The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, hear from industry thought leaders about governance and ethical considerations of artificial intelligence usage in the internal audit profession. First, let's hear from David Petski, Director of Professional Standards at the IIA, and Brian Willis, Senior Lead Auditor at LBMC, on mitigating the risks associated with sensitive data disclosure through public AI tools.
How are companies mitigating the risk of their proprietary information getting into a public tool? Well, there are a couple of key elements to that. First of all is just through policy.
It's really important for organizations now to establish an AI usage policy: establishing what types of tools folks are allowed to use, the types of information they're allowed to input into an AI tool, and maybe even specifying the tools they're authorized to use and under what circumstances. So policy is one key element. You may also consider a private tool.
We're now seeing lots of private tools being developed. LBMC has developed one for our internal use and for some of our clients, and resources like Chat, OpenAI, Microsoft are now publishing private versions or secure versions of their AI tools. The way that works is it's simply establishing a secure portal for you to prompt in. It's leveraging the large language model that is kind of the secret sauce, if you will, behind these open AI tools,
without exposing the data in your prompt to that backend. So if you want to search a contract that may have some sensitive language in there, or you've got some intellectual property that you want to use in your prompt without exposing that to an external endpoint, then you can use that private AI tool or secure tool that provides that layer of protection for that sensitive material.
Following Brian's insights, let's explore the importance of governance and monitoring in AI implementation with Alex Esi, Head of Information Security at Meta; Ivan Martinez, Internal Audit Managing Director at Goldman Sachs; and Charles King, Managing Director at KPMG. Let me ask: if your organizations are using artificial intelligence, have your audit functions tested or verified the ethical risks related to the usage of artificial
intelligence? So, AI has been in existence, especially in our organization, for many years. Ethics and bias and all of that has already been pretested in the first place. Gen AI is just a new, different type of technology, but the same baseline. So it's been tested many, many times over. Yes. So, Charles, are you seeing more broadly in your clients that that is a concern?
And are people looking to some sort of standardized, you know, Good Housekeeping seal of approval or something like that? Look, I think generative AI and artificial intelligence in general has always been an area where we are relying on data from various sources, right? And every dataset has bias in it, right? Every dataset has errors in it.
And the people that are making the models, like the big technology companies, are building, I think, very rigorous controls into the models that they commercialize.
As consumers of those models, I think our biggest concern is not necessarily the internals of the model or the guardrails on the model itself, but more how we talk to our teams and our employees about what the model is and what it isn't, so that there's clear understanding of how the model is producing what it's producing, and that we have a process to think about whether the use cases that we are applying those technologies to make sense in the context of our business.
If you are a lender, you don't want to be discriminatory in your lending, regardless of whether you're using AI to do that discrimination or have old manual processes, right? I don't think our fundamental desire to have a fair business that is free of bias changes because we introduce AI into the picture.
We just need to be aware that AI has the potential to increase that bias in some cases, and to make sure that we are thinking about that, that we have controls and processes in place to identify those issues when they're relevant, to monitor them and control for them, and then, in the event that we see problems, that we remediate them. But I don't think that privacy or ethics exists in an AI vacuum.
I think we have to do that with all tools, all processes, all software, because manual processes have the potential to be biased and unfair as well. Right? But another concern that occurs to me is that if these models are learning, are they unstable? Do they change over time? And how do you test or verify that it's still operating as intended?
So typically in the ecosystem, from a control perspective, you have monitoring controls at the front end, preventive controls, and you also have backend controls to make sure, at the least, that if there's anything or any anomaly that comes out of it, it's corrected as quickly as possible.
In simple terms, when you build a model, you want to build it in an ecosystem with the right level of controls at the front end and the back end, and also the preventive and the detective types of controls. Are you seeing anything similar at your organization? Yeah. So it's definitely a challenge. The velocity at which models are being produced these days is insane. It is really fast. One of the key principles we stick to is governance at the firm level.
So the standards and the monitoring, independent of the functions that are implementing the solutions, have to exist. For example, whenever we implement a solution, we have to have touch points with the governing body for AI and reaffirm our use of the solution and that it is still able to produce the results that we want.
And also you are responsible for tracking the areas where, and this is difficult to do, it's not easy, the model may not be behaving at 90 or 95% of the way you expected it. So I think the instrumentation that you need to observe that, and having a third-party governing structure within the firm asking you on a periodic basis, are you monitoring your models, you know, this new thing came up,
because there will be bugs also on things that could be found. So I think the balance has to exist. Having that independent function checking is crucial moving forward.
Ethan Rohani, Principal at Grant Thornton, and Wes Luckett, Senior Manager at Grant Thornton, shed light on preventing AI-generated hallucinations and ensuring safe recommendations in AI systems. ...mitigate that risk of the AI model spitting out hallucinations, or even potentially dangerous solutions or recommendations? So, Wes alluded to it a little bit.
We've been working on some of the standards for human intervention and review around artificial intelligence, and we know that the IIA is moving toward that standard as well. We've worked with other regulatory bodies, including the AICPA, but to be fair, there are some really great standards out there that outline how to responsibly use AI.
As auditors, we would probably call them controls, but you could go back and take a look at some of those standards and draw from them what type of human intervention needs to be there so that you don't have machines running amok, I guess you could say. Great example: Microsoft's Responsible AI framework, fantastic tool.
You can boil that down to some pretty tactical controls that folks could use on a day-to-day basis and mitigate the risk of a potential decision.
Now, I think the critical part, and Wes, you'll probably go into this in our discussion a little bit, is making sure that the AI is not allowed to make a decision without some kind of human intervention, or some very substantive testing and oversight of that decision-making capability, when it has consequences and a significant impact and output. Yeah. And that really starts with an upfront impact assessment.
It's important when companies are adopting AI to do an AI impact assessment, to understand the use case, what sort of implications the output has, and what the risks really are, so that those can be mitigated in the process of implementing the system. It's not something we want to do on the back end. You want to get in front of it while you're still ideating, before you actually build and implement the system in the first place.
Are there any industry standards or certifications for tools, so that auditors don't have to test them? You don't have to verify that Excel adds and subtracts correctly, but is there anything similar? That's a good question. They're emerging. This is a rapidly evolving space. We definitely see NIST as a front runner in AI auditing standards
and recommended auditing frameworks. So that's a great one. But this is something we're monitoring frequently, and we definitely recommend keeping an eye on all the emerging standards that will be coming about in the next year. Yeah. I think the NIST standard, NIST RMF 1.0, the Microsoft Responsible AI Framework. Yep. There are some derived standards from the EU Artificial Intelligence Act.
Yep. Oddly enough, you asked the question about certification or standardization, kind of an external assessment potentially. Yeah. Or internal assessment. There hasn't been a lot of standardization in that space that we've seen. We've seen some attest standards coming out that are being used. I don't know if they're specifically designed for artificial intelligence or repurposed a little bit. Yeah. They're being repurposed is a good way
to frame it. Gotcha. You mentioned the Microsoft framework and NIST. Are there any other... well, I'll say first, do you think those frameworks are granular enough for practitioners to actually apply, and to know how to test their programs, their process, the algorithm? Or is that kind of missing the point? No, there's definitely room. I think it's a good start, right?
I think it's important to understand we don't want to overregulate the space and inhibit innovation as well, right? We want to make sure that there's an appropriate balance. We need to adopt this technology and take advantage of it safely and effectively. And I think the frameworks and regulations and standards that are coming about right now are a really good start. There's room for improvement, but we're on the right track.
Lastly, Basil Shaah, founder of Audit Partners, discusses the ethical considerations and safety measures essential for maintaining integrity in AI applications. I've heard and read a lot about concerns about the ethics in certain artificial intelligence algorithms, or even safety, as it's applied to processes that involve human safety or things like that.
How do we make sure that the artificial intelligence package or tool that we're using is not going to behave unethically or put anybody in danger? Yeah, that's a great question. I think we all have a part in this, right? Just like with any new technology, any new tool, they're powerful, and you'll see more regulation coming out.
We'll see onus on the companies that are providing the tools to make sure that their models are secure, they're trained, and that they're not giving you things that are unethical, right? But I think it goes down to the human aspect too. As auditors, we are trained to be ethical and responsible, and we have to apply that in our daily lives. In addition, you'll start seeing more enterprise tools where it's more on your environment.
It's not using your data to train, right? All the information is secure. So I think with that coming in, it will help ease those burdens. I'm not concerned about it. If you look now at how many companies went from on-premises accounting systems to cloud, right? Yeah. And you get a SOC report, you understand where the gaps are, what the risks are, and you've got to do your due diligence as well.
So I think being ethical and safe with it, those are things that inherently will continue to improve. I think we have solutions for security now that can be applied in the same way that we're using them for other data. If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theiia.org. That's T-H-E-I-I-A dot org.
