AI appears to be ubiquitous; you check LinkedIn and find a post about it, stroll through an airport and there are signs all over advertising it, or launch your social media app and a prompt is right there. Having worked in information technology for more than 25 years, I’ve observed several trends come and go, but AI is the one that is the one that is starting to make a lasting impact. Like any technology, the implementation and use of AI comes with a range of risks. These include traditional technology concerns such as security, access control, change management, continuity, and system operations. Additionally, AI introduces a new array of risks, including bias and discrimination, transparency issues, misinformation, and ethical dilemmas.

In an effort to mitigate some of the risks of the use of AI, increasingly we are seeing legislation and regulations being introduced to govern the use of AI across various nations, some of the legislation that has been introduced includes (with more to come):

• Responsible Use of AI in Government Policy (Australia)
• AI Act (EU)
• The Artificial Intelligence and Data Act (Canada)
• American Data Privacy and Protection Act, Section 207 (US)
• Internet Information Service Algorithm Recommendation Management Regulations (China)

The convergence of these risk factors and compliance requirements has significantly accelerated the demand for highly skilled auditors with specialised expertise in artificial intelligence. As organisations increasingly integrate AI technologies into their operations, they will require auditors who not only understand traditional auditing principles but also possess a deep knowledge of AI systems and their implications. This expertise is essential for ensuring that AI implementations are both effective and compliant with evolving regulations, ultimately fostering trust and accountability in AI-driven decision-making processes.

Because of the risks associated with the use of technologies the role of the IT auditor has always been important to any organisations use of technology.  IT auditors help organisations maintain compliance with regulations, safeguard sensitive data, and enhance overall operational effectiveness. Founded over 50 years ago as the EDP Auditors Association, ISACA was created to support professionals in the IT audit field by providing opportunities for upskilling and ensuring they possess the necessary competencies to excel in their roles.

I have been fortunate to volunteer with ISACA for several years. My journey began in 2008 when I was elected to the board of the ISACA Canberra Chapter, where I dedicated 11 years of service, including a two-year term as chapter president. In 2016, I began participating in various global working groups composed of Subject Matter Experts (SMEs) from around the world. Additionally, I contributed to the development and review of several ISACA publications.

As a long standing ISACA member and volunteer I am pleased that ISACA have responded to the need to upskill the IT audit profession in regards AI.  Over the last two years I have been very privileged to have been invited to participate in two critical initiatives from ISACA.

The first was the development of the ISACA AI Audit Toolkit, I was an expert reviewer of this product.  It may be a biased view but I believe this is one of the best products ISACA has ever produced. It looks a little a different to the traditional audit programs that ISACA has produced in that it introduces a controls library, this outlines a suite of better practice controls that would be expected in an AI system and then guidance on how you would go about auditing each of them.  The controls cover both controls to mitigate traditional risks such as data protection, business continuity and change management but it goes further to risk areas unique to AI such as bias & fairness, ethical governance and human interactions.  The controls are also aligned with regulatory requirements to facilitate compliance.

My colleagues at Anchoram and I can assist organisations in effectively auditing their AI systems by providing tailored guidance on implementing the controls outlined in the toolkit. This includes helping to assess the maturity of existing AI governance frameworks, identifying potential gaps in compliance with ethical standards, and ensuring that bias and fairness considerations are integrated into the auditing process. By leveraging our expertise, organisations can enhance their AI auditing practices, ensuring they not only meet regulatory requirements but also uphold ethical standards and foster trust in their AI initiatives.

The second initiative I participated in was as a member of the ISACA Advanced AI Auditing (AAIA) Certification Working Group.  The AAIA™—Advanced in AI Audit™ | ISACA recently went live. Myself and a small group of SME volunteer colleagues from across the world worked with the ISACA staff from the inception of this certification.  This has been one of the most rewarding experiences of my career, as I have had the privilege of learning about AI concepts and risks, as well as auditing approaches, from colleagues across the globe.  Engaging with diverse perspectives has enriched my understanding of the complexities involved in AI auditing and has inspired me to think critically about best practices in the field. Additionally, collaborating with such a talented group of professionals has fostered a sense of community and shared purpose, reinforcing the importance of ethical governance in AI initiatives.

From these two experience I am equipped with in-depth knowledge of the latest standards and best practices in AI auditing, the insights I’ve gained from collaborating with subject matter experts from around the world enable me to provide organisations with a comprehensive understanding of the diverse challenges and risks associated with AI systems. This global perspective allows Anchoram to help organisations identify potential vulnerabilities and implement robust controls tailored to their specific needs.

Furthermore, Anchoram’s commitment to ethical governance in AI initiatives can guide organisations in establishing frameworks that not only comply with regulatory requirements but also promote transparency and accountability. By leveraging our experience, organisations can foster a culture of responsible AI use, ultimately building trust with stakeholders and enhancing their overall risk management strategies.