Corporate Compliance Insights

Artificial Intelligence: Building the Foundation for Internal Audits that Deliver Value

Developing an Approach to Auditing AI

by Kevin Alvero and Randy Pierson
October 22, 2019
in Featured, Internal Audit

Nielsen’s Kevin Alvero and Randy Pierson explore the fundamental elements that should be included in any approach to doing internal audit of artificial intelligence.

Many internal audit departments are in the process of developing approaches to auditing their company’s artificial intelligence (AI) activities. There is no single, definitive framework yet for auditing artificial intelligence, although organizations such as the Institute of Internal Auditors and ISACA have issued guidance on the matter. Regardless of what approach internal audit departments choose to take and what still-developing AI auditing frameworks will ultimately look like, there are some critical elements that internal audit teams can already begin planning for, and even executing against, knowing that they will be a core element of any AI auditing framework they may utilize in the future.

Existing Guidance

A single, definitive framework for auditing AI has yet to be written, and internal audit frameworks for AI continue to evolve along with the technology itself. Still, there is guidance available for internal audit functions that are in the process of scoping and defining their own approach to auditing AI within their organizations.

Institute of Internal Auditors

In 2017, the Institute of Internal Auditors (IIA) published its Global Perspectives and Insights, Artificial Intelligence – Considerations for the Profession of Internal Auditing. In it, the authors propose considering the auditing of AI under the three overarching components of governance, strategy and the human factor. The IIA guidance provides example procedures and areas of inquiry that internal audit functions could use as a starting point for auditing the key elements that fall under these three components.

ISACA

ISACA, meanwhile, published Auditing Artificial Intelligence in 2018, which describes how to leverage ISACA’s existing COBIT 2019 framework to apply to auditing AI. While this approach is more granular and technical, ISACA concedes that organizations’ approaches to AI are not likely to be as mature as IT in general, so it will require customization on the part of the organization and the internal audit function.

Core Components

As AI auditing frameworks continue to evolve and internal audit functions adapt and customize them for their own use, there are certain core elements that must be covered. Even organizations that are just beginning to define and hone their approach to auditing AI can confidently plan on these things being included in any future effort to provide assurance around AI.

Governance

As described in the IIA’s AI auditing framework, AI governance refers to the structures, processes and procedures implemented to direct, manage and monitor the AI activities of the organization.[i] These things ensure that there is ownership and accountability over AI activities, that there are controls in place to manage the associated risks and that the objectives of these activities are ultimately met. Board/senior management oversight, company policies and procedures, business-unit management and their internal controls, internal and external audit and regulators all play a role in AI governance. The broader governance landscape for AI includes areas such as data, cybersecurity and third parties, as well as activities specific to AI.

Strategy

Internal audit of AI must include an effort to determine whether the organization has clearly articulated its AI strategy and whether it clearly expresses the intended result of AI activities. If not, it will not be possible to determine whether AI initiatives are ultimately successful. It is also important to get a sense of whether the strategy is realistic. A realistic strategy considers the supporting competencies needed to execute the AI initiatives and should be developed collaboratively between business and technology leaders to ensure that neither has unrealistic expectations of the other.

Finally, the AI strategy must be consistent with the mission and values of the organization. Internal audit should be alert to potential conflicts (or perceived conflicts) between the AI strategy and the organization’s values related to fairness, transparency, privacy, discrimination and corporate citizenship.

Big Data

Big data is the raw material, so to speak, that AI algorithms use as the basis for making decisions and determining probabilities. Therefore, the AI audit program must include looking at the organization’s data assets. In inspecting the foundation upon which AI systems are built, internal auditors should understand aspects such as:

  • Data Inventory – Does the organization have an accurate knowledge of what data (and metadata) it possesses, how/where that data is stored and what systems the data is integrated into?
  • Data Quality – Is the data accurate, complete, available and structured appropriately to meet the needs of AI systems? What controls are in place to ensure this is the case?
  • Data Security – How is the data kept secure from theft and/or unauthorized access?
  • Data Privacy – Is the collection, processing, storage, reporting and destruction of data done in a way that is ethical, legal and respectful of the privacy rights of the data’s sources?
  • Data Management/Ownership – Are clear lines of ownership and stewardship of the organization’s data defined, and are they being followed?
  • Technology infrastructure – Is the organization’s overall technology infrastructure able to support the data needs of its AI strategy, now and going forward?

Algorithms

To what extent AI algorithms should be audited, and by whom, is still a topic of debate. But it is safe to say that internal auditors should be looking to provide some assurance that AI algorithms are competently designed, that they are performing as expected, that they are sufficiently transparent to users and that they are not exposing the organization to risk through unintended outcomes. Internal auditors need not possess the subject matter expertise of the algorithm’s programmer, but they should understand enough about the AI system development process to understand what the algorithm’s objective is, what data it is using as input and what criteria it is using to make decisions/predictions.

Internal auditors should focus on governance and controls around algorithm design and performance and seek to answer questions such as:

  • Is the algorithm biased in a way that is inconsistent with the company’s mission, ethics or values?
  • Is it producing outcomes that could lead the company to take risks that are inconsistent with its risk appetite?
  • Could the algorithm expose the company to legal/reputational risk as it relates to fairness and/or transparency?

Cyber Resilience

As noted in the IIA’s AI auditing framework, “the potentially disastrous effects of a cybersecurity breach involving AI cannot be overstated.”[ii] Most internal audit functions are already performing some form of assessment around their organization’s cyber resilience. Therefore, when it comes to AI, internal audit’s focus should be to ensure that risk exposures emerging from the organization’s use of AI are being accounted for and incorporated into the larger cybersecurity audit plan. It is critical that internal audit work collaboratively with IT, security, legal and other business areas to gain assurance that the organization is prepared to resist, respond to and recover from cyberattacks and to ensure that senior management and the board have an accurate understanding of the cyber risks facing the organization and its level of readiness.[iii]

Third-Party Risk Management

Whether the organization is leveraging vendors to provide cloud services, build AI applications, analyze data, or even provide an end-to-end AI solution, internal audit has a critical responsibility to ensure that sound third-party risk management practices are in place to safeguard the organization.

As organizations become more dependent on technology and data to operate and to create value, third-party relationships are becoming less one-way and increasingly interdependent. Where in the past, assurance in the form of periodic audit results and/or vendor-supplied performance metrics may have sufficed, internal audit should be prepared to work more collaboratively with third parties to provide a holistic view that operational and security vulnerabilities are being managed appropriately and that proactive measures are being taken to address emerging risks.[iv]

Compliance

As with any organizational activity, internal audit should be providing assurance that the company’s use of AI is in compliance with all relevant industry standards and regulations. While there is not yet a universally accepted set of AI standards, standards are being developed at several different levels. (ISO, for example, has published three AI-specific standards to date with more in development.) Organizations (and their internal audit groups) should have compliance with emerging standards on their radar as it relates to AI risk management.

Benefits/Value Delivery

Due to the emerging nature of AI technology, the urgency with which firms are trying to leverage AI to gain a competitive advantage and the hype in the marketplace surrounding AI’s potential, it may be less intuitive for internal audit to draw a line from AI initiatives to benefits and value delivery than with other initiatives it is more familiar with. Nevertheless, when looking at AI, the topic of return on investment (ROI) cannot be ignored.

Organizations that are starting out on their AI journeys may not yet have clear plans to align AI use cases to the business or recognize return on AI investment.[v] Ultimately, however, AI must be able to demonstrate that it is supporting the organization’s strategy and objectives, that it is meeting success criteria and that it is a better option than other tools, techniques and technologies.

Conclusion

If the organization is becoming increasingly reliant on AI for its operations and/or value creation, then internal audit need not wait until it has honed and polished its AI auditing approach or until a definitive, industry-standard AI auditing framework is established. Internal audit can begin delivering valuable assurance immediately by looking at areas that should be core components of any AI auditing framework. Doing this, and enhancing/adjusting its AI auditing approach over time, may be the best way to ensure that internal audit delivers valuable, AI-related assurance over the long term.

 


[i] Global Perspectives and Insights: Artificial Intelligence – Considerations for the Profession of Internal Auditing. The Institute of Internal Auditors. 2017.

[ii] Global Perspectives and Insights: Artificial Intelligence – Considerations for the Profession of Internal Auditing. The Institute of Internal Auditors. 2017.

[iii] Global Perspectives and Insights: Artificial Intelligence – Considerations for the Profession of Internal Auditing. The Institute of Internal Auditors. 2017.

[iv] Spusta, R. “Third-Party Risks Need New Approaches.” May 28, 2019. https://securityintelligence.com/posts/third-party-risks-need-new-approaches/

[v] Auditing Artificial Intelligence. ISACA. 2018.


Tags: Artificial Intelligence (AI), Big Data, Reputation Risk, Third Party Risk Management
Kevin Alvero and Randy Pierson

Kevin M. Alvero, CISA, CFE, is Senior Vice President, Internal Audit, Compliance and Governance at Nielsen. Kevin leads the internal quality audit program for Nielsen Global Media, as well as its industry standards compliance initiatives, including the external accreditation process. Kevin began his career with Nielsen in 2003 and has been leading the Internal Audit department since 2010. In addition to his audit expertise, Kevin possesses more than a decade of experience with traditional audience measurement and digital ad measurement. Kevin is a Certified Fraud Examiner (CFE) and Certified Information Systems Auditor (CISA). He is also a member of the Board of Governors for the Institute of Internal Auditors (IIA) Florida West Coast chapter.
Randy Pierson is a Manager in the Nielsen Internal Audit department with eight years of experience serving the measurement & technology industry. For the past three years, Randy has been a member of Nielsen’s Internal Audit department. In this capacity, he has conducted and supported internal and external audits for various Nielsen products. Prior to joining Nielsen, Randy worked with the Advisory Media & Entertainment practice of EY for five years, providing attest and advisory services to companies conducting media research in the U.S. on behalf of the Media Rating Council. Randy led a number of teams in this capacity, focusing primarily in the area of digital advertising. Randy is a Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).

© 2025 Corporate Compliance Insights
