All Things Internal Audit: Risk & Cyber Audit Opportunities with AI

All Things Internal Audit
28 Jun 2024 08:54

Summary

TLDR: In this episode of 'All Things Internal Audit Tech', thought leaders discuss the transformative role of AI in risk and cybersecurity audits. David Petrisky and Brian Willis from the Institute of Internal Auditors and LBMC highlight how AI models, trained on specific compliance documents like PCI, offer informed and accurate responses. Canal Agrawal from Diligent underscores AI's utility in continuous risk assessment, scenario analysis, and enhancing communication across departments. West Blocki and Ethan Rohani from Grant Thornton emphasize AI's efficiency in dynamic risk assessment, while Brian Willis showcases generative AI's potential in cybersecurity, offering audit accuracy, consistency, and cost reduction.

Takeaways

  • 🧠 AI is being trained on specific organizational documents to understand controls and operations for compliance programs, such as the development of a PCI GPT at LBMC.
  • 🗣️ AI's text analysis capabilities are enhancing the process of interviews and surveys, allowing for pattern recognition and more informed risk assessments.
  • 🔍 AI facilitates continuous risk assessment, identifying the highest risks in real-time rather than waiting for periodic assessments.
  • 📊 Scenario analysis is being improved with AI by combining data from various departments to simulate different risk scenarios.
  • 📝 AI is aiding in risk scoring, communication, and engagement within and outside the audit department.
  • 🛠️ A dynamic framework model is being developed to score and rank risks, allowing for customized input based on an organization's unique framework.
  • 🌐 AI enables 24/7 risk assessment conversations, improving efficiency and employee satisfaction by removing time zone barriers.
  • 🔒 Generative AI, like ChatGPT, is a promising tool for cybersecurity audits, providing a knowledgeable base similar to an experienced team member.
  • 📚 AI tools offer audit accuracy and consistency by providing direct access to documented information without the need for manual search.
  • 💰 The cost of compliance is reduced through AI, as it expedites the review of documentation and evidence, saving man hours in the audit process.

Q & A

  • How is AI being integrated into compliance programs according to the transcript?

    - AI is being used to train models on specific organizational systems and controls, such as creating a custom GPT trained on PCI documentation, to understand and provide informed answers about compliance requirements.

  • What is the significance of training an AI model like GPT on specific information?

    - Training an AI model on specific information allows it to provide well-informed, accurate answers based on the trained documents, reducing the likelihood of providing incorrect or fabricated information.

  • How can AI assist in continuous risk assessment as mentioned by Canal Agrawal?

    - AI can analyze text data from interviews and surveys to identify patterns, support continuous risk assessment by identifying the highest risks in real-time, and aid in scenario analysis by integrating data from different departments.

  • What are some of the practical applications of AI in enhancing risk assessment processes?

    - AI can be used for risk scoring, improving communication about risks across departments, and developing dynamic frameworks for weighted scoring based on an organization's specific industry and business needs.

  • How does AI support audit accuracy and consistency in the context of cyber security?

    - AI tools like ChatGPT provide access to a reliable knowledge base of documented information about cyber security audit and compliance, ensuring that the information obtained is accurate and consistent.

  • What benefits does AI offer in terms of cost of compliance in audits?

    - AI can reduce the time spent on audits by quickly searching through documentation and providing instant answers, thereby decreasing the cost of compliance in terms of both time and expenditure.

  • How can AI improve communication within and outside the audit department?

    - AI can help in ensuring that both audit teams and other departments are aware of risks, facilitating better communication and understanding of potential issues.

  • What is the potential impact of AI on employee satisfaction in a global company?

    - AI can enable employees to have conversations and preliminary discussions at any time, streamlining communication and avoiding the need for inconvenient scheduling, thus increasing employee satisfaction.

  • What is the role of generative AI in cyber security audit and compliance?

    - Generative AI serves as a knowledgeable team member that has access to all documented information about cyber security audit and compliance, providing a conversational interface for accessing this information.

  • How does AI contribute to a more efficient and dynamic risk assessment process?

    - AI can perform risk evaluation, identification, impact assessments, and scoring analysis in a dynamic framework model, allowing for a more efficient and tailored risk assessment process.

  • What is the potential of AI in facilitating deeper and more useful conversations in audits?

    - AI can be used to conduct preliminary discussions, gathering information that can streamline deeper and more useful conversations when humans interact, improving the overall audit process.

Outlines

00:00

🤖 AI in Compliance Programs and Cybersecurity Audits

This paragraph discusses the integration of AI into compliance programs and cybersecurity audits. David Petrisky and Brian Willis explore the use of AI models like ChatGPT, which can be customized and trained on specific organizational information. They highlight the development of a PCI GPT at LBMC, trained on PCI documentation to provide informed answers on compliance requirements. The paragraph also touches on the broader applications of AI in risk assessment, emphasizing the efficiency and accuracy AI brings to the auditing process.

05:00

🔍 Enhancing Risk Assessment with AI

The second paragraph delves into how internal auditors are leveraging AI for risk assessments. Canal Agrawal explains the utility of AI in analyzing text data from interviews and surveys to identify patterns and risks. The discussion covers continuous risk assessment facilitated by AI, reducing the time and effort required for traditional assessments. Additionally, the paragraph touches on the role of AI in scenario analysis, where data from various departments can be used to simulate different scenarios and inform risk assessments. The conversation also includes the use of AI in engagement risk assessments, risk scoring, and improving communication across departments.

🌐 Global Conversations and AI-Driven Risk Assessments

This paragraph focuses on the practical applications of AI in enhancing risk assessment processes, making them more dynamic and efficient. West Blocki and Ethan Rohani discuss the use of AI for risk evaluation, identification, and impact assessments, as well as scoring analysis. They mention the development of a tool that uses a dynamic framework model for weighted scoring based on an organization's framework, allowing for a more tailored and accurate risk assessment. The paragraph also highlights the benefits of AI in enabling global conversations at any time, improving employee satisfaction and streamlining preliminary discussions.

🛡️ Generative AI's Role in Cybersecurity

Brian Willis concludes the script by discussing the practical applications of generative AI in cybersecurity. He emphasizes the benefits of AI as a tool that provides audit accuracy and consistency, offering a conversational interface to access documented cybersecurity information. The paragraph outlines how AI can support compliance programs by providing a reliable knowledge base and reducing the cost of compliance through more efficient audit activities. Willis also mentions the ability of AI to quickly review and search through extensive documentation, thereby saving time and resources in the auditing process.

Keywords

💡 AI in Compliance Programs

AI in compliance programs refers to the application of artificial intelligence to ensure that organizational processes adhere to regulatory standards. This can include the use of AI to automate and streamline compliance checks, generate reports, and ensure accuracy in compliance activities. In the script, David Petrisky and Brian Willis discuss how AI models like GPT can be trained on specific compliance documents to answer detailed questions accurately, enhancing the efficiency and effectiveness of compliance programs.

💡 PCI GPT

PCI GPT is a customized AI model specifically trained on Payment Card Industry (PCI) compliance documentation. It is designed to provide accurate and informed responses to queries related to PCI requirements. In the script, Brian Willis mentions the creation of a PCI GPT at LBMC, which is trained on PCI documents, report templates, FAQs, and other supporting documents, enabling the tool to provide precise answers regarding PCI compliance requirements.

💡 Continuous Risk Assessment

Continuous risk assessment involves the ongoing evaluation of risks within an organization rather than periodic assessments. This allows for more dynamic and timely identification and mitigation of risks. Canal Agrawal discusses how AI can facilitate continuous risk assessments by automatically analyzing data, identifying high-risk areas, and updating risk evaluations in real time, which helps organizations maintain a proactive approach to risk management.

💡 Scenario Analysis

Scenario analysis is the process of evaluating possible future events by considering alternative possible outcomes (scenarios). It is used in risk management to predict and prepare for various potential risks. In the script, Agrawal explains how AI can enhance scenario analysis by integrating data from different departments and running simulations to provide insights for risk assessments, enabling more informed decision-making.

💡 Risk Scoring

Risk scoring is the process of quantifying the level of risk associated with different aspects of an organization's operations. It helps prioritize risks and allocate resources effectively. In the video, risk scoring is mentioned as a use case for AI, where AI tools can evaluate, identify, and score risks based on the organization's framework, making the risk assessment process more efficient and accurate.

💡 Generative AI

Generative AI refers to artificial intelligence systems that can generate new content, such as text, images, or code, based on the data they have been trained on. This type of AI can create responses, complete tasks, and provide information in a conversational manner. In the context of the script, generative AI tools like ChatGPT are used to support cyber security audits by quickly retrieving relevant information from extensive documentation, thus improving audit accuracy and efficiency.

💡 Audit Accuracy and Consistency

Audit accuracy and consistency refer to the precision and uniformity in conducting audits, ensuring that the findings and processes are reliable and repeatable. Brian Willis emphasizes how AI, particularly generative AI, can enhance audit accuracy and consistency by providing precise answers and reducing the chances of errors. AI tools can analyze large volumes of data consistently, helping auditors maintain high standards in their evaluations.

💡 Cost of Compliance

The cost of compliance includes the expenses incurred by an organization to adhere to regulatory requirements, which can involve audit time, resources, and financial expenditure. The script highlights how AI can reduce these costs by automating parts of the compliance process, such as document review and data analysis, thereby decreasing the amount of time and effort required from human auditors and lowering overall compliance costs.

💡 Dynamic Framework Model

A dynamic framework model in risk assessment is a flexible and adaptable approach that allows organizations to input their specific risk evaluation criteria and weights. This model adjusts to different organizational needs and industries. West Blocki describes a tool being developed to use a dynamic framework model for risk assessment, enabling tailored risk scoring and pinpointing focus areas specific to each organization.

💡 Cyber Security Audits

Cyber security audits involve the systematic evaluation of an organization's information systems to ensure they are secure and compliant with regulatory standards. AI is used in cyber security audits to enhance efficiency by quickly analyzing extensive documentation and identifying vulnerabilities. Brian Willis discusses how generative AI tools are being employed in cyber security audits to improve audit processes and ensure thorough compliance with security requirements.

Highlights

Introduction of AI's role in internal audit, risk, and cybersecurity.

David Petrisky discusses how AI models are trained to understand specific controls and operations within organizations.

Brian Willis explains the creation of a PCI GPT model at LBMC, which is trained on PCI documents to provide informed answers.

The PCI GPT model helps in obtaining specific requirements for multi-factor authentication and data encryption.

Canal Agrawal highlights the usefulness of AI in continuous risk assessment and scenario analysis.

AI's capability to analyze text data from interviews and surveys for identifying patterns in risk assessments.

AI facilitates automatic and continuous risk assessments, reducing the manual workload by 60-70%.

Use of AI in scenario analysis to integrate data from different departments for risk assessment.

AI's role in risk scoring and communication between audit teams and other departments.

West Blocki and Ethan Rohani discuss dynamic risk assessment models that use AI for risk evaluation, identification, and scoring.

AI tools enable global teams to have asynchronous conversations, improving employee satisfaction and efficiency.

Brian Willis returns to discuss the practical applications of generative AI in cybersecurity.

Generative AI tools like ChatGPT provide accurate and consistent information for cybersecurity audits.

AI reduces the time and cost of compliance by quickly reviewing large documents and finding relevant information.

AI enhances audit accuracy and consistency by providing a reliable knowledge base.

Brian Willis notes that AI supports both auditors and those responsible for maintaining compliance programs.

Transcripts

00:00
[Music]

00:02
The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, hear from multiple thought leaders on how AI is being used in risk and cyber security audits. They'll discuss the opportunities and benefits AI offers internal auditors. First, let's jump into AI in compliance programs with David Petrisky, director of Professional Standards at the IIA, and Brian Willis, senior lead auditor at LBMC.

00:31
Have you seen use cases where people are uh training the AI model to on their system, so the the model understands, you know, the uh the controls and and the operations in their particular organization?

00:45
Yes, and in fact one of the uh one of the great features with, say, a ChatGPT is that you can actually you can actually create custom GPTs and then train that on specific information. What we're doing at LBMC, and and you've asked about PCI, but specifically around PCI, is we developed a a a PCI GPT, and we've introduced all of the PCI documents, the report templates, the uh the FAQs, the uh supporting documents, the, you know, knowledge based documents that they've published uh into this tool. And based on having all based on all of that information, we're able to then prompt that GPT with questions about, hey, what are the specific requirements around multi-factor authentication or data in encryption, and we can get the answers we need specifically around that. And we can know that, because it's been trained on that document, on that PCI documentation, that the answers we're get we're getting are well informed and it's not just uh maybe hallucinating and just making up answers that it's culled off of uh uh off of the internet.

01:47
Next, let's turn to Canal Agrawal, director of customer success at Diligent, to discuss the usefulness of AI in continuous risk assessment and scenario analysis.

01:55
How are internal auditors using artificial intelligence for risk assessments?

02:00
So I would say there are different areas where internal auditors can really find AI to be useful. Number one definitely is the interviews and surveys. So AI really gives a lot of power to analyze the text data uh which are part of the surveys, uh and it can create different patterns which can flow into uh as an input into your into your process. The number two could be, um, you know, the automatic risk assessment, uh which means that you're trying to get into a more uh continuous risk assessment process, uh so you're not waiting for a certain period or certain time frame to do your risk assessment, but you already have the highest risk identified through AI, and then what you're trying to do is add on whatever you want to add to that. So the 60 to 70% of the job is already done. The other thing could be, you know, scenario analysis, where uh, you know, you can actually bring in data from different departments and then you can run scenarios uh based on that to to get the input for for your risk assessment.

03:01
Is it being used at all uh at an engagement level, for engagement risk assessments? I mean, you mentioned the surveys and that would probably uh be a pretty good method, but are there other ways that uh it's being used to scope engagements or identify risks within particular subject areas?

03:17
I think it is definitely used in risk scoring for sure. I think that is one area where it is definitely used. Uh, communication is another area we're picking up, where if audit teams are communicating with other departments, sometimes you you want to make sure that the audit teams, not only the audit teams but the other teams outside of audit, are aware of the risk. So, you know, it is also helping out in communication outside of the audit department. So there's engagement, there is risk scoring, and there's communication.

03:43
Building on that, West Blocki, senior manager at Grant Thornton, and Ethan Rohani, principal at Grant Thornton, highlight how AI is being applied to enhance the risk assessment process, making it more dynamic and efficient.

03:56
Are there any other uh applications or or use cases that uh, you know, you see out there that we haven't touched on yet that you think, you know, you want to get many?

04:07
Be careful what you asked for, I could go on for hours. But uh I would say, um, one of the big ones that we're working on right now, the risk assessment space. Okay. So um there's a lot of opportunity for risk evaluation, risk identification, um performing risk impact assessments, and um doing scoring anal...

04:28
Yeah, will it uh uh uh forecast, estimate uh, you know, a risk exposure?

04:32
So we are working on a tool right now that'll actually do that with with the a dynamic framework model, so you can actually input your organization's framework for for weighted scoring, because every organization is a little bit different depending on the industry and the the business. So uh you can be able to you can input that information and and, without giving away too much before you roll it out, uh it will allow you to to help um score and and risk rank and and pinpoint areas of focus.

05:00
I will say one of the most interesting use cases that I've seen, and it's related to the risk assessment question, is enabling folks to have conversations at all hours of the day and doing the preliminary discussions with the AI and gathering that information, so that when the humans actually talk it's a much deeper, more useful conversation and you've gotten a lot of the little things out of the way. Kind of streamlines things. It also enables somebody that's in Denver, Colorado to have a conversation in Bangalore on their time schedule, so that you're not trying to shift hours to have a conversation at 2 in the morning. So again, employee satisfaction goes skyrocketing when you're not getting up at 2 in the morning to go have a conversation.

05:39
Those global co conference calls, yeah. Thank you very much for your time. Thank you D, appreciate it. All right, thanks.

05:45
Finally, Brian Willis returns to discuss the practical applications of AI in enhancing risk assessment.

05:52
Can you tell us a little bit about how generative AI is being used in cyber security?

05:57
Yeah, it's a great question. Um, AI really uh is presenting itself as an as a very effective and promising tool uh for cyber security audit and compliance, um and particularly when we talk about AI, uh I think the thing that that most people are are talking about is generative AI, so ChatGPT and Copilot and tools like that. Um, and I think the way I like to think about it is, imagine if you could add a team member who knew everything about every everything that was ever documented about cyber security audit and compliance. That's what a having AI as a tool uh for your compliance program is like. So uh even better than uh your traditional Google search, uh where you would uh perform a search and have to look through links and information everything, now you can get that information just in a conversational manner. Uh so it really is a a great tool that's benefiting our uh our industry.

06:49
A couple of the key benefits I like to talk about are audit accuracy and consistency. So just like with getting a Google search you're able to go through uh documented information that's been published on the internet, the same way that's where that information that a generative AI tool uses comes from, the straight from the internet. And so when you're having that conversation, it's like being able to get directly to that information without having to click through search links and things. Uh so it brings that element of of accuracy, consistency. It can support your program uh again through having that reliable knowledge base, uh to be able to support folks who are both conducting audit and as well as those folks who have have responsibilities for uh implementing and maintaining a compliance program.

07:32
The other benefit I like to think about are the the cost of compliance, both in terms of audit time and expenditure. Um so uh at LBMC we're using already a couple of tools to support and supplement our audit activities, to where uh the the tool allows us to review documentation, review evidence that our clients provide to us, in a much more timely manner. It can search through a 300 page uh security policy and find the answers we're looking for in an instant, uh without somebody having to search through that document. Likewise, uh if you are um for a team that is either responsible for maintaining compliance or for conducting an audit, if you're an internal or an external auditor, it just results in fewer man hours uh on the audit. You're able to uh go through these activities, execute them quicker, and so the cost of compliance uh comes down. So just a couple of key benefits that we're seeing with AI and in cyber security.

08:27
Well, thank you very much, Brian. It's been great talking to you about uh internal audit's use of artificial intelligence.

08:30
If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcast. You can also catch other episodes on YouTube or at the i.org that's T he a.org

08:47
[Music]
