The Assurance Challenge: Auditing AI Systems
Auditing AI systems requires a different analytical framework from auditing conventional IT systems. Traditional IT audit assesses whether systems are designed and operating as intended. AI systems introduce a more complex question: the system may be operating exactly as designed and still producing outcomes that are systematically biased, strategically misaligned, or harmful to specific groups. The control question for AI is not only whether the system works, but whether it is producing the outcomes the organisation actually wants and can justify.
Internal auditors approaching AI assurance for the first time should focus on three foundational questions. First, what decisions is the AI making or influencing, and who is accountable for those decisions? Many organisations have deployed AI tools without clearly assigning human accountability for outputs. Second, what data was the model trained on, and what biases may have been encoded in that training data? Third, how is the model's performance monitored after deployment, and what governance process exists for identifying and addressing performance degradation or unexpected outputs?
Governance of AI: The Audit Checklist
Effective AI governance requires: documented AI policies; defined roles for AI ownership and accountability; model risk management processes, including validation before deployment and ongoing monitoring afterwards; data governance frameworks ensuring training data quality and appropriate use; explainability requirements for AI systems making material decisions; and escalation pathways for when AI systems produce anomalous outputs.
A common governance gap is the absence of an AI inventory. Management cannot govern AI risk if it does not know which AI systems are in use, by whom, and for what decisions. Auditing the completeness of the AI inventory — and the process for adding new systems to it — is often the most impactful starting point for an AI governance audit.
Algorithmic Bias and Fairness
Algorithmic bias is one of the most consequential AI risks for organisations in regulated sectors. AI systems used in credit decisions, hiring, pricing, or healthcare allocation that produce systematically different outcomes for protected groups expose organisations to regulatory, legal, and reputational risk. Internal auditors assessing AI fairness should look for documented bias testing prior to deployment, ongoing monitoring of outcome distributions by demographic group, and governance processes for responding when disparate outcomes are identified.
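The "ongoing monitoring of outcome distributions by demographic group" described above can be made concrete as a recurring check over the decision log. The following is an added example, not code from the original article: it computes the favourable-outcome rate per group, the ratio of the lowest rate to the highest (a disparate impact ratio), and flags the result when the ratio falls below a threshold. The threshold of 0.8, the minimum group size of 10, and the decision records are all constructed assumptions for illustration; a real programme would set them according to its own legal and statistical advice.

```python
from collections import defaultdict

# Constructed sample of logged model decisions (not real data). Each record is
# (demographic group label, decision); 1 is the favourable outcome (e.g. approved).
SAMPLE_DECISIONS = [
    ("A", 1), ("A", 1), ("A", 0), ("A", 1), ("A", 1),
    ("A", 0), ("A", 1), ("A", 1), ("A", 1), ("A", 0),
    ("B", 1), ("B", 0), ("B", 0), ("B", 1), ("B", 0),
    ("B", 0), ("B", 0), ("B", 1), ("B", 0), ("B", 0),
    ("C", 1), ("C", 0),  # too few records to draw a conclusion about group C
]

# Hypothetical parameters: a ratio below DEFAULT_THRESHOLD is escalated for review
# (the "four-fifths" rule of thumb used in selection-rate analysis); groups with
# fewer than MIN_GROUP_SIZE records are reported but not scored.
DEFAULT_THRESHOLD = 0.8
MIN_GROUP_SIZE = 10


def outcome_rates(decisions, min_group_size=MIN_GROUP_SIZE):
    """Return ({group: favourable-outcome rate} for groups with enough records,
    [groups skipped because they are too small to assess])."""
    favourable = defaultdict(int)
    total = defaultdict(int)
    for group, decision in decisions:
        total[group] += 1
        if decision == 1:
            favourable[group] += 1
    rates, skipped = {}, []
    for group in sorted(total):
        if total[group] < min_group_size:
            skipped.append(group)
        else:
            rates[group] = favourable[group] / total[group]
    return rates, skipped


def disparate_impact(rates):
    """Ratio of the lowest group's rate to the highest group's rate.
    Returns (ratio, highest_group, lowest_group); ratio is None when no
    comparison is possible (fewer than two groups, or nobody is approved)."""
    if len(rates) < 2:
        return None, None, None
    highest = max(rates, key=rates.get)
    lowest = min(rates, key=rates.get)
    if rates[highest] == 0:
        return None, highest, lowest
    return rates[lowest] / rates[highest], highest, lowest


def fairness_check(decisions, threshold=DEFAULT_THRESHOLD):
    """One monitoring run: per-group rates, the impact ratio, and a flag
    indicating whether the disparity exceeds the escalation threshold."""
    rates, skipped = outcome_rates(decisions)
    ratio, highest, lowest = disparate_impact(rates)
    return {
        "rates": rates,
        "skipped_small_groups": skipped,
        "impact_ratio": ratio,
        "reference_group": highest,
        "disadvantaged_group": lowest,
        "flagged": ratio is not None and ratio < threshold,
    }


if __name__ == "__main__":
    result = fairness_check(SAMPLE_DECISIONS)
    for group, rate in result["rates"].items():
        print(f"group {group}: favourable-outcome rate {rate:.2f}")
    print(f"impact ratio {result['impact_ratio']:.2f} "
          f"({result['disadvantaged_group']} vs {result['reference_group']}), "
          f"flagged={result['flagged']}, "
          f"not assessed={result['skipped_small_groups']}")
```

Run on the constructed sample, group A is approved 70% of the time and group B 30%, giving a ratio of about 0.43, which is flagged; group C is reported as unassessed rather than silently dropped, so the auditor can see where the monitoring has no statistical footing. An auditor reviewing such a control would look for evidence that the check runs on a schedule, that its thresholds are documented, and that flagged runs reach the escalation pathway the governance framework defines.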
AI as an Audit Tool: Practical Applications
The most mature AI audit applications are in data analytics: using machine learning to identify anomalies in large transaction datasets that traditional sampling cannot detect, applying natural language processing to review large volumes of contracts or communications for red flags, and using predictive analytics to identify higher-risk entities for targeted audit coverage.
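As an added illustration of the anomaly-detection use case above (not code from the original article), the block below scores each transaction against its own vendor's baseline using a robust z-score (distance from the median, scaled by the median absolute deviation), which is not distorted by the outliers it is trying to find. The transactions, the vendor names, the 3.5 score threshold and the minimum of five records per vendor are constructed assumptions; the approach generalises to any numeric attribute for which a per-entity baseline makes sense.

```python
from collections import defaultdict
from statistics import median

# Constructed transaction sample (not real data): (transaction id, vendor, amount).
SAMPLE_TRANSACTIONS = [
    ("T001", "ACME", 1020.0), ("T002", "ACME", 980.0), ("T003", "ACME", 1005.0),
    ("T004", "ACME", 995.0), ("T005", "ACME", 1010.0), ("T006", "ACME", 9800.0),
    ("T007", "ZENITH", 250.0), ("T008", "ZENITH", 250.0), ("T009", "ZENITH", 250.0),
    ("T010", "ZENITH", 250.0), ("T011", "ZENITH", 2500.0),
    ("T012", "NEWCO", 400.0),  # a single record: no baseline, cannot be scored
]

MAD_SCALE = 1.4826   # makes the MAD comparable to a standard deviation for normal data
MIN_BASELINE = 5     # hypothetical minimum records per vendor before scoring
DEFAULT_THRESHOLD = 3.5  # hypothetical cut-off on the modified z-score


def robust_scores(amounts):
    """Modified z-score for each amount: |x - median| / (MAD_SCALE * MAD)."""
    med = median(amounts)
    mad = median(abs(x - med) for x in amounts)
    if mad == 0:
        # Every amount equals the median: any deviation at all is exceptional,
        # so score it as infinite rather than dividing by zero.
        return [float("inf") if x != med else 0.0 for x in amounts]
    return [abs(x - med) / (MAD_SCALE * mad) for x in amounts]


def detect_anomalies(transactions, threshold=DEFAULT_THRESHOLD, min_baseline=MIN_BASELINE):
    """Group by vendor, score each amount against that vendor's baseline, and
    return (flagged rows sorted by id, vendors skipped for lack of a baseline)."""
    by_vendor = defaultdict(list)
    for tx_id, vendor, amount in transactions:
        by_vendor[vendor].append((tx_id, amount))
    flagged, skipped = [], []
    for vendor, rows in by_vendor.items():
        if len(rows) < min_baseline:
            skipped.append(vendor)
            continue
        scores = robust_scores([amount for _, amount in rows])
        for (tx_id, amount), score in zip(rows, scores):
            if score > threshold:
                flagged.append((tx_id, vendor, amount, score))
    return sorted(flagged), sorted(skipped)


if __name__ == "__main__":
    flagged, skipped = detect_anomalies(SAMPLE_TRANSACTIONS)
    for tx_id, vendor, amount, score in flagged:
        print(f"{tx_id} {vendor} {amount:>9.2f} score={score:.1f}")
    print("vendors without a usable baseline:", skipped)
```

On the constructed data the ACME payment of 9,800 and the ZENITH payment of 2,500 are flagged while the ordinary fluctuations around each vendor's typical amount are not, and NEWCO is listed as unscorable rather than ignored. The scores are a prioritisation aid for audit follow-up, not a conclusion: a flagged transaction still needs the supporting documentation reviewed, and the skipped vendors need a different procedure, since a model with no baseline is silent about exactly the new relationships an auditor may most want to examine.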
Generative AI applications — using large language models to assist in drafting audit reports, analysing interview transcripts, or summarising complex documents — require careful management. The risk of AI-generated content that is plausible but inaccurate is significant in an assurance context. Every AI-generated audit output requires human review before it enters the audit record.
The Competency Imperative
Providing assurance on AI systems requires competencies that most internal audit functions do not currently have. Understanding model risk management, algorithmic bias, data science concepts, and AI governance frameworks requires deliberate investment in training or strategic co-sourcing with AI specialists. Chief audit executives (CAEs) should be explicit with the board about current AI audit competency levels, the investment required to develop them, and the risk of the current gap. The organisations best positioned as AI adoption accelerates are those that begin building AI audit competency now, before the assurance obligations become acute.