
How internal audit professionals should be adapting to AI


WRITTEN BY

Jesse Laseman

Artificial intelligence (AI) is embedding itself into businesses faster than most can govern it. Companies are using it to automate finance processes, improve forecasting and decision-making, and much more to stay competitive. What they are not always doing is establishing the policies, ownership, risk assessments, and control frameworks that need to accompany it.

Internal audit teams consistently cite two major concerns:

  • Failure to identify emerging risks early 
  • Delayed response to new technologies implemented throughout the business 

These concerns apply equally to auditing AI systems, where risks such as bias, privacy exposure, and lack of transparency can significantly affect business performance and reputation. Yet, while AI technology is new, the core tenets of internal audit are not.

For internal audit leaders, the mandate is urgent: ensure AI tools remain reliable, compliant, and appropriately controlled while their adoption accelerates. 

This article details how internal audit teams can build effective AI assurance in stages:

  • Understanding AI use 
  • Planning the audit 
  • Testing key risk areas

The starting point: establishing an understanding

Internal audit teams must learn how AI systems function, how they’re being used within the company, and the corresponding regulatory expectations. 

A baseline understanding of AI systems includes learning core AI concepts such as machine learning, natural language processing, training data, and model drift. This knowledge strengthens communication with stakeholders and improves the ability to interpret AI-driven outcomes. 

Just as importantly, auditors must understand how AI is actually used across the company: what tools are in use, what objectives they support, and how they integrate into existing processes and systems. This requires creating an inventory of AI use cases, including internally developed tools, embedded AI in third-party platforms, and employee use of public AI applications. Without this inventory, companies may overlook “ghost AI”: tools or capabilities used without approved governance, procurement, IT, or risk management processes.

Each use case should identify the business owner, purpose, data involved, third parties or vendors supporting the tool, whether sensitive or regulated information is used, and how outputs influence decisions. This baseline helps internal audit assess risk, prioritize higher-risk use cases, and determine whether governance, controls, and monitoring are keeping pace with actual AI adoption.

Regulatory expectations must also be considered as AI and data protection requirements evolve. Internal auditors should remain aware of requirements such as the EU AI Act, GDPR, CCPA/CPRA, SEC cybersecurity disclosure rules, HIPAA, and GLBA, and assess how these obligations affect data governance, cybersecurity, third-party oversight, and the broader control environment. 

As AI becomes embedded in daily operations, internal audit must understand how these systems support organizational objectives and shape decisions. We are seeing a clear pattern across clients: AI adoption falls into four primary use cases:

  • Enhancing operational efficiency 
  • Improving forecasting, reporting, and decision-making 
  • Supporting more advanced analytics across business functions  
  • Identifying patterns that traditional methods miss

From understanding to planning: designing an audit approach

Once a baseline understanding is gained, the focus should shift to auditing AI in a way that is structured, risk-based, and aligned with organizational priorities. Defining audit objectives helps focus attention on tool reliability, compliance, data governance, and accountability expectations.

A thorough risk assessment is essential because AI introduces risks that traditional systems either do not present or present in a different form, including:

  • Biased outputs 
  • Misuse of sensitive data 
  • Cybersecurity vulnerabilities 
  • Unclear ownership over model decisions

Engaging stakeholders early helps ensure the audit scope reflects how the business actually uses AI and secures buy-in from the teams involved.

Key AI risk areas to test

With scope and objectives established, internal audit can evaluate the areas where AI risk most commonly appears.

Governance and documentation

A governance and documentation review is often a strong starting point. Companies should clearly document each AI system’s purpose, intended use, data sources, and evidence of training and validation processes. Without transparency, accountability becomes difficult.

Data inputs

Because AI outcomes depend heavily on underlying data, internal audit must also assess whether data inputs are accurate, complete, and appropriately protected. Weaknesses here can cause unreliable outputs, unintended consequences, or regulatory exposure.

Ethics, bias, and compliance

Evaluating fairness and bias is equally important, particularly in tools that influence customer interactions, hiring, lending, or other sensitive decisions. Compliance and ethical considerations are also becoming more central to AI assurance. As regulatory frameworks develop, companies must ensure AI deployments align with data protection laws, industry requirements, and responsible-use expectations. Internal audit plays a key role in confirming that governance frameworks are keeping pace with external scrutiny.

Performance, reliability, and usability

Internal audit should evaluate whether AI tools are operating consistently over time, producing dependable outputs and performing as expected under changing conditions. Companies should have mechanisms to monitor performance, benchmark results against defined standards, and identify when outputs may require review or intervention. Auditors should also consider how AI tools function in practice, including whether users understand the outputs and whether management has processes in place to validate results, troubleshoot issues, and act on AI-driven insights appropriately.
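As an added illustration of the monitoring mechanism described above (this is example code written for this page, not code from the article or from Sikich), the following script shows two checks management could be asked to evidence: a population stability index (PSI) comparison of a model input feature against its validation-time baseline, flagged with the widely used 0.1 and 0.25 rule-of-thumb thresholds, and a windowed accuracy check against a floor derived from the accuracy recorded at validation. All data, threshold values, and function names are constructed assumptions for the example.

```python
"""Added example: model-drift and performance-floor checks of the kind an
auditor can ask management to show evidence of. Not from the original
article; all sample data below is constructed."""
import math
import random

# Constructed sample data (an assumption, not from the article): a baseline
# feature distribution captured at validation, a later production sample that
# matches it, and one that has shifted in both mean and spread.
_rng = random.Random(7)
BASELINE = [_rng.gauss(0.0, 1.0) for _ in range(2000)]
CURRENT_STABLE = [_rng.gauss(0.0, 1.0) for _ in range(2000)]
CURRENT_SHIFTED = [_rng.gauss(0.8, 1.3) for _ in range(2000)]

# Constructed prediction log: 400 rows, correct for the first 300, then every
# third prediction wrong, to simulate a performance regression in production.
LABELS = [i % 2 for i in range(400)]
PREDICTIONS = [1 - y if i >= 300 and i % 3 == 0 else y
               for i, y in enumerate(LABELS)]

# Accuracy recorded at validation and the tolerance management agreed to
# (assumed values); together they define the floor that triggers review.
VALIDATED_ACCURACY = 0.95
TOLERANCE = 0.05


def quantile_edges(values, bins):
    """Interior bin edges taken from the baseline's own quantiles, so both
    samples are scored against the distribution the model was validated on."""
    s = sorted(values)
    n = len(s)
    return [s[min(int(i * n / bins), n - 1)] for i in range(1, bins)]


def histogram(values, edges):
    """Count values per bin; bin b holds values in [edges[b-1], edges[b])."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        b = 0
        while b < len(edges) and v >= edges[b]:
            b += 1
        counts[b] += 1
    return counts


def psi(baseline, current, bins=10, eps=1e-4):
    """Population Stability Index: sum((cur% - base%) * ln(cur% / base%)).
    eps keeps an empty bin from producing log(0)."""
    edges = quantile_edges(baseline, bins)
    base_counts = histogram(baseline, edges)
    cur_counts = histogram(current, edges)
    total = 0.0
    for bc, cc in zip(base_counts, cur_counts):
        bp = max(bc / len(baseline), eps)
        cp = max(cc / len(current), eps)
        total += (cp - bp) * math.log(cp / bp)
    return total


def drift_verdict(value):
    """Common rule-of-thumb bands for PSI; organisations should set their own."""
    if value < 0.1:
        return "stable"
    if value < 0.25:
        return "moderate"
    return "significant"


def rolling_accuracy_breaches(predictions, labels, window, floor):
    """Return (start_index, accuracy) for each non-overlapping window whose
    accuracy falls below the agreed floor, i.e. the outputs needing review."""
    breaches = []
    for start in range(0, len(predictions) - window + 1, window):
        seg = zip(predictions[start:start + window], labels[start:start + window])
        acc = sum(p == y for p, y in seg) / window
        if acc < floor:
            breaches.append((start, acc))
    return breaches


def run_checks():
    """Run both checks on the constructed data and return the findings."""
    floor = VALIDATED_ACCURACY - TOLERANCE
    return {
        "psi_stable": drift_verdict(psi(BASELINE, CURRENT_STABLE)),
        "psi_shifted": drift_verdict(psi(BASELINE, CURRENT_SHIFTED)),
        "accuracy_breaches": rolling_accuracy_breaches(PREDICTIONS, LABELS, 100, floor),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The point for an auditor is not the particular statistic but that a defined baseline, a defined threshold, and a record of breaches exist; where management cannot produce these, the "monitor performance and benchmark against defined standards" expectation above is not being met.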

Next steps: building sustainable AI assurance

Companies with strong AI assurance move beyond informal experimentation and establish clear visibility, ownership, controls and monitoring. Those that don’t do this risk relying on tools they don’t fully understand, data they haven’t properly governed, and outputs that haven’t been independently validated. 

A meaningful gap is emerging between what many companies believe they have under control and what’s actually happening in practice. While many are discussing policies or drafting governance frameworks, AI capabilities are often already embedded in business processes, vendor platforms, and employee workflows. Internal audit must play a more proactive role in closing this gap and helping the company build trust, accountability and effective oversight before risks become harder to contain. 

Sikich’s professionals help companies:

  • Assess AI governance maturity. 
  • Design and evaluate controls over AI-enabled processes. 
  • Provide assurance over emerging technology risks. 
  • Align governance frameworks with compliance and organizational objectives.

To learn how Sikich can support your company’s AI governance and technology assurance efforts, connect with our Internal Audit and Governance, Risk and Compliance teams today.

Author

Jesse Laseman, CIA, CFE, is an internal audit consultant on the Governance, Risk and Compliance team. He has experience executing audit engagements in industries such as financial services, government, not-for-profit and professional services. His expertise includes operational audits, data analysis and interpretation, internal control testing, and the development and implementation of internal control recommendations.