⚡ TL;DR
As organizations adopt AI, machine learning, and automation, auditors must learn to assess these technologies — examining data quality, model design, bias, explainability, and the controls governing their use. Auditing AI requires new skills and a focus on model governance, because an unexamined algorithm making business decisions is an unaudited control operating at scale.

Auditing AI is the frontier of the assurance profession. As companies embed artificial intelligence and automation into decisions that once required human judgment — credit approvals, fraud detection, pricing, hiring — these algorithms become controls that need assurance. Yet most audit functions lack the skills to examine them. This guide explains the risks of AI, the controls that matter, and how auditing must evolve.

Key Takeaways

Why audit AI?
An AI model making business decisions is a control operating at scale. If it is biased, wrong, or unexplainable, it can cause harm across every decision it touches — unexamined.

What are the key AI risks?
Poor data quality, bias, lack of explainability, model drift over time, and inadequate governance over how models are built, deployed, and monitored.

What does AI audit require?
New skills (data science literacy), a focus on model governance, and frameworks for assessing fairness, transparency, and control over algorithmic decisions.

Why does AI need to be audited?

When an AI model makes or influences business decisions, it functions as a control — and like any control, it can be flawed. A biased model can systematically disadvantage groups; a poorly trained model can make wrong decisions at scale; an opaque model can produce outcomes nobody can explain or challenge. Without assurance, these risks operate invisibly across every decision the model touches.

The scale is what makes AI risk distinctive. A human error affects one decision; a flawed algorithm affects every decision it makes, potentially thousands per day. This amplification means AI controls deserve at least as much assurance as the manual controls they replace, extending the audit mandate into territory covered by our data analytics discussion but going further into the models themselves.

What are the main risks of AI systems?

Key AI risks include data quality and bias (a model trained on biased or poor data produces biased or poor results), lack of explainability (complex models whose decisions cannot be understood or justified), model drift (performance degrading as real-world conditions change), and weak governance (no control over how models are built, validated, deployed, and monitored).

Bias is particularly consequential because it can cause discrimination, legal liability, and reputational harm. A model that appears neutral may embed historical bias from its training data. Explainability matters for regulated decisions where the organization must justify outcomes. These risks require auditors to look inside the model, not just at its outputs, a significant shift in audit approach.

[Figure: Auditing the AI Lifecycle. Stages shown: Data quality & bias; Model design; Validation & testing; Deployment controls; Monitoring & drift. Caption: Auditors assess controls at each stage of the model lifecycle.]
Auditing AI means assessing controls across the entire model lifecycle.

What is model governance and why does it matter?

Model governance is the framework of controls over how AI and analytical models are developed, validated, approved, deployed, monitored, and retired. It ensures models are built properly, tested for accuracy and bias, approved before use, monitored for drift, and documented — bringing discipline to what is often an uncontrolled, experimental process.

Strong model governance is the primary control auditors assess: who can deploy a model, how it was validated, whether bias was tested, how its performance is monitored, and who is accountable. Without governance, models proliferate uncontrolled, and the organization cannot answer basic questions about the algorithms making its decisions. This governance gap is one of the most significant emerging control risks for technology-driven companies.

💡 Pro Tip: Start by inventorying the AI and significant models already in use. Most organizations are surprised to discover how many consequential algorithmic decisions are being made with no governance, validation, or oversight — you cannot audit what you have not identified.

How do auditors assess AI fairness and bias?

Assessing fairness involves examining the training data for representativeness, testing model outputs across different groups for disparate impact, and evaluating whether the model’s decisions can be explained and justified. Auditors look for evidence that bias was tested during development and is monitored in production, not assumed away.
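The disparate-impact test described above, as an added example that is not part of the original article: it takes a constructed log of model decisions with a protected-attribute column, compares each group's selection rate with the most-favoured group, and applies the four-fifths (80%) ratio as the flag threshold. The decision records, the threshold and the minimum group size are assumptions for illustration.

```python
"""Disparate-impact check over a sample of model decisions.

Added example for this article, not the page's or any vendor's code.
Assumes a decision log of (protected group, approved) records and uses
the four-fifths (80%) ratio as the flag threshold.
"""
from collections import defaultdict

# Constructed sample: (group, approved) records from a credit-decision model.
SAMPLE_DECISIONS = (
    [("A", True)] * 80 + [("A", False)] * 20
    + [("B", True)] * 50 + [("B", False)] * 50
    + [("C", True)] * 7 + [("C", False)] * 3
)


def selection_rates(decisions):
    """Return {group: (approvals, total)} for the given records."""
    counts = defaultdict(lambda: [0, 0])
    for group, approved in decisions:
        counts[group][1] += 1
        if approved:
            counts[group][0] += 1
    return {g: (a, n) for g, (a, n) in counts.items()}


def disparate_impact(decisions, threshold=0.8, min_group_size=30):
    """Compare each group's selection rate with the most-favoured group.

    Groups smaller than min_group_size are reported but not used as the
    reference or flagged, because a rate drawn from a handful of cases is
    not reliable audit evidence on its own.
    """
    rates = selection_rates(decisions)
    usable = {g: a / n for g, (a, n) in rates.items() if n >= min_group_size}
    if not usable:
        raise ValueError("no group large enough to serve as a reference")
    reference = max(usable.values())
    findings = {}
    for g, (a, n) in rates.items():
        rate = a / n
        if n < min_group_size:
            findings[g] = {"rate": rate, "n": n, "ratio": None,
                           "flag": "insufficient sample"}
            continue
        ratio = rate / reference
        findings[g] = {"rate": rate, "n": n, "ratio": round(ratio, 3),
                       "flag": "adverse impact" if ratio < threshold else "ok"}
    return findings
```

A ratio below the threshold is a finding to raise with the model owner, together with evidence of whether the same test was run before deployment and is repeated in production.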

This requires data science literacy that traditional auditors often lack, which is why AI audit usually involves specialist skills, either developed in-house or co-sourced. The assessment also considers the regulatory context: some jurisdictions are introducing specific AI regulation requiring fairness, transparency, and human oversight, making bias assessment a compliance matter as well as a risk one.

How must the audit function evolve for AI?

The audit function must develop new capabilities: data science literacy to understand models, frameworks for assessing algorithmic fairness and explainability, and the ability to evaluate model governance. This means upskilling existing auditors, hiring specialists, or co-sourcing technical expertise — the same evolution that data analytics demanded, taken further.

The function must also stay current with rapidly evolving AI regulation and emerging risks. AI audit is not a one-time capability but a continuously developing one, as the technology and its risks evolve. Functions that fail to build this capability will find an ever-larger share of their organization’s consequential decisions operating beyond their assurance — a growing blind spot the board cannot afford.

What about auditors using AI themselves?

AI is also a tool for auditors, not just a subject of audit. Machine learning can analyze entire transaction populations, detect anomalies, predict risk areas, and automate routine testing, dramatically extending what audit teams can cover. The same technology that creates new risks also enhances the auditor’s ability to find them.

Using AI in audit raises its own questions — the auditor must understand and validate the tools they rely on, avoiding the trap of trusting an algorithm they cannot explain. The principle is consistency: auditors should hold their own AI tools to the same governance and validation standards they expect of the business, ensuring their analytics are reliable and their conclusions defensible.

⚠️ Risk: Deploying AI in consequential decisions without governance, validation, or audit is one of the fastest-growing control gaps in modern business. An unaudited algorithm making thousands of decisions is an uncontrolled process operating at a scale no manual error could match.

What regulatory landscape is emerging for AI?

AI regulation is developing rapidly, with frameworks emerging that require transparency, fairness, human oversight, and risk management for AI systems — especially high-risk applications like credit, employment, and essential services. The EU AI Act is the most comprehensive, classifying AI by risk level with corresponding obligations, and other jurisdictions are following.

For organizations, this means AI governance is becoming a compliance requirement, not just good practice. Auditors must understand the emerging regulatory landscape and assess whether AI systems meet the applicable obligations. For multinational groups, AI regulation will vary by jurisdiction, adding another layer to the compliance map. Staying ahead of this evolving regulation is part of the forward-looking risk management that protects the organization from future exposure.

How do you govern AI models that vendors provide?

Increasingly, organizations use AI built into vendor products rather than developing it themselves — a credit-scoring service, a fraud-detection tool, an HR screening system. This creates a third-party AI governance challenge: you are accountable for decisions made by an algorithm you did not build and may not be able to inspect.

Governing vendor AI requires due diligence on how the vendor built and validated the model, contractual transparency about its operation, and monitoring of its outcomes for bias or error. The accountability does not transfer to the vendor — if a vendor’s biased algorithm causes you to discriminate, the liability is yours. This intersection of AI governance and third-party risk is a fast-growing concern as AI becomes embedded in purchased software.

What controls reduce AI risk most effectively?

The most effective AI controls are governance-based: a model inventory, mandatory validation and bias testing before deployment, human oversight of consequential decisions, ongoing monitoring for drift and bias, and clear accountability for each model. These bring the same control discipline to algorithms that the organization applies to other significant processes.

Human oversight is particularly important for high-stakes decisions — ensuring a person can review and override algorithmic outcomes, especially where they affect individuals’ rights or significant amounts. Combined with validation and monitoring, human oversight prevents the scenario where an unexamined algorithm causes harm at scale before anyone notices. These controls turn AI from an uncontrolled risk into a governed capability, the goal of mature model governance.

How do you audit robotic process automation (RPA)?

Robotic process automation — software bots that perform routine tasks — creates control risks similar to but distinct from AI. Auditors assess whether bots have appropriate access (bots often hold powerful credentials), whether their actions are logged and monitored, whether changes to bot logic are controlled, and whether the processes they perform retain adequate human oversight.

RPA can silently scale errors or create segregation-of-duties conflicts — a bot performing multiple steps of a process that should be separated. Bot credentials are also an attractive target, since they often have broad access. Governing RPA with the same discipline as human-performed processes — access control, change management, monitoring — is the auditor’s focus, applying ITGC principles from our ITGC guide to automated workers.

What skills will the future audit team need?

The future audit team blends traditional audit judgment with technology fluency: data analytics, an understanding of AI and automation, cybersecurity awareness, and the ability to assess complex technical controls. The pure financial-controls auditor of the past is giving way to a hybrid professional comfortable with both risk and technology.

Building this capability means upskilling existing auditors, recruiting technical specialists, and co-sourcing expertise for the deepest technical work. The function that fails to evolve will find an ever-larger share of the organization’s risk — algorithmic decisions, cyber exposure, automated processes — operating beyond its assurance. The evolution is not optional; it is the price of remaining relevant as the organization itself becomes more technological, a theme running through the modern data-driven audit.

How do you build trust in AI-driven decisions?

Trust in AI decisions comes from transparency, validation, and accountability — being able to explain how the model works, demonstrating it was tested for accuracy and fairness, and ensuring a person is accountable for its outcomes. Independent audit of these elements provides external assurance that the trust is warranted, not assumed.

For consequential decisions — those affecting individuals’ rights, significant amounts, or regulatory matters — explainability and human oversight are especially important. Stakeholders, regulators, and affected individuals increasingly demand to understand and challenge algorithmic decisions. Building this trust through governance and independent assurance is what allows organizations to deploy AI responsibly, capturing its benefits without exposing themselves to the risks of unexamined, unaccountable automation that operates at scale.

How do you start an AI audit program from scratch?

Starting an AI audit program begins with discovery — inventorying the AI and significant models already in use, which is usually more than the organization realizes. From there, assess each model’s risk based on the consequence of its decisions, establish governance requirements (validation, monitoring, accountability), and build or acquire the skills to assess the highest-risk models.

The program should grow incrementally: govern the most consequential models first, build capability and frameworks, then extend coverage. Co-sourcing technical expertise while building internal capability is a practical starting approach. The key is to begin — every consequential algorithm operating without governance is an unassured control, and the inventory alone often reveals risks the organization did not know it carried, the essential first step toward bringing AI within the assurance framework.

Frequently Asked Questions

Do auditors need to be data scientists?

Not necessarily, but they need enough data science literacy to assess models meaningfully, often working alongside specialists for technical depth.

What is model drift?

The degradation of a model’s accuracy over time as real-world conditions diverge from its training data. It requires ongoing monitoring to detect and correct.

Is AI audit a regulatory requirement?

Increasingly, in some sectors and jurisdictions. AI-specific regulation is emerging, requiring fairness, transparency, and human oversight of algorithmic decisions.

How do you audit a model you cannot explain?

Explainability is itself an audit finding. If a consequential model cannot be explained, that lack of transparency is a control weakness the auditor reports.

Last Updated: June 2026 · Reviewed by the Kurums Finance editorial team.
