Harnessing Artificial Intelligence in Internal Audit:
Navigating opportunities and risks with ISO 42001
The internal audit profession is undergoing a transformative shift, driven by emerging technologies such as Artificial Intelligence (AI). As AI becomes deeply embedded in business operations, internal auditors must not only assess the risks of AI adoption across the organisation, but also explore how AI tools can enhance audit performance.
The publication of ISO/IEC 42001:2023, the first international standard for AI Management Systems, marks a pivotal moment. It offers organisations - including internal audit functions - a framework to ensure the responsible use, governance and assurance of AI systems.
Understanding ISO/IEC 42001:2023
ISO/IEC 42001 provides comprehensive guidance for implementing an AI management system that aligns with organisational objectives, while ensuring ethical, safe and transparent use of AI technologies. Key principles include:
• AI governance and oversight
• Risk-based thinking
• Transparency and explicability
• Human involvement and accountability
• Continual improvement and auditability.
For internal audit, ISO 42001 acts as both a reference for auditing AI systems and a guide for using AI in a controlled and compliant manner.
How internal audit can leverage AI
Internal audit functions are increasingly integrating AI to strengthen their capabilities in areas such as:
Risk assessment and planning: AI tools can rapidly analyse large datasets across the organisation to identify trends, red flags and emerging risks, helping auditors focus on what matters most.
Continuous monitoring and testing: AI enables real-time monitoring of controls and transactions, making continuous auditing a practical reality.
Predictive insights: Machine learning models can provide forecasts of likely risk events or control failures, allowing auditors to shift from reactive to proactive approaches.
Automation of routine tasks: AI, combined with Robotic Process Automation (RPA), can handle data collection, reconciliations and sampling - freeing auditors to focus on judgement-based areas.
Risks related to using AI in internal audit
While AI offers substantial benefits, its adoption in internal audit is not without risks. Key considerations include:
Data quality and integrity: AI tools are only as good as the data they are trained on. Poor quality or biased data can lead to incorrect conclusions, affecting audit accuracy and credibility.
Lack of transparency (black box models): Some AI models, particularly deep learning, operate as ‘black boxes’, making it difficult for auditors to understand how outputs are generated. This raises concerns over explicability and accountability.
Ethical and privacy concerns: AI tools that analyse sensitive data must comply with data protection regulations (e.g. GDPR). Misuse can lead to legal or reputational risks.
Skill gaps: Effective use of AI requires a level of data analytics and AI literacy that many audit teams may currently lack. This can lead to misinterpretation of results or overreliance on flawed models.
Overdependence on AI: Relying too heavily on AI tools may lead to reduced professional scepticism and human judgement, especially if the outputs are not critically evaluated.
Model drift and relevance: AI models may become less accurate over time if they are not updated to reflect changing conditions - a risk known as model drift.
Integration challenges: Integrating AI into legacy audit systems and processes may require significant change management, infrastructure investment and alignment with risk and control frameworks.
Mitigating the risks: the role of ISO/IEC 42001
The structured approach of ISO/IEC 42001 helps internal audit functions identify, assess and manage these AI-related risks through:
• Defined AI risk governance frameworks
• Controls for model validation, data quality and auditability
• Guidelines on ethical AI use and human oversight
• Emphasis on transparency, documentation and continuous improvement.
By aligning with ISO 42001, internal audit can ensure its AI initiatives are responsible, resilient and risk-aware.
Conclusion
AI has the potential to elevate internal audit from a retrospective assurance function to a forward-looking, insight-driven adviser. However, as with any powerful tool, its use must be governed carefully.
ISO/IEC 42001 offers internal auditors a timely and globally recognised framework to navigate the complexities of AI adoption - both in auditing AI systems and using AI tools within the audit function itself.
By embracing AI responsibly, internal audit can drive greater efficiency, insight and value - while upholding trust, transparency and accountability in the age of intelligent automation.
How BDO can help
BDO’s internal audit risk advisory experts apply the practical experience and knowledge gained from working with clients locally and worldwide.
Please reach out to the relevant partner in your local BDO firm for further information.
Author: Bahaa Abdelmawgod, Risk Advisory Services, BDO Saudi Arabia