Internal audit is adept at evaluating and understanding the risks and opportunities related to the ability of an organization to meet its objectives. Leveraging this experience, internal audit can help an organization evaluate, understand, and communicate the degree to which artificial intelligence will have an effect (negative or positive) on the organization’s ability to create value in the short, medium, or long term. Internal audit can engage through at least five critical and distinct activities related to artificial intelligence:

• For all organizations, internal audit should include AI in its risk assessment and consider whether to include AI in its risk-based audit plan.
• For organizations exploring AI, internal audit should be actively involved in AI projects from their beginnings, providing advice and insight contributing to successful implementation. However, to avoid the perception of or actual impairments to both independence and objectivity, internal audit should not own, nor be responsible for, the implementation of AI processes, policies, or procedures.
• For organizations that have implemented some aspect of AI, either within its operations (such as a manufacturer using robotics on a production line) or incorporated into a product or service (such as a retailer customizing product offerings based on purchase history), internal audit should provide assurance over the management of risks related to the reliability of underlying algorithms and data on which the algorithms are based.
• Internal audit should ensure the moral and ethical issues that may surround the organization’s use of AI are being addressed.
• Like the use of any other major system, proper governance structures need to be established and internal audit can provide assurance in this space.

Download AI Part 1: Considerations for the Profession of Internal Auditing

Practice Guide – recommended guidance from IIA

Public sector organizations are expected to serve the public good, uphold the principles of ethical governance, and comply with myriad laws and regulations. Yet the nature of politics may put pressure on, or conflict with, ethical governance principles.

Based on professional guidance from the International Standards for the Professional Practice of Internal Auditing and practical insights from global internal audit professionals, the guide advises CAEs and internal auditors about planning and performing internal audit engagements while properly managing the opposing forces of political pressures and ethical principles.

This guidance will enable internal auditors to:

• Understand the definition of public sector and the types of public sector organizations.
• Recognize public sector governance roles and how they may affect internal audit principles such as organizational independence and unrestricted access.
• Incorporate additional standards and requirements specific to the public sector.
• Assess the organization’s commitment to ethical governance principles.
• Identify the types of engagements performed in the public sector and how to plan them.

New Guidance from The European Confederation of Institutes of Internal Auditing (ECIIA) on Auditing Cybersecurity within Insurance firms.

Internal Audit plays a vital role in the provision of assurance regarding the efficiency and effectiveness of the key cybersecurity processes and controls in insurance and reinsurance undertakings. Key stakeholders such as Management and the Board rely on the work of Internal Audit in regard to cyber-related risks.

This position paper aims to set out the view from the ECIIA Insurance Committee and intends to provide guidance to Chief Audit Executives (CAEs) in the Insurance sector in regard to the audit of cybersecurity. Cyber risk is important, in light of the recent increase of cyberattacks and the new European Regulations: General Data Protection Regulation and the Network and Information Systems Directive in 2018.

The need for effective IT Cybersecurity controls has been highlighted by the European Insurance and Occupational Pensions Authority (EIOPA), saying that cyber risk is becoming a growing concern for institutions, individuals and also financial markets and is now at the top position of the list of global risks for businesses.

The Solvency II Directive encourages Own Risk Self-Assessment and the use of risk categories based on the specific characteristics of the undertakings and not just the Solvency II standard classification. The paper does not aim to provide a one size fits all solution for auditing Cybersecurity risks, but it provides a framework from which internal audit departments may build a multi-year long term approach to auditing cyber risks.

Does size really matter? Or are the challenges that small internal audit departments face the result of other factors?

This Global Knowledge Brief explores those questions and others involving the challenges of smaller audit groups.

Agility and Innovation hits on key areas that are critical for internal audit functions to master — such as strong data management and data analytics — and discusses areas where artificial intelligence and process automation can be leveraged to allow practitioners to spend their time on more value-added activities.

To assist internal auditors with getting on the path to agility and innovation, the report concludes with five steps they can take now to put the wheels in motion.