5 Ways to Start Building AI into your Internal Audit and Control Programs
Given the number of questions Risk Oversight receives about AI and steps companies should be taking, we wanted to share our thoughts on generative AI and what we need to be doing right now as professionals, leaders, and organizations. A year ago, we will admit to being initially skeptical about its impact. But over the past 6 months–prodded by conversations, conferences, and colleagues–we’ve taken a more proactive approach. We began testing specific business cases and applications of AI in our own business, in our client work, and with some initial advising. Our conclusion: Generative AI is changing the landscape for internal control, internal audit, and GRC (or governance, risk, and compliance).
But first, let’s remember what hasn’t changed. For a decade or more, there has been a move away from manual, low-value transactional testing and filling in templates and forms toward more focus on value-added work and advisory services. Internal audit and internal control programs are no longer about going through motions or the superficial or mechanical aspects of what we’re doing (e.g., walkthroughs, processes, diagrams, test procedures). They are much more about working with the business collaboratively to solve problems, find solutions, and drive improvements.
What’s new is the pace of that shift. Generative AI is set to accelerate this movement by challenging the complacency that sometimes creeps into our professions and industries. There’s a lot of talk about the need for continuous monitoring, automation and data analytics and AI will–and has–turbocharged many of these existing programs specifically for larger enterprises. The Association of Chartered Certified Accountants (ACCA) estimates that AI can reduce audit costs by up to 30% by automating repetitive tasks. But what’s not to be overlooked is that many (if not most) of the immediate benefits will be found in the day-to-day tasks we perform for companies of all sizes, not just the big ones. For instance, AI can streamline note taking, speed up editing and copyediting processes, and help us to create or refine our templates, or answer our questions more quickly.
The impact of AI is not about replacing our professional judgment—it’s about doubling down on our expertise and freeing up time for more valuable insights.
For the year ahead, we have a few recommendations to consider:
- Engage Leadership: Start a dialogue with your board and leadership about AI. AI is becoming increasingly strategic. We’d like to see these conversations being formally documented in board meetings in the coming year. (For excellent information on AI discussions for the Board, check out this Harvard Law School Forum article here.)
- Embrace Innovation: Internal audit, internal control, and GRC professionals need to foster a spirit of innovation and experimentation in our teams. It’s okay to take risks and try new tools—even if it means occasionally being wrong. This will mean a dramatic mindset shift for internal audit and internal control professionals who thrive on routine and process.
- Focus on Information and Data: Good data is the lifeblood of AI. While there’s plenty of talk about AI readiness reviews and audits, many organizations still need to tackle basic information and data housekeeping. Baby steps first. You need to do basic information management reviews first. (We have a YouTube video if you are looking for help in this area.)
- Get Ready for Next-Gen Accounting Systems: While this is broader than AI, next-gen accounting systems are being rolled out which use data more effectively and are thus in a better position to use AI. There is a growing intolerance for sloppy, manual, or inefficient processes that needs to be built into internal control and internal audit work.
- Learn About AI Governance and AI Vision: Although none of us are deep experts in AI governance just yet, it’s important to at least start developing a vision. Your AI vision doesn’t have to be perfect from the get-go, but setting a clear tone at the top will help guide your organization through these changes. Internal audit and internal control will play a role in stickhandling or monitoring the roll out of AI governance programs.
If we are perfectly honest with you, we expect our own views around AI to evolve over the coming year. We are eager to continue this conversation with you. If you have different thoughts or find that some of these ideas resonate with your experiences, we’d love to hear from you. Let’s navigate this transformative period together, keeping our practices both innovative and grounded in solid professional judgment.
Are you interested in participating in a peer group to discuss AI and the impact on our work? Risk Oversight is in the process of organizing some group sessions. If you have any ideas or would like to speak, participate or have any ideas to share, please let us know.