IS Audit in Practice: A Collaborative Approach to Assessing AI Risk

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 1 January 2024

Artificial intelligence (AI) is all the buzz, but it is neither new nor futuristic, as anyone who has used Google search, Amazon Music, smartphone GPS applications or predictive text will acknowledge; these are just a few common uses where machine learning makes life more convenient. However, recent developments in generative AI have reopened the question of the technology's benefits versus its risk. These emerging technologies reconjure the mystery and fear popularized by The Matrix trilogy,1 where technology reigned supreme and "evil" machines were poised to take over the world. Are we beyond good versus evil? Can AI solve what humans cannot solve efficiently? Can it produce faster medical discoveries and save lives? Will it continue to differentiate manufacturing processes with greater efficiency and quality? Do students learn more when AI is welcomed into the classroom? Or will we fall to the "hunger of success," as noted by AI expert Kai-Fu Lee?2 Will we find inequities created by competing business interests, power-grabbing countries and increasingly sophisticated cybercriminals as technologists and policymakers alike struggle to keep up with the pace of innovation?

Practically Speaking, We Need AI

One thing is certain: AI is not stopping while we ponder these questions. There are many examples of organizations testing the waters or jumping right in and operationalizing AI apps in their environments. I did not expect AI to come up when I attended the monthly Hanscom Field Advisory Commission (HFAC) meeting, but it did. The Chair, Christopher Eliot,3 noted that a grant of US $5,000 had been obtained. Various proposals for using the money were discussed, but the one that stuck was using AI to take meeting notes.

Although the HFAC member communities are very engaged, and have been since the 1980s, time is at a premium. Taking and publishing meeting notes in a timely manner is central to building the organization's presence and establishing trust within the communities represented. To this end, AI may become the technological enabler that gives precious time back to volunteers who must juggle a number of priorities to fulfill their state mandate. I spoke with Christopher Eliot about the prospect of using AI to fill this need. Despite the recent surge in excitement around AI, challenges remain. Eliot noted that the quality of AI-generated transcripts can vary from system to system, and that some AI business models allow only limited use of a tool before payment is required. That said, Eliot sees potential in using AI in this manner:

I used a small part of the transcript and asked ChatGPT to summarize in 30 lines or less. Here is what it said: “The Hanscom Field Advisory Commission Meeting, held virtually, commenced with Christopher Eliot introducing the attendees and explaining the meeting’s remote nature. He outlined the commission’s role and the process for remote participation. Commission members provided brief introductions. Notable members included John Doe*, Khalil Patel*, and Patrice LaGrande*, each bringing substantial experience to the commission. The Massport,4 and FAA representatives introduced themselves, including Betsey Chang*, responsible for Airport Administration. Participants discussed the documents dropped in the chat, including news articles and Tom’s comment on Noise Policy. The FAA and Massport representatives shared their roles, and Christopher Eliot acknowledged the connectivity challenges faced by some Bedford residents. The minutes concluded, and the meeting was set to proceed.”5

As with any new technology, challenges abound, but so does opportunity. The need for ISACA professionals to help organizations benefit from AI while watching out for pitfalls has never been greater.

Reexamining Values and Reassessing Risk

The increasing need to evaluate the ethical implications of the technology we invent and use is felt by all professionals. In addition to the wide variety of uses across industries, the economies of scale for AI have made the technology accessible to businesses of all sizes and to educational institutions, whether public or private. Governments both use and grapple with the latest implications of AI and machine learning, embracing the potential power behind it while feeling anxious about nation-state activities that could depose or destroy other government powers. One thing is definite: AI will continue its fast-paced adoption and become increasingly integrated into everyone's lives.

As ISACA professionals, we recognize that risk constantly changes and that continual reassessment is critical. The risk categories below are broad on purpose: risk managers and the business must define what each means for them and prioritize the potential impacts that need the most attention based on business needs, regulatory requirements and risk management best practices. Risk assessment of AI means considering the following risk categories:

  • Reputational, both client impact and the impact on digital trust
  • Financial
  • Regulatory, including monetary/legal penalties and regulatory monitoring requirements
  • Security, both physical and technical
  • Operational, including process, global operating environments and end of life planning
  • Ethical, which impacts reputational, regulatory and financial

Risk Assessing AI

As with any technology, AI must be risk assessed at the start of major projects, in advance of any significant change activity and at key process points, so that appropriate controls are in place for operational use. Ethical AI results when the business, risk and compliance teams not only evaluate the business opportunity that AI brings but also consider its impact by putting themselves in the shoes of users, policymakers and financial market managers. The following must be considered and socialized with the business operations team on a collaborative basis:

  • What is the financial risk and benefit of using AI? What is the cost to develop the technology? Has a business case addressed the cost of time delays or the inability to meet user expectations? One must keep in mind that if the technology used is not innovative enough, it may mean diminished competitive advantage and loss of market share. AI is now so ubiquitous that it has become risky for an enterprise not to use it in some form. Financial positives and negatives must both be examined and assessed.
  • Regulatory risk is acknowledged by many as the minimum set of compliance requirements for an organization. This is especially true for AI, whose adoption has far outpaced policy. While governments consider AI policy to ensure safe and equitable use, organizations often find they cannot wait for that policy to be written and must instead assess the risk of penalties and the cost of government monitoring against their own best business practices.
  • Security is the risk that touches every other risk category. Several examples come to mind that compel business leaders to accelerate a secure framework for AI, whether guaranteeing safe automobile automation, ensuring accurate disease diagnoses or simply producing verifiable information, as in the case of the HFAC meeting notes.
  • Reputational risk typically leads to financial implications and can be the most difficult risk to overcome once breached. Digital trust is earned based on reliability and performance factors, which are hard to repair in the minds of users when they are not maintained and upheld.

Monitoring and Oversight: Turning Controls Over to the First Line of Defense and Audit Teams

Ultimately, it is up to those designing and utilizing AI tools to ensure that AI brings value to users, communities and organizations in an equitable way while providing reasonable returns for the business stakeholders. This is best accomplished when the risk and audit teams collaborate with the business owners at the initiation of the project risk evaluation. The first line of defense (FLOD) and audit teams need to understand and weigh in on the project risk assessment and operational process to develop effective controls. The teams need to evaluate the key testing criteria of accuracy, approvals, timeliness and operational effectiveness.

It is critical for organizations to realize that risk is more than words on a page, especially with AI, where there are often competing risks to consider and discuss with the business operations team. There simply is not enough time to do everything. Audit and FLOD teams need to be aligned with the business to be most effective, and they must therefore also include both AI and human monitoring in their own audit and inspection processes.
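Of the testing criteria above, accuracy is the one that matters most for the HFAC use case, where AI-generated minutes must be verifiable against what was actually said. The following Python check is an added illustration, not code from the article or from the HFAC: it flags proper names and figures that appear in a generated summary but nowhere in the source transcript, which is the kind of automated control a FLOD or audit team could run before human review. The transcript and summary are constructed sample inputs, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not from the article). The summary contains one
# member who never spoke, a wrong article count and a grant the transcript never mentions.
TRANSCRIPT = """Chair: Welcome to the Hanscom Field Advisory Commission meeting, held remotely.
Chair: Commission members, please introduce yourselves.
Member: John Doe, representing Bedford, 12 years on the commission.
Member: Khalil Patel, representing Lincoln.
Chair: The Massport and FAA representatives are also on the call.
Chair: Please see the two news articles dropped in the chat."""

SUMMARY = """The meeting was held remotely and chaired by the Chair. Members John
and Khalil Patel introduced themselves, and Patrice LaGrande joined later. The FAA
and Massport representatives were present. Three news articles and a $5,000 grant
were discussed."""

NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10"}


def _numbers(text):
    """Numerals (currency sign and thousands separators stripped) plus small
    number words, normalised to digit strings so 'two' and '2' compare equal."""
    found = {re.sub(r"[$,]", "", n) for n in re.findall(r"\$?\d[\d,]*", text)}
    found |= {NUMBER_WORDS[w] for w in re.findall(r"\b[a-z]+\b", text.lower())
              if w in NUMBER_WORDS}
    return found


def _proper_nouns(text):
    """Capitalised words that do not start a sentence: a cheap stand-in for
    named-entity extraction that needs no external model."""
    nouns = []
    for m in re.finditer(r"\b[A-Z][A-Za-z]+\b", text):
        before = text[:m.start()].rstrip()
        if before and before[-1] not in ".!?":
            nouns.append(m.group())
    return nouns


def unsupported_claims(transcript, summary):
    """Return names and numbers in the summary that the transcript never contains.
    An empty result does not prove the summary is faithful; a non-empty one is a
    hard signal that a human must correct the minutes before publication."""
    transcript_words = set(re.findall(r"[a-z]+", transcript.lower()))
    names = sorted({n for n in _proper_nouns(summary)
                    if n.lower() not in transcript_words})
    numbers = sorted(_numbers(summary) - _numbers(transcript))
    return {"names": names, "numbers": numbers}


if __name__ == "__main__":
    findings = unsupported_claims(TRANSCRIPT, SUMMARY)
    for kind, items in findings.items():
        print(f"unsupported {kind}: {items}")
```

The check is deliberately conservative: it only reports items that are absent from the transcript, so a summary that omits a speaker or softens a statement passes silently. It is a screening control to route obviously unverifiable minutes back to the volunteer reviewer, not a replacement for that review.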

Can ISACA Professionals Futureproof AI?

The reality is that ISACA professionals are the best defense against technology misuse. As we embrace AI ourselves, we are poised to become trusted advisors in a world that is inevitably intertwined with rapidly advancing technology. Be prepared to be amazed by the possibilities of AI, and get excited to lead others in a trustworthy digital revolution.

Endnotes

1 The Matrix trilogy refers to the first three Matrix movies: The Matrix (1999), The Matrix Reloaded (2003) and The Matrix Revolutions (2003).
2 Lee, K.-F.; AI Superpowers: China, Silicon Valley, and the New World Order, Houghton Mifflin Harcourt, USA, 2018
3 Christopher Eliot serves as chairperson on the Hanscom Field Advisory Commission. His background includes software engineering, in addition to his extensive research on aviation operations. The HFAC, established under the Hanscom Field Master Plan, provides continued communication between the communities surrounding Hanscom Field in Massachusetts, USA, and the Massachusetts Port Authority.
4 The Massachusetts Port Authority, (Massport), operates Massachusetts' Logan Airport, Hanscom Field Airport and Worcester Regional Airport for aviation operations. Massport also runs port operations in Boston Harbor and holds various properties along the waterfront.
5 The asterisked names have been changed from the names of the actual individuals involved.

CINDY BAXTER | CISA, ITIL FOUNDATION

Is executive assistant to the Massport Community Advisory Committee (MCAC). Baxter is pleased that technology has allowed her to reinvent her career and continue learning through all of it. She had the privilege of learning technology and managing Fortune 100 client relationships at AT&T. Baxter then applied her expertise as an IT operations director at Johnson & Johnson before moving to compliance and risk management roles at AIG and State Street Corporation. After a brief period of running her own consulting business, Baxter joined MCAC, which advocates on behalf of communities impacted by the Massachusetts Port Authority's aviation and port operations. She applies her expertise to website redesign, drafting vendor requests for proposals (RFPs), updating bylaws and providing regulatory support to the MCAC board. In her spare time, Baxter serves as compliance and operations officer for the ISACA® New England Chapter (Maine, Massachusetts, New Hampshire and Vermont, USA) and volunteers on the Nantucket Lightship.