms are built are critical. It is not unusual for an organization to have a poorly defined, incoherent structure to its data. Often, systems are not integrated and do not communicate with each other and only do so through complicated add-ons or customizations. How this data is brought together, synthesized and validated is crucial.

Performance measurement

As an organization integrates AI into its activities, performance metrics should be defined to tie AI activities to business objectives and clearly illustrate whether AI is effectively contributing to the achievement of those objectives. Management must actively monitor the performance of its AI activities.

The human factor

Algorithms are developed by humans. Human error and biases will impact the performance of algorithms. The human factor component considers whether:

  • the risk of unintended human biases in AI design is identified and managed;
  • AI has been effectively tested to ensure that results reflect the original objective;
  • AI technologies can be transparent given the complexity involved; and
  • AI output is being used legally, ethically and responsibly.

The black box factor

As organizations advance to implementing Type III and Type IV AI technologies, utilizing machines or platforms that can learn on their own or communicate with each other, how the algorithms are operating becomes less transparent or understandable. The black box factor will become more and more of a challenge as an organization’s AI activities become more sophisticated.


The internal auditing profession cannot rest on its laurels for fear of being left behind in what may be the next digital revolution – AI. To prepare, internal auditors must understand the fundamentals of AI, the role that internal audit should play in it, as well as its underlying benefits and risks. We can assist internal audit functions in navigating the challenges of AI by recalibrating their plans, expertise and methodologies to cater for it. This will ensure they are best placed to critically assess the effectiveness of AI risk management, control and governance processes.


We are committed to keeping you updated on all developments that may affect the way you do business in Puerto Rico. Please contact us for assistance in relation to this or any other matter; we will be glad to assist you.