The Institute of Internal Auditors presents all things internal audit tech. In this episode, hear from multiple thought leaders on how AI is being used in risk in cybersecurity audits. They'll discuss the opportunities and benefits AI offers internal auditors. First, let's jump into AI and compliance programs with David Petski, director of Professional Standards at the I I A and Brian Willis, senior lead auditor at LBMC.
Have you seen use cases where people are, uh, training the AI model to, uh, on their system? So the, the model understands, you know, the, uh, the controls and, and the operations in their particular organization? Yes, and in fact, one of the, uh, one of the great features with, uh, uh, say a chat GPT is that you can actually, you can actually create custom GTS and then train that on specific information.
What we're doing at LBMC, and, and you've asked about PCI, but specifically around PCI is, we developed A-A-A-P-C-I-G-P-T, and we've introduced all of the PCI documents, the report templates, the, uh, the FAQs, the, uh, supporting documents, the, you know, knowledge based documents that they've published, uh, into this tool.
And based on having all, based on all of that information, we're able to then prompt that GPT with questions about, Hey, what are the specific requirements around multifactor authentication or data encryption? And we can get the answers we need specifically around that. And we can know that because it's been trained on that document on that PCI documentation that the answers we're get, we're getting are well informed.
And it's not just, uh, maybe hallucinating and just making up answers that it's called off of, uh, uh, off of the internet. Next, let's turn to Kal Agro Wall, director of Customer Success at Diligent to discuss the usefulness of AI in continuous risk assessment and scenario analysis. How are internal auditors using artificial intelligence for risk assessments? So I would say there are different areas where internal auditors can really find AI to be useful.
Number one definitely is the interviews and surveys. So AI really gives a lot of power to analyze the text data, uh, which are part of the surveys. Uh, and it can create different patterns which can flow into, uh, as an input into your, into your process. The number two could be, um, you know, the automatic risk assessment, uh, which means that you're trying to get into a more, uh, continuous risk assessment process.
Uh, so you're not waiting for a certain period or certain timeframe to do your risk assessment, but you already have the highest risk identified through ai. And then what you're trying to do is add on whatever you want to add to that. So the 60 to 70% of the job is already done.
The other thing could be, you know, scenario analysis where, uh, you know, you can actually bring in data from different departments and then you can run scenarios, uh, based on that to, to get the input for, for your risk assessment. Is it being used at all, uh, at, at an engagement level for engagement risk assessments?
I mean, you mentioned the surveys and that would probably, uh, be a pretty good method, but are, are there other ways that, uh, it's being used to scope engagements or identify risks, uh, within particular subject areas? I think it is definitely reused in risk scoring for sure. I think that is one area where it is definitely used.
Uh, communication is another area we're picking up where if audit teams are communicating with other departments, sometimes, you know, you wanna make sure that the audit teams not only the audit teams, but the other teams outside of audit are aware of the risks. So, you know, it is also helping out in communication outside of the audit department. So there's engagement, there is risk scoring and there is communication
Building on that. West Block Kick, senior manager at Grant Thornton and Ethan Rohani, principal at Grant Thornton highlight how AI is being applied to enhance the risk assessment process, making it more dynamic and efficient. Now, are, are there any other, uh, applications or, or use cases that, uh, you know, you, you see out there that we haven't touched on yet that you think, you know, you You wanna get this? There's guy's are many Be careful what you ask for.
I could go on for hours, but, uh, I would say, um, one of the big ones that we're working on right now are the risk assessment space. Okay. So, um, there's a lot of opportunity for risk evaluation, risk identification, um, performing risk impact assessments. Yep. And, and, um, and doing scoring Analysis. Yeah. Will it, uh, uh, forecast, estimate, uh, you know, a risk exposure. So we are working on a tool right now that I'll actually do that really with, with the, a dynamic framework model.
So you can actually input your organization's framework for, for weighted scoring. 'cause every organization's a little bit different depending on the industry and the, the business. So, uh, you can be able to, you can input that information and, and without giving away too much before we roll it out, uh, it will allow you to, to help, um, score and, and risk rank and, and pinpoint areas of focus.
I will say one of the most interesting use cases that I've seen, and it's related to the risk assessment question, is enabling folks to have conversations at all hours of the day and doing the preliminary discussions with the AI and gathering that information so that when the humans actually talk, it's a much deeper, more useful conversation. And you've gotten a lot of the little things out of the way. Yeah. Kinda streamlines things.
It also enables somebody that's in Denver, Colorado to have a conversation in Bangalore on their time schedule so that you're not trying to shift hours to have a conversation at two in the morning. So again, employee satisfaction goes skyrocketing when you're not getting up at two in the morning to go have a conversation. Yeah, yeah. Those global co conference calls. Yeah. Yeah. Yep. Thank you very much for your time. Thank you, David. Thanks for having. Appreciate it. Alright, thanks.
Finally, Brian Willis returns to discuss the practical applications of AI in enhancing risk assessment. Can you tell us a little bit about how generative AI is being used in Cybersecurity? Yeah, it's a great question. Um, AI really, uh, is presenting itself as an, as a very effective and promising tool, uh, for cybersecurity audit and compliance. Um, and particularly when we talk about ai, uh, I think the thing that, that most people are, are talking about is generative ai.
So chat, GPT and copilot and tools like that. Um, and I think the way I like to think about it is, imagine if you could add a team member who knew everything about everything, everything that was ever documented about cybersecurity, audit and compliance. That's what a, having AI as a tool, uh, for your compliance program is like. So, uh, even better than, uh, your traditional Google search, uh, where you would, uh, perform a search and have to look through links and information, everything.
Now you can get that information just in a conversational manner. Uh, so it really is a, a, a great tool that's benefiting our, uh, our industry. A couple of the key benefits I like to talk about are audit accuracy and consistency. So just like with getting a Google search, you're able to go through a documented information that's been published on the internet the same way. That's where that information that a generative AI tool uses comes from is straight from the internet.
And so when you're having that conversation, it's like being able to get directly to that information without having to click through search links and things. Uh, so it brings that element of, of accuracy, consistency. It can support your program, uh, again, through having that reliable knowledge base, uh, to be able to support folks who are both conducting audit, and as well as those folks who have responsibilities for, uh, implementing and maintaining a compliance program.
The other benefit I like to think about are the, the cost of compliance in both in terms of audit time and expenditure. Um, so, uh, at OBMC, we're using already a couple of tools to support and supplement our audit activities to where, uh, the, the tool allows us to review documentation, review evidence that our clients provide to us in a much more timely manner.
It can search through a 300 page, uh, security policy and find the answers we're looking for in an instant, uh, without somebody having to search through that document. Likewise, uh, if you are, um, for a team that is either responsible for maintaining compliance or for conducting an audit, if you're an internal or an external auditor, it just results in fewer man hours, uh, on the audit.
You're able to, uh, go through these activities, execute them quicker, and so the cost of compliance, uh, comes down. So just a couple of key benefits that we're seeing with AI and in cybersecurity. Well, thank you very much, Brian. It's been great talking to you about, uh, internal audits use of artificial intelligence. If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or@theiia.org.
That's THE iia.org.