Auditing Guidelines for Artificial Intelligence


Over the past few years, there has been a significant shift toward emerging technologies such as blockchain, robotics and artificial intelligence (AI). Global organizations and governments have come to terms with the impact, and the opportunity, of advanced technology, and governments around the world now regard AI as a nation-defining capability. A report from HolonIQ shows that countries are looking to their education systems to build AI capability for the next generation while ensuring equity, privacy, transparency, accountability, and positive economic and social impact.

Significant opportunities lie ahead for AI software market penetration, despite the short-term economic turbulence caused by the COVID-19 pandemic. As AI grows in importance and adoption, the role of internal auditors must evolve in lockstep to address new challenges, many of which have yet to be fully anticipated.

There are 2 primary aspects auditors should consider while performing the audit of AI applications:

  1. Compliance—Assess risk related to the rights and freedoms of data subjects.
  2. Technology—Assess risk related to machine learning, data science and cybersecurity.

A starting point for auditing an organization’s AI is defining the scope and objectives of the audit and considering the risk the AI initiative poses to the organization. These areas of risk should be compiled in a document such as a risk and control matrix (RCM), which lists each risk and related controls. COBIT® 2019 provides an effective framework for considering the risk of any initiative or process within an organization.

There are several examples of risk related to AI strategy:

  • Lack of alignment between IT plans and business needs
  • IT plans that are inconsistent with the organization’s expectations or requirements
  • Improper translation of IT strategic plans into IT tactical plans
  • Ineffective governance structures that fail to ensure accountability and responsibility for IT processes related to the AI function

From a compliance perspective, auditors need to understand the underlying data privacy and data protection principles and the impact of AI applications and initiatives on the rights and freedoms of data subjects and natural persons.

The UK Information Commissioner’s Office (ICO) has drafted guidance on AI and data protection that serves as a baseline for auditors of AI applications. It covers the following areas, each grounded in the data protection principles of the EU General Data Protection Regulation (GDPR):

  • Accountability and governance in AI, including Data Protection Impact Assessments (DPIAs)—Under GDPR Article 35, a DPIA is legally required where processing is likely to result in a high risk to individuals’ rights and freedoms, and the ICO notes that this will be the case for most AI systems that process personal data. A DPIA is an opportunity to document how and why the organization is using AI to process personal data and what the potential risk is. Depending on how they are designed and deployed, AI systems will also involve trade-offs between privacy and other competing rights and interests (for example, between data minimization and model accuracy). Auditors should understand what these trade-offs are and verify that the organization has identified and managed them.
  • Fair, lawful and transparent processing—An AI system processes personal data at several stages (for example, training and inference) and for several purposes. If the organization fails to distinguish each processing operation and identify an appropriate lawful basis for it, it risks breaching the lawfulness principle. Auditors should verify that each purpose has been identified and that the organization has documented an appropriate lawful basis for each one.
  • Data minimization and security—Personal data must be adequate, relevant and limited to what is necessary for the purpose (the data minimization principle), and it must be processed in a manner that ensures appropriate security against unauthorized or unlawful processing and against accidental loss, destruction or damage. Auditors need to verify that these requirements are met, and that every transfer of personal data between locations and every storage location are recorded and documented, since that inventory is what allows the effectiveness of the security controls to be monitored.
  • The exercising of individual rights in AI systems, including rights related to automated decision-making—Under data protection law such as GDPR, individuals have rights relating to their personal data. Within the scope of AI, these rights apply wherever personal data is used at any point in the development and deployment life cycle of an AI system. Auditors need to ensure that the rights to information, access, rectification, erasure, restriction of processing, data portability and objection (GDPR Articles 13-21), together with the rights relating to solely automated decision-making, including profiling (Article 22), are considered when developing and deploying AI.

AI is a reality that promises to transform more than just the way enterprises do business. It will touch every corner of society. AI will have a far-reaching impact on the audit profession as well, since auditors will be expected to provide assurance over AI. Auditors should ask themselves whether organizations and audit teams are ready for the tough questions surrounding AI and how it should be audited. With little guidance and few frameworks available for auditing AI, auditors need to focus on the controls and governance structures that are in place and determine whether they are operating effectively.

Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, COBIT 5 Assessor, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI, is a governance, risk and compliance (GRC), information security and IT strategy professional with more than 15 years of industry experience. He serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter and volunteers at the global level of ISACA as a Topic Leader for the Engage online communities, member of the IT Advisory Group and the Chapter Compliance Task Force, ISACA® Journal article reviewer and SheLeadsTech Ambassador. He previously served as a chapter award reviewer and on the Certified in the Governance of Enterprise IT® (CGEIT®) Quality Assurance Team. He can be reached via email at adnan.gcu@gmail.com and LinkedIn (https://ae.linkedin.com/in/adnanahmed16).


Has there ever been a more challenging climate for the second and third lines of defense? The COVID-19 pandemic has clearly changed the entire 2020 landscape for financial services. A flurry of economic challenges and hurdles has put tremendous pressure on the business models of both traditional organizations and upstart, digitally native firms. Risk functions, in addition to dealing with financial challenges, are reassessing their risk universes, searching for previously overlooked single points of failure in operations, IT and supply chains. Compliance functions are racing to ensure that they meet unwavering regulator expectations with respect to financial crime, market and consumer conduct. Internal audit departments, like their counterparts in the second line, are adapting to the work-from-home (WFH) environment, adjusting audit priorities and leveraging digital capabilities wherever possible to compensate for their inability to perform onsite audits.

For the second line, sudden economic shifts often produce a perfect storm: a disrupted market that creates new opportunities for those inclined toward dishonest practices such as fraud, bribery, investment schemes and market manipulation, combined with a larger population of vulnerable potential victims. The websites of governmental agencies and regulators globally offer myriad warnings and advisories about these risk scenarios.

Financial institutions need to take reasonable steps to ensure that their compliance monitoring programs are designed to identify fraudulent activity and market abuses, intentional or inadvertent. In the current environment, compliance assurance programs should include enhanced scrutiny of the following areas:

  • Transaction monitoring—Pre-COVID-19 transaction monitoring models may no longer be fit for purpose, given significant changes in consumer behavior. In response, monitoring rules should be recalibrated to avoid:
    1. Overwhelming numbers of false positive alerts, which distract analysts from reviewing genuinely suspicious activity
    2. Missing new patterns of behavior indicative of criminal activity
  • Fraud management—New fraud schemes have been devised to take advantage of government support measures and public demand for certain goods. Shortages of goods also heighten the potential for public and private sector bribery. Financial crime prevention teams should evaluate how wrongdoers can take advantage of the current situation and incorporate new rules and keyword typologies into fraud management to identify and flag potential criminal activities.
  • Market abuse surveillance—Insider trading, market manipulation and investment schemes have been on the rise in parallel with the unprecedented market shifts of the past few months. Traders working from home have introduced new challenges related to information leakage and potential insider trading. Vulnerable parties, such as unsophisticated investors, may be more susceptible to manipulation such as “pump and dump” schemes.
  • Control environment analysis—Organizations should be evaluating their control environments to ensure that their prevention and detection capabilities are fit for purpose.
  • Conduct risk and treatment of vulnerable customers—Regulators expect firms to have in place sufficient forward-looking conduct risk metrics and indicators and to be performing analysis of their activities and transactions, so that they are assured that conduct risk is being properly managed. Given the dramatic changes in many customers’ circumstances, increased numbers of customers are vulnerable and the impact of the organization’s decisions on those consumers during the pandemic is likely to be subject to significant regulatory scrutiny. Enhanced compliance assurance and testing in this area is a top priority.

As with other second-line functions and with the third line, WFH compliance departments have had to adapt and modify their methodologies for monitoring and testing. While for most compliance departments, the focus has been on managing the immediate short-term shock of the crisis, much remains to be seen about the mid-to-long term effects. History has taught financial institutions that crises often lead to a wave of regulatory mandates in the future—along with the remediation efforts and costs required to manage these—and that practices developed to deal with crises can lead to operating model improvements.

Three common themes have emerged as organizations have responded to the compliance monitoring challenge. The first appears to be an interim, tactical change; the last two point to an acceleration of many executives’ strategic plans for a more dynamic assurance model.

  1. Repositioning staff—Following government actions to protect consumers and markets, many organizations have had to respond quickly to huge demand from their consumer and business customer bases seeking to take advantage of the benefits put into place. This has also led to a large volume increase in customer contact and service requests. In response, some first-line personnel have been temporarily seconded to customer service roles and even second- and third-line personnel have been redirected to assist. This short-term solution has both risk and a potential benefit. Risk arises from asking people with limited training and experience to step into roles with which they are unfamiliar, heightening the chances of error, and from withdrawing second- and third-line personnel from their assurance activities, at a time when they are already challenged to deliver these activities effectively.
  2. Enhancing active assurance techniques to provide an immediate feedback loop—To support their organizations with rapidly evolving demands, assurance functions have changed their ways of working to operate more responsively. This has included greater involvement in emerging topics and issues, including the areas of increased risk noted above, flexibility to ensure that reviews do not inhibit first-line performance, and increased use of data and analytics. Some organizations are delaying deep-dive reviews until later in the year to prioritize emerging risk. Active assurance has been applied most toward data-focused reviews of key risk indicators in the financial crime space; operational resilience; and responses to government actions such as new government loan and guarantee schemes, furloughs and payment holidays.
  3. Increasing the use of technologies to support active assurance—Becoming a more digital organization across the first, second and third lines was already a top priority for most executives prior to the COVID-19 crisis. The consequences of the pandemic have accelerated this trend.

In all likelihood, many of the changes to the ways of working that have been introduced to respond to the current environment are here to stay, and the assurance functions that respond most innovatively to ways of working during the pandemic are likely best poised for future success.

Read more about compliance assurance during the COVID-19 pandemic in the full article from KnowledgeLeader.

This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA® members receive a discount on an annual subscription to the service.


Author: Mehmet Cüneyt Üvey, CISA, CISM, CGEIT, CRISC, APMG Accredited Trainer, ISO 20000 LA, ISO 27001 LA, PMP

I spent nearly 4 months of this year shopping for complete strangers, thousands of miles from my home and navigating completely different food and culture than I am used to, all while attempting to build a new life in the midst of a global pandemic—and I loved it. Only in 2020, right?

When I decided to relocate from my native country of Turkey to the United States, arriving in February 2020, little did I know I would spend a portion of the year serving as an Instacart shopper during a massive pandemic, purchasing and delivering groceries for others in my new home of Palm Beach County in South Florida. I learned so much about American food, prices and how American markets work. I had wonderful people helping me find items on the market shelves, adjust to different driving rules, figure out the many surrounding neighborhoods and towns, and the list goes on—everything was so different! I saw beautiful gated communities in Florida while making my delivery rounds. My brand-new car logged 6,000 extra miles, I made almost 500 shopping deliveries and, although the money was not mine, I spent around US$75,000 on groceries. Believe me, I took the job seriously, asking my customers if they wanted their bananas green or yellow, their avocados ripe or hard and informing them about in-store deals. Not to boast, but I consistently earned 5-star rankings. Another bright spot: the 13-hour workdays, 7 days a week, consisting of shopping and rushing to meet deadlines was the first job that improved my physical fitness. The work was not as complex as I am used to, but it was gratifying nonetheless.

In a way, this professional detour was surreal after spending more than 3 decades as an IT leader in Turkey, where I established the country’s first IT audit department, worked on the first COBIT® implementation at a large Turkish bank, was the first IT risk manager and was one of the country’s first professionals to attain the 4 core ISACA® certifications and become a project management professional (PMP). I have lectured on COBIT, information security, IT audit and IT governance in graduate programs at several universities, given speeches at international conferences and traveled around the world to deliver training. I certainly did not anticipate adding “Instacart Shopper” to my CV at this stage of my career, but then again, many of us have stumbled into a brave new world in 2020.

Little did I know the impact COVID-19 would have on my American journey, but I am hopeful now that I have returned to sturdier footing. In July, I was hired as a third-party risk assessment senior consultant at TD Ameritrade. Instead of learning about new products in the supermarket, I have been learning about products in the IT supermarket that provide services to TD Ameritrade. It is my first remote job, but like everything else this year, I am adapting.

It has been great to be back in the IT space. The business transformation I have witnessed and been part of throughout my life is hard to fathom, starting with closely observing my father, who worked for a large bank. I have been fascinated by technology transformation since the days of typewriters, Facit calculators, carbon transfer papers and the first versions of monochrome monitors, when it took 3 days for an email to be transmitted from 1 PC to another in the same room. I have seen the IT evolution right from the beginning, especially working in the banking and finance industry, which has been a leader in automation and innovation.