The new guardians of emerging technology

Internal audit should be involved in digital projects at the outset, from setting strategic objectives to successful implementation.

Being an internal auditor - and a movie buff - I sometimes wonder how the outcome of a movie would change if an internal auditor was involved in the plot.

Imagine if the - spoiler alert - android in Ex Machina had been programmed with internal audit input: the killings of the inventor and tester would not have occurred, and the escape of the robot would have been stopped. Perhaps it might not have made for a very exciting movie, but it would have been a safer one!

An internal auditor is cognisant that Artificial Intelligence and Data Analytics (AIDA) would, together, make for a more operationally efficient organisation. But the use of AIDA without understanding and managing the risks is a mishap waiting to happen.

Traditionally, internal audit has been relegated to the Third Line of Defence, getting involved in technology adoption only post-implementation, where the auditor evaluates whether the implementation process was robust, whether issues were rectified and whether the key controls were working as intended.

Such a traditional approach is not viable, given the rapidly evolving business and technology environment. Internal audit should be involved in digital projects at the outset, from setting strategic objectives in terms of governance and oversight, and providing advice on possible risks and opportunities, to successful implementation.

The Monetary Authority of Singapore (MAS) has published a set of principles on fairness, ethics, accountability and transparency in the use of AIDA in decision-making in the provision of financial products and services.

Internal audit has the ability to be the guardian, providing oversight and bringing those principles to life.

Every organisation's AIDA strategy is unique and the intended outcome for using it must be defined. Business owners who have the vision for the outcome, and the technology experts within the organisation who understand the constraints and capabilities of the technology used, must work collaboratively to set the strategic objectives.

Being involved in the initial objective setting, internal audit can enable the organisation to establish defined strategy and implementation roadmaps, including identifying and integrating possible governance, and risk and control considerations throughout the project life cycle.

BE A STRATEGIC ADVISER TO STAKEHOLDERS

With the adoption of AI, regulators are placing more scrutiny on the risks of using it. Hence, there must be appropriate governance and internal controls to manage risks. Internal audit can act as the bridge between the regulators and the organisation, evaluate the risks, and enforce governance and control.

Additionally, internal audit can play the role of an adviser to the board and senior management in managing AI risks, and simultaneously maintain the confidence and expectations of regulators. The board will be ultimately responsible for all activities, and must play the role of oversight. Internal audit must be represented on the management team, and work with them to review the organisation's AI strategies and activities periodically.

The role of the business owners, as the First Line of Defence, is to ensure that the data provided for AI implementation is complete, accurate and reliable. Often, data is stored across disparate systems which do not communicate with one another. How this data is reconciled, synthesised and validated may be unclear.

Therefore, internal audit can help identify possible control activities to manage data quality and ensure data has been appropriately reviewed and validated.

For example, documentation on data lineage should be established to enable business owners to verify the data sources used. Clear data ownership should also be established so that the relevant business owners are accountable for keeping data current.

In ensuring that data quality remains intact post-AI implementation, internal audit can support the Second Line of Defence to place appropriate controls over data governance, such as access controls for data changes, frequency of data refresh and processes for data rectification. Periodic testing of existing datasets and outcomes of AI algorithms should also be carried out to ensure the AI technology is working as intended.

By working hand-in-hand with the First and Second Lines of Defence, internal audit would be better placed to understand the benefits and limitations of the AI technology used. That would help the auditors design appropriate audit procedures to evaluate the effectiveness and robustness of the processes and controls implemented and carry out the audits in an efficient and effective manner.

In any digital transformation project, including the use of AI technology, managing cybersecurity risks is another key area of focus for internal audit. With the recent cyber attacks in Singapore, the ability to resist, respond to, and recover from cyber attacks is becoming critical for any organisation using AI.

For example, cyber attackers may get access to the algorithms, and unauthorised changes to the algorithms could result in undesirable consequences. To ensure effective controls and responses are in place, internal audit should work collaboratively with the technology functions and identify potential areas of security weakness and mitigating controls.

PLACING THE RIGHT HUMAN CAPITAL STRATEGY

No change can be enabled without people, and the talent pool for technology professionals with AI capabilities is very limited. In order to support the AI strategy, internal audit will need to grow or acquire talent with competencies in a multitude of areas such as natural language processing, advanced modelling and robotics.

Therefore, it is important that internal audit develop a human capital strategy, identifying capabilities it can grow in-house or hire externally, the training needs of the internal auditors, as well as tools for carrying out its audits.

Internal audit should consider revisiting its operating model and identifying areas where it can work with third-party specialists to augment its technical expertise to carry out specific audits, like complex algorithm audits.

In an ideal world, things will be rosy, as pointed out in a verse in the song IGY by Donald Fagen, so aptly meant for a humanistic auditor:

Just machines to make big decisions

Programmed by fellas with compassion and vision

We'll be clean when their work is done

We'll be eternally free and eternally young

Despite it being an optimistic song, we know, deep down, the sarcasm of the writer in alluding to a Utopian society. At least internal audit might get us along part of the way.

  • The writer is governor of The Institute of Internal Auditors Singapore