GPI Artificial Intelligence
GPI Artificial Intelligence
GPI Artificial Intelligence
AND INSIGHTS
Artificial Intelligence – Considerations for the
Profession of Internal Auditing
Special Edition
About The IIA Contents
The Institute of Internal Auditors (IIA) Introduction .............................................................................................. 2
is the internal audit profession’s most
widely recognized advocate,
Putting AI Into Context .............................................................................. 2
educator, and provider of standards, AI – The Basics ........................................................................................... 3
guidance, and certifications.
Established in 1941, The IIA today Big Data and Algorithms ..................................................................... 3
serves more than 190,000 members Types of AI .......................................................................................... 3
from more than 170 countries and
territories. The association’s global
AI Opportunities and Risks ........................................................................ 4
headquarters are in Lake Mary, Fla., Opportunities...................................................................................... 4
USA. For more information, visit
Risks .................................................................................................... 4
www.globaliia.org.
Internal Audit’s Role .................................................................................. 5
Reader Feedback AI Competencies: Filling the Understanding Gap ............................... 6
Send questions or comments to Reemphasizing Cyber Resilience ........................................................ 6
[email protected].
AI Auditing Framework.............................................................................. 6
Previous Issues Strategy ............................................................................................... 6
Previous issues of Global Perspectives Components........................................................................................ 7
and Insights on a variety of topics can Closing Thoughts ....................................................................................... 8
be found at www.theiia.org/gpi.
Disclaimer
The opinions expressed in Global
Perspectives and Insights are not
necessarily those of the individual
contributors or of the contributors’
employers.
Copyright
Copyright © 2017 by The Institute of
Internal Auditors, Inc. All rights
reserved.
globaliia.org 1
Artificial Intelligence
Considerations for the Profession of Internal Auditing
Introduction This application was demonstrated publicly to a wide
audience in 2011 when IBM’s AI platform Watson won a
Artificial intelligence (AI) is a broad term that refers to Jeopardy! exhibition on prime time TV. According to IBM
technologies that make machines “smart.” Organizations Research, IBM is “guided by the term ‘augmented
are investing in AI research and applications to intelligence’ rather than ‘artificial intelligence,’” and
automate, augment, or replicate human intelligence — focuses “on building practical AI applications that assist
human analytical and/or decision-making — and the people with well-defined tasks.” Human expertise
internal auditing profession must be prepared to fully develops technologies to make machines smart, and
participate in organizational AI initiatives. smart machines, in turn, augment human capabilities.
There are many other terms related to AI, such as, deep There is already widespread application of AI across
learning, machine learning, image recognition, natural- diverse sectors (publicly held, privately held,
language processing, cognitive computing, intelligence government, and nonprofit) and industries. Consider, for
amplification, cognitive augmentation, machine example, that AI enables a number of new and novel
augmented intelligence, and augmented intelligence. AI, capabilities that were impossible just a few years ago:
as used here, encompasses all of these concepts.
Automobile manufacturers to develop self-driving
Putting AI Into Context vehicles.
AI is not new. According to the McKinsey Global Online search engines to deliver targeted search
Institute’s (MGI) discussion paper “Artificial Intelligence: results.
The Next Digital Frontier,” the idea of AI dates back to
Social media organizations to recognize faces in
1950 when Alan Turing first proposed that a machine photographs and filter newsfeeds.
could communicate well enough to convince a human
evaluator that it, too, was human. Media companies to recommend books or shows to
subscribers.
While AI represents a series of significant
Retailers to create customized online experiences for
advancements in technology, it was not the first, and shoppers.
likely will not be the last. Looking back over the last few
decades, the advent of computers, PCs, spreadsheets, Logistics companies to route optimal paths for
deliveries.
relational databases, sophisticated connectivity, and
similar technological advancements have all impacted Governments to predict epidemics.
how organizations operate and accomplish their
objectives. AI is poised to do the same with the
Marketing professionals to deliver hyper-
personalized content to customers in real time.
potential to be as or more disruptive than many
previous technological advances. Virtual assistants to use voice-controlled natural
language to interface with consumers.
AI can be viewed as the latest significant advancement
But it is not only new and novel activities affected by AI.
on a continuum of advancements that have occurred due
More mundane tasks that have been occurring for
to technology improvements. What is new is the
decades are being improved by AI such as loss modeling,
advancement and scalability of technologies that have
credit analysis, valuations, transaction processing, and a
unleashed the practical application of AI.
host of others.
globaliia.org 2
Global Perspectives: Artificial Intelligence
globaliia.org 3
Global Perspectives: Artificial Intelligence
others it interacts with have thoughts, The ability to reduce errors by replacing human
feelings, and expectations. A machine actions with perfectly repeatable machine actions.
embedded with Type III AI would be able to The ability to replace time-intensive activities with
understand others’ thoughts, feelings, and time-efficient activities (process automation),
expectations, and be able to adjust its own reducing labor time and costs.
behavior accordingly.
The ability to have robots or drones replace humans
Type IV. Self-awareness: A machine embedded with in potentially dangerous situations.
Type IV AI would be self-aware. An extension The ability to make better predictions, for everything
of “theory of mind,” a conscious or self-aware from predicting sales of certain goods in particular
machine would be aware of itself, know about markets to predicting epidemics and natural
its internal states, and be able to predict the catastrophes.
feelings of others.
The ability to drive revenue and grow market share
In other words, a Type II self-driving vehicle would decide through AI initiatives.
to change lanes when a pedestrian is in its path, simply Risks
because it recognizes the pedestrian as an obstacle. A
Type III self-driving vehicle would understand that the The risk that unidentified human biases will be
pedestrian would expect the vehicle to stop, and a Type imbedded in the AI technology.
IV self-driving vehicle would know that it should stop The risk that human logic errors will be imbedded in
because that is what the self-driving vehicle would want the AI technology.
if it (the self-driving vehicle) were in the path of another
oncoming vehicle. Wow.
The risk that inadequate testing and oversight of AI
results in ethically questionable results.
Most “smart machines” today are manifestations of Type The risk that AI products and services will cause
I or Type II AI. Ongoing research and development harm, resulting in financial and/or reputational
initiatives will enable organizations to advance toward damage.
practical applications of Type III and Type IV AI.
The risks that customers or other stakeholders will
not accept or adopt the organization’s AI initiatives.
globaliia.org 4
Global Perspectives: Artificial Intelligence
For all organizations, internal audit should include AI Internal audit should ensure the moral and ethical
issues that may surround the organization’s use of AI
in its risk assessment and consider whether to
are being addressed.
include AI in its risk-based audit plan.
For organizations exploring AI, internal audit should Like the use of any other major system, proper
governance structures need to be established and
be actively involved in AI projects from their
internal audit can provide assurance in this space.
beginnings, providing advice and insight contributing
to successful implementation. However, to avoid the Regardless of the specific activities performed, internal
perception of or actual impairments to both audit is well-suited to be a key contributor to an
independence and objectivity, internal audit should organization’s AI-related activities. Internal audit:
not own, nor be responsible for, the implementation
of AI processes, policies, or procedures. Understands the strategic objectives of the
organization, and the processes implemented to
For organizations that have implemented some achieve those objectives.
aspect of AI, either within its operations (such as a
manufacturer using robotics on a production line) or Is able to evaluate whether AI activities are
accomplishing their objectives.
incorporated into a product or service (such as a
retailer customizing product offerings based on Can provide internal assurance over management’s
purchase history), internal audit should provide risk management activities relevant to AI risks.
assurance on management of risks related to the Is perceived as a trusted advisor that can positively
reliability of the underlying algorithms and the data support the adoption of AI to improve business
on which the algorithms are based. processes or enhance product and service offerings.
globaliia.org 5
Global Perspectives: Artificial Intelligence
Internal auditing should approach AI as it approaches the board, and the audit committee. A good place to
everything — with systematic, disciplined methods to start is with The IIA’s thought leadership on AI, and The
evaluate and improve the effectiveness of risk IIA’s supplemental guidance on topics like big data and
management, control, and governance processes talent management.
related to AI.
Reemphasizing Cyber Resilience
AI Competencies: Filling the Understanding Gap Cybersecurity threats continue to define our times. The
The pool of talent for technology professionals with AI adoption and evolution of AI will force organizations to
expertise is reportedly small. Organizations who want to reemphasize their cyber resilience capabilities. As AI
participate in the AI revolution need to grow or acquire becomes more powerful and more decisions are handed
talent with competencies in a multitude of areas such as: off to new, complicated, and opaque algorithms, using
huge data sets, protecting these systems from outside,
Natural language processing. malevolent forces is critical to success. A 2014 EY report
Application program interfaces (APIs) such as facial defined cyber resilience as the ability to resist, react to,
recognition, image analytics, and text analytics. and recover from cyberattacks — and modify an
environment to increase security and sustainability over
Algorithms and advanced modeling.
time. Cyber resiliency is critical for any organization
Probabilities and applied statistics. relying increasingly on AI.
Data analytics.
Among all the complexity surrounding cybersecurity,
Software engineering. there are four key areas where internal audit can have an
Machine learning.
Provide assurance over readiness and response to
Computer vision. cyber threats.
globaliia.org 6
Global Perspectives: Artificial Intelligence
obvious extension of the organization’s overall digital Information privacy and security throughout the
or big data strategy — organizations with a well- data lifecycle (data collection, use, storage, and
developed and implemented digital/big-data strategy destruction).
are one step ahead in AI. According to MGI,
organizations that “combine strong digital capability, Roles and responsibilities for data ownership and
use throughout the data lifecycle.
robust AI adoption, and a proactive strategy see
outsize financial performance.” Data Quality
The completeness, accuracy, and reliability of the data on
Internal audit must consider an organization’s AI
which AI algorithms are built are critical. Unfortunately, it
strategy first. Does the organization have a defined
is not unusual for organizations to have a poorly defined,
strategy toward AI? Is it investing in AI research and
incoherent structure to their data. Often, systems do not
development? Does it have plans in place to identify
communicate with each other or do so through
and address AI threats and opportunities? AI can
complicated add-ons or customizations. How this data is
become a competitive advantage for organizations, and
brought together, synthesized, and validated is crucial.
internal audit should help management and the board
realize the importance of formulating a deliberate AI Measuring Performance of AI
strategy consistent with the organization’s objectives.
As organizations integrate AI into their activities,
performance metrics should be defined to tie AI activities
Components
to business objectives and clearly illustrate whether AI is
AI Governance effectively supporting the achievement of those
AI governance refers to the structures, processes, and objectives. Management must actively monitor the
procedures implemented to direct, manage, and performance of its AI activities.
monitor the AI activities of the organization in pursuit
of achieving the organization’s objectives. The level of The Human Factor
formality and structure for an organization’s AI Algorithms are developed by humans. Human error and
governance will vary based on the specific biases (both intentional and unintentional) will impact
characteristics of that organization. Regardless of the the performance of the algorithm. The human factor
specific approach, however, AI governance establishes component considers whether:
accountability and oversight, helps to ensure that those
responsible have the necessary skills and expertise to The risk of unintended human biases factored into AI
effectively monitor AI, and helps to ensure the design is identified and managed.
organization’s values are reflected in its AI activities. AI has been effectively tested to ensure that results
This last point should not be overlooked or given little reflect the original objective.
attention. AI activities must result in decisions and
actions that are in line with the ethical, social, and legal AI technologies can be transparent given the
complexity involved.
responsibilities of the organization.
AI output is being used legally, ethically, and
Data Architecture and Infrastructure responsibly.
AI data architecture and infrastructure will likely be one It is widely recognized that human error is the most
in the same as the organization’s architecture and common cause of information privacy and security
infrastructure for handling big data. It includes breaches. Similarly, the human factor component
considerations for: addresses the risk of human error compromising the
ability of AI to deliver the expected results.
The way that data is accessible (metadata,
taxonomy, unique identifiers, and naming
conventions).
globaliia.org 7
Global Perspectives: Artificial Intelligence
become more and more of a challenge as an IIA Standard 2030: Resource Management
organization’s AI activities become more sophisticated. IIA Standard 2100: Nature of Work
intelligence. To prepare, internal auditors must IIA Standard 2201: Planning Considerations
understand AI basics, the roles that internal audit can
and should play, and AI risks and opportunities. To meet
IIA Standard 2210: Engagement Objectives
these challenges, internal auditors should leverage the IIA Standard 2220: Engagement Scope
Framework to deliver systematic, disciplined methods to IIA Standard 2230: Engagement Resource
evaluate and improve the effectiveness of risk Allocation
management, control, and governance processes related
to AI.
IIA Standard 2240: Engagement Work
Program
This paper is Part I of a three-part series. Part II will IIA Standard 2310: Identifying Information
provide more detailed information and
Complete text of the Standards is available at
recommendations regarding the AI Governance; Data
www.theiia.org. Each standard is complemented
Architecture and Infrastructure; and Data Quality
by an Implementation Guide.
components of the Framework. Part III will provide more
detailed information and recommendations regarding
the Measuring Performance, Human Factor, and the
Black Box Factor components of the Framework. Parts II
and III will include relevant engagement objectives and
procedures which internal audit activities can use to
customize an AI audit program to fit their organizations’
risk profile and strategic objectives.
globaliia.org 8