Cognitive Technology in Auditing Practices

Dear AI Auditors, Foundations of AI Audit AI has quickly moved from “emerging tech” to business-critical systems. Banks use it to flag fraud. Insurers use it to price policies. HR teams use it to screen candidates. Customer service depends on chatbots powered by large models. But most audit functions still don’t have a tested playbook for AI. This gap creates blind spots at exactly the time when regulators, investors, and the public are asking tougher questions about trust. If you’re leading or participating in AI audits, here are the foundations you can’t afford to ignore: 📌 Define the Scope Clearly Don’t audit AI in the abstract. Focus on systems that shape financial reporting, compliance obligations, or customer outcomes. A fraud detection model or claims assessment tool deserves priority over a low-impact internal chatbot. 📌 Understand AI Evidence Types AI doesn’t always produce “traditional” evidence. You’ll need artifacts like training data lineage, system logs, model documentation, and bias test results. Decide up front what will count as valid audit evidence. 📌 Check Governance Structures Who owns AI risk in your organization? If no one can answer clearly, you’ve uncovered a governance gap. Look for oversight committees, a Chief AI Officer role, or designated control owners. 📌 Assess Data Integrity Models are only as reliable as their inputs. Confirm whether the data is authorized, accurate, and complete. Ask how often it is refreshed? How is quality measured? Who signs off? 📌 Review Model Transparency If management can’t explain why a model makes certain decisions, the risk is already high. Auditors should look for explainability tools, model cards, or other documentation that turns the “black box” into something testable. 📌 Evaluate Monitoring and Drift Detection Models age. They lose accuracy as real-world conditions shift. Look for monitoring dashboards, alert thresholds, and documented retraining cycles. 📌 Link AI to Business Objectives Every AI system should connect to measurable goals, cost savings, fraud reduction, and customer satisfaction. If the business case is weak, even a well-governed system may not justify the risk exposure. Auditors who master these foundations will protect their organizations from regulatory penalties, reputational damage, and costly AI failures. Those who don’t risk leaving critical blind spots unchecked. AI isn’t optional anymore. Neither is AI audit readiness. #AIAudit #AuditLeadership #AIControls #AIGovernance #ModelRisk #InternalAudit #GRC #AITrust #AuditCommunity #RiskManagement #CyberYard #CyberVerge

🚀 AI Auditing– The Next Big Scope AI is now part of daily business, but unlike regular IT systems, it works like a “black box.” Auditing AI is key to ensure it stays secure, fair, and compliant. 🔍 Why AI Needs Auditing AI brings unique risks: Bias & unfairness – bad data can lead to wrong or discriminatory results. Lack of clarity – many AI models don’t explain how they make decisions. Model drift – accuracy drops as real-world data changes. Data privacy – risk of sensitive data misuse. Regulations – new laws (EU AI Act, DPDP,GDPR) demand strong oversight. 🛡️ Key Areas for AI Auditing 1. Governance Clear AI governance policy and roles. Management and board-level oversight. 2. Data & Privacy Training data must be complete, accurate, unbiased. Compliance with privacy laws and consent rules. Controls against data misuse or tampering. 3. Model Risk Testing for accuracy and fairness before use. Ongoing monitoring for drift or errors. Documented audit trail of decisions. 4. Security Access control to AI tools and models. Protection from attacks or manipulation. Logs and monitoring of AI activities. 5. Explainability Can AI decisions be explained to users, auditors, or regulators? Escalation process if AI makes a mistake. 6. Third-Party Risk Vendor SLAs, certifications, and compliance checks. Continuous monitoring of outsourced AI tools. 7. Ethics & Impact Alignment with fairness and company ethics. Guardrails to prevent misuse like deepfakes or biased hiring. Assessment of AI’s effect on employees and customers. ✅ AI Audit Checklist 1. AI Governance Policy – Check if the organization has a documented AI governance framework with clear roles, responsibilities, and oversight from management/board. 2. Data Quality & Bias Testing – Review how training data is collected, validated, and tested for errors, gaps, or hidden bias. Ensure data complies with privacy laws. 3. Model Drift & Monitoring – Confirm that AI models are regularly monitored, retrained, and recalibrated to maintain accuracy and relevance over time. 4. Audit Trail of Decisions – Verify if AI tools maintain logs and documentation that can explain how specific decisions or outputs were made. 5. Vendor Compliance Reports – For third-party AI tools, check contracts, certifications (ISO, SOC), and ongoing compliance with security and ethical standards. 6. Regulatory Compliance – Ensure the AI system meets requirements under laws like EU AI Act, GDPR, DPDP Act, or industry-specific standards. 7. Backup & Contingency Plans – Review if there are manual or alternative processes in case the AI system fails or produces incorrect results. 🌟 The Opportunity for IT Auditors The rise of AI means IT auditors must move beyond traditional checks and provide assurance on AI governance, ethics, and compliance. 👉 AI Governance & Audit is a new career path for IT auditors, blending audit, risk, data, and regulation—making them trusted advisors in an AI-first world.

16 Things I Don’t Understand About How Internal Audit Is Approaching AI After 30+ years in Internal Audit, I’ve never seen a bigger mismatch between what’s coming and how we’re preparing. We are living through the greatest remodelling of our profession not just in a generation; not in our careers; not in our lifetimes but in the history of the profession. With that foundation it still concerns me that there is not greater urgency being afforded this moment. With it comes a whole suite of things that I still don’t understand about how Internal Audit is approaching AI. 1 - Why so many teams still think “AI” is a future topic - when it’s already in every control environment they audit. 2 - Why we’re waiting for someone to define “AI assurance,” instead of shaping it ourselves. 3 - Why our audit methodologies haven’t changed, even though the objects of assurance - data, models, agents -have. 4 - Why we treat AI as a risk, not as a capability that can transform assurance. 5 - Why Audit Committees aren’t demanding AI literacy from their CAEs. 6 - Why so few internal audit plans include model governance when every large organisation already has machine learning in production. 7 - Why auditors fear using AI tools, as if independence disappears when efficiency improves. 8 - Why we’re still sampling transactions when AI can analyse 100 percent in real time. 9 - Why “bias testing” isn’t part of our control frameworks. 10 - Why audit leaders aren’t building AI prompt libraries the way they built workpaper templates. 11 - Why we pretend vendor “AI ethics” statements are assurance evidence. 12 - Why our training budgets cover soft skills - but not how to understand synthetic data or model interpretability. 13 - Why so few CAEs are collaborating across functions (risk, compliance, data science) to map AI control coverage. 14 - Why most “AI in Audit” discussions stop at data analytics - as if assurance ends where automation begins. 15 - Why we ignore the cultural shift required: curiosity over compliance, iteration over inspection. 16 - And why we keep saying “we’ll get to it next year,” as if the pace of change will politely wait for us. The uncomfortable truth? If Internal Audit doesn’t lead the assurance conversation on AI, someone else will.

Before, we audited just controls. Now, we audit algorithms. That’s how fast our world is changing. AI is no longer “supporting” the business. It is the business. And that changes everything about assurance. AI doesn’t run like a traditional system, It learns. ↳ Sometimes from labeled data, ↳ Sometimes from hidden patterns, ↳ Sometimes by trial and error. Each pathway brings its own risks. And if we, as auditors and governance professionals, don’t follow the entire lifecycle from data acquisition to ongoing monitoring, we risk missing the very things that can break trust: ↳ Data quality slipping under the radar ↳ Bias embedding itself in outputs ↳ Documentation failing compliance checks ↳ Ethical blind spots with real human consequences The technical checks matter. Yes, they do! But the bigger question is: Does this AI serve the business with ROI, accountability, and human impact in mind? That’s where our expertise in risk, governance, and ethics becomes invaluable. We’re not here to slow innovation. We're here to make sure innovation and control advance together. Because the future of auditing isn’t about systems supporting the business. It’s about providing assurance over systems that are the business. And that’s a responsibility I take seriously. #AIGovernance #InternalAudit #ResponsibleAI #RiskManagement #TechEthics

In my recent posts, I have shared how Internal Audit can evolve through AI, help the organization adopt it responsibly, and even participate in the building phase so governance is embedded from the start. All of these themes point toward the natural next step in our journey, one I promised to explore: how we will audit AI itself. Auditing AI is not about reviewing a traditional system. It requires us to understand how data flows, how models learn, and how decisions are generated. It demands that we expand our mindset beyond static controls and into a world where algorithms are dynamic, adaptive, and constantly evolving. And it requires Internal Audit to step confidently into new territory as both a challenger and an enabler. The good news is that the foundation has been forming through every step of our transformation. By adopting AI in our own work, we have learned how models behave. By helping the C-Suite, and others shape their AI strategies, we have gained insight into the infrastructure and guardrails required. By being part of the building phase, we have seen firsthand where transparency can break down and where governance must step in. All of this prepares us to audit AI with purpose and clarity. Auditing AI will mean confirming that algorithms operate fairly, consistently, and ethically. It will mean evaluating training data for bias, reviewing model drift, and validating outputs against expected behavior. It will mean ensuring that human oversight is present where judgment is required, and that accountability does not disappear behind the complexity of the model. Most importantly, it will mean protecting the organization from unintended consequences while still enabling innovation to move forward. This next chapter is not theoretical, it is becoming essential...As AI becomes more embedded in forecasting, talent decisions, operational routing, cybersecurity, and financial processes, the organization will look to Internal Audit to help ensure that these systems operate with integrity. Auditing AI is not just a new skill set. It is a natural extension of the philosophy we have embraced: that Internal Audit is here to guide the organization into the future with confidence. So here is the question: As AI becomes part of every major process, will Internal Audit be ready to assure not just the controls around the system, but the intelligence inside it?

AI is transforming GRC and Internal Audit by improving speed, coverage, and insight. In GRC, it supports activities such as monitoring regulatory changes, identifying emerging risks, analyzing third-party exposures, detecting anomalies, and strengthening compliance oversight. In Internal Audit, AI helps enhance risk assessment, audit planning, control testing, document review, continuous auditing, and exception analysis. This allows teams to focus more on high-risk areas and strategic judgment rather than manual and repetitive tasks. At the same time, AI introduces new risks that must be governed carefully. These include inaccurate outputs, bias, limited explainability, data privacy concerns, cybersecurity exposure, and overreliance on automated results. Therefore, organizations should view AI in two ways: as a tool that strengthens GRC and audit work, and as a subject that itself requires governance and assurance. A sound approach includes clear accountability, approved use cases, human oversight, data controls, monitoring, and periodic internal audit review to ensure AI is used responsibly and effectively. I believe that, by now, most GRC and Internal Audit functions have already positioned AI as a key initiative and a strategic pillar within their overall transformation agenda, which requires clear governance, the right skills, disciplined implementation, and strong oversight to ensure its use delivers value in a responsible and effective manner.

AI is being deployed faster than it is being audited. Many organizations are deploying AI into critical processes without a clear method to evaluate security, risk, and accountability. That gap creates exposure most teams do not see until it becomes a problem. I created an AI Security Audit Checklist to bring structure and clarity to how AI systems are assessed in real environments. It is built from a practitioner’s perspective and designed to help auditors, security leaders, and risk professionals evaluate AI across governance, model development, data security, infrastructure, monitoring, and regulatory expectations. This is not a theoretical framework. It focuses on audit execution. What to review. What evidence to request. What controls matter. How to align with standards such as ISO 42001, GDPR, SOC 2, OWASP for LLMs, and the NIST AI Risk Management Framework. AI introduces risks traditional audits were never designed to address. If your audit approach has not evolved, important risks remain unchecked. I am sharing the checklist to support professionals working to bring trust and assurance into AI adoption. What is the biggest challenge you face when auditing AI systems today? #AISecurity #AIAudit #AI Governance #CyberSecurity #ITAudit #RiskManagement #AICompliance #GRC #ResponsibleAI #DigitalTrust

📋 𝐈𝐒𝐀𝐂𝐀 𝐑𝐞𝐰𝐫𝐨𝐭𝐞 𝐈𝐭𝐬 𝐈𝐓 𝐀𝐮𝐝𝐢𝐭 𝐅𝐫𝐚𝐦𝐞𝐰𝐨𝐫𝐤 𝐟𝐨𝐫 𝐭𝐡𝐞 𝐀𝐈 𝐄𝐫𝐚. 𝐈𝐟 𝐘𝐨𝐮𝐫 𝐀𝐮𝐝𝐢𝐭 𝐏𝐫𝐚𝐜𝐭𝐢𝐜𝐞𝐬 𝐇𝐚𝐯𝐞𝐧'𝐭 𝐂𝐡𝐚𝐧𝐠𝐞𝐝, 𝐓𝐡𝐞𝐲 𝐍𝐞𝐞𝐝 𝐓𝐨. ISACA released ITAF 5th Edition, the first major update since 2020. The technology landscape has shifted fundamentally with AI, cloud, and automation. Audit practices need to reflect that. For those of us in financial services, where regulators expect assurance over every layer of the technology stack, this update is overdue. 🎯 𝐖𝐡𝐲 𝐈𝐭 𝐌𝐚𝐭𝐭𝐞𝐫𝐬 𝐟𝐨𝐫 𝐅𝐢𝐧𝐚𝐧𝐜𝐢𝐚𝐥 𝐒𝐞𝐫𝐯𝐢𝐜𝐞𝐬: ➜ AI governance under scrutiny. Financial regulators are tightening expectations on AI model risk management. ITAF 5 now includes dedicated AI/ML audit guidance aligned with ISACA's broader digital trust ecosystem. ➜ Continuous assurance is no longer optional. DORA and supervisory frameworks demand near real-time oversight of ICT risk. The expanded scope covers continuous assurance and agile auditing, both critical for regulated institutions. ➜ Audit sampling has evolved. Updated companion guideline 2208 reflects data-driven, technology-enabled sampling approaches. For financial institutions processing millions of transactions, this is a direct operational upgrade. 🛡️ 𝐊𝐞𝐲 𝐑𝐞𝐜𝐨𝐦𝐦𝐞𝐧𝐝𝐚𝐭𝐢𝐨𝐧𝐬: 1️⃣ Reassess your IT audit methodology against ITAF 5's expanded scope: cloud, AI/ML, automation, and data analytics. 2️⃣ Align your audit planning and fieldwork processes with the new digital trust integration requirements. 3️⃣ Upgrade your sampling strategy using guideline 2208 to leverage technology-enabled, data-driven approaches. 💡 𝐁𝐨𝐭𝐭𝐨𝐦 𝐋𝐢𝐧𝐞: ✓ Audit teams that still operate with pre-2020 practices are assessing yesterday's risk landscape ✓ ITAF 5 bridges the gap between traditional IT controls and modern technology assurance ✓ Regulators will reference these standards in examination guidance sooner than most expect The audit function in financial institutions cannot afford to lag behind the technology it is supposed to assure. ITAF 5 provides the updated baseline. 💬 Has your IT audit team updated its methodology to account for AI and continuous assurance? #Cybersecurity #Audit #Cyber #Security #ITAudit #ISACA #ITAF #FinancialServices #GRC #DigitalTrust #AIGovernance #Compliance ISACA Switzerland

Governing AI in Action: What Internal Auditors Need to Know! The gap between AI governance principles and practice is a big audit challenge. I believe every audit teams should be aware of several key implications around AI. 𝟭. Organizations should start building "compute thresholds" where AI systems trigger enhanced governance requirements, such as, defined AI risk tiers and corresponding controls. Starting from applicable AI Act and categorize usage of AI systems in your organisation into levels like unacceptable, high, limited, and minimal risk. 𝟮. The global and local 𝗔𝗜 𝗔𝗰𝘁𝘀 and 𝗦𝘁𝗮𝗻𝗱𝗮𝗿𝗱𝘀 like ISO 42001 are not just compliance checks, these laws will become the global baseline while contracting, mapping your AI use cases against the prohibited/high-risk categories 𝗡𝗢𝗪!! 𝟯. Industry self-governance (Frontier Model Forum) is evolving into de facto standards, benchmarking your AI governance against these emerging frameworks will give you a pace of mind in the near future. 𝟰. Traditional 12-month audit cycles can't keep pace with technology development anymore. Therefore, advocate for continuous monitoring and real-time governance metrics 𝗡𝗢𝗪!! 𝗧𝗵𝗲 𝗕𝗼𝘁𝘁𝗼𝗺 𝗟𝗶𝗻𝗲 𝗳𝗼𝗿 𝗔𝘂𝗱𝗶𝘁𝗼𝗿𝘀: We're not just auditing AI controls we're auditing the speed of governance evolution itself. The organizations that bridge this gap will be tomorrow's AI governance leaders. 𝗬𝗼𝘂𝗿 𝗡𝗲𝘅𝘁 𝗠𝗼𝘃𝗲: Start treating AI governance as a dynamic system requiring adaptive audit approaches, not static compliance checks. #InternalAudit #AIGovernance #ITAudit #AICompliance #AuditInnovation #RiskManagement #ArtificialIntelligence #Governance #Compliance #TechAudit

6 AI tools every CA practice should incorporate, not for speed, but for precision! Across audit, tax, and advisory, AI is shifting from an optional enhancement to a core competence. For firms shaping their next decade, these six categories of AI tools create tangible, measurable value. 1. AI-Driven Ledger Review Systems Tools that scan entire ledgers, auto-flag misclassifications, detect unusual entries, and prepare exception summaries. Ideal for reducing review fatigue during audit season and improving sampling accuracy. 2. Document Intelligence & OCR Engines Advanced OCR tools extract data from invoices, contracts, bank statements, 26AS, GSTR-2B, Form 3CD annexures — with 95%+ accuracy. Game-changer for teams spending hours on manual vouching. 3. AI-Based Compliance Trackers Platforms that track due dates for TDS, GST, ROC, ITR, audits… and auto-allocate tasks to teams. Reduces penalty-risk and improves accountability across branches. 4. Predictive Analytics Models for Tax & Finance AI tools that forecast cash flows, estimate tax liabilities, simulate 115BAC regime outcomes, and identify Section 43B or MAT adjustments before closing books. 5. Automated Drafting Assistants AI writing systems that prepare first drafts of notices, replies, partnership deeds, ESOP documents, 142(1) responses, and internal audit reports — which CAs can refine. Saves 40–60% drafting time. 6. Client-Facing AI Chat Platforms Custom bots trained on a firm’s processes that answer basic client queries, share documents, provide filing status, and reduce repeated follow-ups — while maintaining confidentiality. Incorporating AI is not about replacing human judgement, it is about amplifying the speed and depth of technical expertise. Follow CA Sanjay Agarwal for clear, practical insights on restructuring, valuation and tax law. #tech #ai #founders #valuation #taxplanning #cacommunity