GenAI is making AI more transparent — but not by explaining the model. For years, explainability tools like SHAP and attention maps have helped approximate what contributes to a model's output. That work is valuable — and ongoing. But GenAI opens an entirely different path. 🔍 THE STRUCTURAL LIMIT For many high-performing models, the internal logic isn't human-legible. Post-hoc explainability can illuminate patterns, but it has structural limits — it doesn't fully satisfy auditors, reduce deployment costs, or lower the organizational barrier to AI adoption. ⚡ THE SHIFT Generative AI inverts the stack. Instead of asking a model to predict an outcome, we increasingly ask it to continuously generate the mechanism — working logic, algorithms, and decision rules expressed as code. The model is still a black box. But what it produces is often far more inspectable. DeepMind reports that AlphaEvolve (May 2025) generates human-readable scheduling code that recovered 0.7% of Google's global compute — deployed on standard infrastructure, no GPU inference servers required. The critical caveat: inspectable code can still be wrong or encode hidden assumptions. This paradigm requires rigorous validation — automated tests, security scanning, sandboxed execution, human review — in a continuous cycle. 🎯 THREE LENSES ON WHY THIS MATTERS → 💰 Economics: Deploying compiled algorithms eliminates inference GPU costs for those workloads. It shifts AI from CapEx-heavy to operationally lean. → ⚖️ Governance: For high-risk systems under the EU AI Act, inspectable code artifacts make traceability significantly easier to demonstrate. Auditors inspect actual decision logic — not probability distributions. → 👥 Organization: When AI outputs are versioned code, software engineers — not just ML specialists — can review and maintain them. It broadens who in your org can own and govern AI systems. 🔑 THE PRINCIPLE Use models at design time to generate deterministic, versioned artifacts. 
Use LLMs for orchestration. Deploy the artifacts into production — and reserve probabilistic inference for the narrow set of use cases where it's genuinely required. You get the creativity of frontier models with the auditability and cost profile of traditional software. ⚖️ THE NUANCE This shift is not universal — nor should it be. Vision, latency-sensitive decisions, and real-time NLP still need neural inference. Governance doesn't disappear — it shifts from "explain the model" to "validate the generated code." But for decision logic, scheduling, and business rules where specs are crisp and testable, this paradigm changes the economics, the risk profile, and the org design simultaneously. Where in your org could deploying generated code — instead of the model itself — change the cost structure and the governance conversation at the same time? #AI #AIGovernance #AIStrategy #EnterpriseAI
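The post above moves governance from "explain the model" to "validate the generated code". The following is an added example, not part of the original post or of any system it mentions. It sketches an admission gate that scans a generated artifact, runs spec tests, and records a content digest for versioning. The allowlist, the banned-call list, the `approve` function and the spec cases are all assumptions made for illustration.

```python
import ast
import hashlib

# Assumed policy for this sketch: generated decision logic may import only these modules.
ALLOWED_IMPORTS = {"math", "decimal", "datetime"}
BANNED_CALLS = {"eval", "exec", "compile", "open", "__import__", "getattr", "setattr"}

# Constructed samples of model-generated decision logic (not from any real system).
GENERATED_OK = '''
def approve(amount, risk_score):
    if risk_score >= 70:
        return False
    return amount <= 10000
'''
GENERATED_BAD = '''
import os
def approve(amount, risk_score):
    os.system("true")
    return eval("amount <= 10000")
'''

# Constructed spec cases a reviewer would sign off on: (args, expected result).
SPEC_CASES = [((5000, 10), True), ((5000, 70), False), ((10001, 0), False)]


def static_findings(source):
    """Return policy violations found by walking the AST of the generated source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [(node.module or "").split(".")[0]]
        else:
            names = []
        findings += [f"line {node.lineno}: import of '{n}'"
                     for n in names if n not in ALLOWED_IMPORTS]
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in BANNED_CALLS):
            findings.append(f"line {node.lineno}: call to '{node.func.id}'")
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"line {node.lineno}: dunder attribute '{node.attr}'")
    return findings


def admit(source, entry_point="approve"):
    """Gate an artifact: static scan, then spec tests, then a digest for versioning."""
    findings = static_findings(source)
    if findings:
        return {"admitted": False, "findings": findings, "sha256": None}
    namespace = {}
    # The static scan is not an isolation boundary; a real pipeline would run
    # this step inside a sandboxed process before any human review.
    exec(compile(source, "<generated>", "exec"), namespace)
    func = namespace[entry_point]
    failures = [f"{args} -> expected {want}"
                for args, want in SPEC_CASES if func(*args) != want]
    digest = hashlib.sha256(source.encode()).hexdigest()
    return {"admitted": not failures, "findings": failures,
            "sha256": None if failures else digest}
```

The digest returned for an admitted artifact is what a reviewer approves and what production pins, so a later change to the generated code is visible as a new version.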
GenAI Transformation in Audit Practices
Summary
GenAI transformation in audit practices refers to the integration of advanced generative artificial intelligence into auditing processes, making it possible to automate complex audit tasks, improve transparency, and strengthen data governance. By producing human-readable outputs and supporting continuous validation, GenAI is changing how organizations approach risk management and regulatory compliance in audits.
- Strengthen data tracking: Establish clear data lineage and provenance processes so you can trace the origin, movement, and transformation of data throughout your AI systems.
- Implement governance controls: Put robust governance frameworks in place for GenAI, including input validation, output filtering, monitoring, and named ownership for every step in the workflow.
- Streamline compliance checks: Regularly update audit procedures to include prompt logging, documentation, and automated validation steps that make it easier to meet evolving regulatory standards.
-
A CISO at a Singapore enterprise called me three weeks after their GenAI pilot went live. Their internal security audit had flagged 14 unresolved risks. Leadership was asking questions nobody had prepared for. Her exact words: “We built the AI. We forgot to govern it.” This is the most common GenAI conversation I’m having in 2026, especially with teams doing everything else right. They had: • AWS Bedrock live • Real users • Real business value What they didn’t have was a runtime governance layer. The audit findings: → No prompt injection protection → Sensitive customer data exposed to model context → Broad IAM roles from pilot still active in production → No logging of agent tool calls → No output guardrails → No runtime incident escalation plan 14 flags. Six weeks into production. Not incompetence. Just no governance checklist. Here’s the 7-control framework we implemented before scaling further: 1️⃣ Input validation Adversarial prompt patterns blocked at the API boundary. All inputs logged. 2️⃣ Data masking AWS Macie integrated. PII masked before entering model context. 3️⃣ Least-privilege IAM Service roles scoped to minimum required. Pilot-era admin access removed. 4️⃣ Tool-call audit trail Full logging of every agent invocation via LangSmith + CloudWatch. 5️⃣ Output filtering AWS Bedrock Guardrails configured. Sensitive outputs routed for review. 6️⃣ Runtime monitoring Drift detection + anomaly alerts with automatic incident timelines. 7️⃣ Named governance ownership Each control assigned to a specific person, not a committee. Six weeks after implementation: Zero new flags. At the 90-day review, the CISO said: “We can finally scale without looking over our shoulder.” The model didn’t change. The control layer did. For teams deploying GenAI on AWS or any cloud: Which of these 7 controls created the most internal resistance for you: technical complexity, budget, or ownership clarity? I’ve seen a consistent pattern across enterprises. Curious if yours matches it.
-
Dear AI Auditors, Data Lineage and Provenance in AI Audits Data lineage tracks how data moves and transforms through systems, providing a map of its journey, while data provenance details its origin, history, and the entities involved, establishing trust and accountability. Lineage helps with debugging and optimization of pipelines, whereas provenance is essential for validating data integrity, ensuring ethical sourcing, addressing copyright concerns, and demonstrating regulatory compliance for AI models. Every AI system is only as trustworthy as the data that powers it. The risk is very high if an organization can’t fully explain where its model training data comes from, how it’s transformed, or who is responsible for its quality. For AI auditors, this is a critical blind spot. Data lineage and provenance provide both technical details and are the backbone of AI audit evidence. If you can’t trace the journey of the data, you can’t confidently assure the reliability of the AI system. In practice, auditors should approach it as follows: 📌 Map the Data Flow End-to-End Trace data from its original source through collection, cleansing, labeling, storage, and ingestion into the model. A clear lineage map makes risks visible. 📌 Validate Data Sources Are these sources authorized and legitimate? Were they collected ethically and in compliance with privacy laws? Unauthorized or “grey area” data creates legal and reputational risk. 📌 Check Data Transformation Rules Transformation processes, cleaning, deduplication, enrichment, can introduce errors or bias. Auditors should verify that these steps are documented and consistently applied. 📌 Review Ownership and Accountability Every dataset should have a defined owner responsible for its accuracy and integrity. If ownership is unclear, the control environment is likely to be weak. 
📌 Assess Metadata and Provenance Records Metadata should capture when the data was collected, by whom, under what conditions, and with what permissions. Strong provenance records provide credible audit evidence. 📌 Evaluate Security of Data Pipelines Lineage isn’t just about accuracy; it’s about protection. Confirm whether encryption, access controls, and monitoring protect data across its lifecycle. 📌 Audit Data Retention and Disposal Old or irrelevant data should not remain in pipelines indefinitely. Review retention policies to make sure data is deleted or archived in accordance with compliance requirements. Without verifiable data lineage, every audit conclusion rests on shaky ground. Regulators increasingly demand proof of provenance, and customers expect transparency. Focusing on these helps organizations build trust in their AI systems and strengthen assurance. When the data story is clear, the audit story is strong. #AIAudit #DataLineage #AIControls #AITrust #ModelRisk #InternalAudit #DataGovernance #AIGovernance #AuditCommunity #RiskManagement #CyberYard #CyberVerge
-
The use-cases for AI and GenAI are truly limitless. One of the new ways Deloitte is leveraging #GenAI is by supporting internal audit teams in their development of #AI strategies and applied capabilities. Not only are these tools supporting teams in the day-to-day audit process, but they are allowing them to build toward future-state operating models. Here are a few of the ways Deloitte is offering AI-powered tools for the audit process: Dynamic Risk Assessments – We utilize AI to develop end-to-end assessment capabilities to create more proactive models, resulting in a dynamic and iterative #risk assessment lifecycle that evolves with the org’s needs. AI-on-Demand PODs – Our AI-on-Demand Product Oriented Delivery (POD) service delivery model consists of a team of engineers and designers to help clients develop customizable AI solutions that follow our Trustworthy AI Framework ™ (https://deloi.tt/3ywy7K8). Automated SOX Scoping – We work with our clients to utilize AI to increase efficiency and save time during the Sarbanes-Oxley (SOX) scoping process. The statistical algorithms we put into place help clients develop a more accurate and risk-aligned scope for their SOX programs. You can read more about how AI is changing the #audit landscape, here: https://deloi.tt/4d4xRBa Chris Griffin, Trevear Thomas, Dipti Gulati, Lynne Sterrett
-
🚨 Is your finance team using GenAI for journal entries, reconciliations, or board reports? My latest Substack article, GenAI Meets SOX: Audit-Proofing Your Finance Workflows, dives into why unchecked AI use is a compliance risk—and how to fix it. Regulators like the PCAOB and SEC are clear: AI outputs need traceable controls. From prompt logging to updated SOX narratives, learn five practical steps to keep your workflows audit-ready. 📥 Pro subscribers can download templates to streamline compliance. https://lnkd.in/eAThkJCh
-
Generative AI transforms how we work, learn, and solve problems. As auditors, we play a critical role in helping the organization balance innovation with risk. Here are some actionable steps to guide our organization, based on an article by Charles King in the Internal Auditor Magazine in December 2024: 1. Understand the Frameworks ↳ Familiarize yourself with AI risk management frameworks like NIST AI Risk Management Framework. ↳ This knowledge helps you assess AI risks effectively. 2. Establish Clear Policies ↳ Create an acceptable use policy for GenAI. ↳ Include what tools can be used, what data is allowed, and the usage limits. 3. Prioritize Training ↳ Employees need to understand both the benefits and risks of GenAI. ↳ Train them to use GenAI tools responsibly and to spot inaccuracies. 4. Use Secure Tools ↳ Enterprise-grade GenAI solutions offer better security. 5. Monitor and Adapt ↳ Implement systems to review GenAI usage regularly. ↳ Identify misuse, update policies, and adapt to new risks. What’s your favorite GenAI tool? Share in the comments. Reference: King, Charles. 2024. A Guide to GenAI. Internal Auditor Magazine December 2024 #internalaudit #ITaudit #digitaltransformation
-
If you’re a finance leader and the GenAI black box has you worried about accuracy, repeatability, and controls, transform that unease to confidence and familiarity with these steps ⬇️ AI technologies like Klarity, Numeric, Trullion and others, offer impressive ROI, however in the world of accounting and finance, knowing what lies beneath the surface is mandatory as you adopt new tech. THE KEY CONSIDERATIONS 🛡️ 📝 Traceability The ability to trace outputs to original source materials and trace actions. Questions to ask: - Does the AI provide a detailed audit trail and the ability to find data in source documents? - Can you trace actions performed by users or the systems including changes made, who made these and the date/time of these actions? 💡 Transparency The ability to understand the AI’s decision-making processes or to reperform it. Questions to ask: - How does the AI make its decisions? - Are these clearly defined? - Can a user specifically define the logic? - Can a user reperform the logic and get the same outcome? 🤖 AI Confidence The ability to understand the AI’s confidence in its decisions. Questions to ask: - Does the AI provide confidence scores? - Can it explain them? - Can you manage or define confidence levels? - Can users easily make corrections? 🔄 AI Integrated Controls Automated processes within the AI to validate decisions & outcomes. Questions to ask: - What steps or procedures are embedded within the technology to improve levels of accuracy? - How does the AI learn and improve over time? IMPLEMENT LIKE A PRO 📋 Enhanced Evaluation Build out your technology evaluation process to include explicit questions on the above considerations. Dig into these! 👥 Human in the Loop Identify key decision points in the process and establish manual reviews to validate AI outputs. 📝 Audit Trails Map out the entire process from start to finish. 
Ensure detailed documentation is created and maintained to support data inputs, AI’s decision rationale, and manual updates. ✔️ Continuous Monitoring Establish regular monitoring and control points to address the evolutionary nature of AI. Your human in the loop processes may be a very good way of providing regular comfort in the technology (at least as it relates to accuracy of outputs). FREE ENTERPRISE-GRADE TOOL Explore our GenAI Governance Framework [https://lnkd.in/gGjVrqiv] and learn how our Transparency, Accountability, and Continuous Improvement domain provides essential safeguards. Stay ahead in the AI game and safeguard your tech future! Connect with me, Jason Pikoos, to explore the full potential of our framework for your organization.
-
🚨 AI in Audit: Transformation or Disruption? AI isn’t replacing auditors, it’s elevating them. From transcription and risk scoring to contract reviews and agentic orchestration, AI is remapping the internal audit lifecycle. Yet most teams are still testing the waters. Protiviti's white paper outlines what the future demands: a blend of smart systems, skilled auditors, and governance that moves at the pace of innovation. This report is a must-read for: Chief Audit Executives, Risk Leaders, Internal Auditors, CFOs, and anyone shaping the future of assurance in the AI era. 🔍 Highlights & Signals: 🧠 Audit is being redefined from checklist to catalyst • AI helps identify risk patterns, not just confirm controls • Strategic insights > compliance tasks • Human-in-the-loop is essential; oversight doesn’t go away ⚙️ The Rise of Agentic AI in Audit • Think beyond automation. AI now plans, acts, and adapts • Audit agents extract, test, and report data while humans steer. • 64% of auditors are exploring agentic adoption in 2025 📈 Use Cases That Scale Now • Auto-generate reports, prep interviews, extract risk patterns • Speed up contract reviews and risk assessments • Run complete audit cycles with digital agents + human oversight 🔁 Talent + Tech = True Readiness • Soft skills + tech fluency will define the new audit profile • Talent stacking, microlearning, and role reinvention are urgent 🔐 Governance That Keeps Up • Ethics, transparency, and human oversight must scale with adoption • Treat AI agents like digital employees with accountability and metrics 🚀 Start Small, Scale Smart • Pilot > Reflect > Expand • Innovation isn’t an edge case, it’s expected • Auditors must secure a seat at the AI governance table 📌 Bottom line: Internal audit is no longer just about compliance, it’s transforming into a strategic value creator. 
Fueled by agentic AI, it’s swiftly becoming a key competitive advantage for forward-thinking organizations ❓What part of your audit process is still waiting for its AI moment? ChandraKumar R Pillai|Prof. Dr. Ingrid Vasiliu-Feltes|Helen Yu|JOY CASE|Antonio Grasso|Nicolas Babin| Dr. Khulood Almani🇸🇦| Alberto Espinosa Machado|Phillip J Mostert| Sara Simmonds lNSN Murty| Neville Gaunt| Anthony Rochand |Olivier LABORDE|Prasanna Lohar|Shalini Rao #AI #AgenticAI #CFO #InternalAudit #RiskManagement #AuditInnovation #FutureOfAudit #Governance #TrustTech #leadership
-
Is Internal Audit ready for 2026? 🚀 In a comment on one of my recent posts, Brian Parrino asked what was in my "crystal ball" 🔮 for IA in 2026. Thought I'd elaborate on my response and look forward to hearing your thoughts 🤔 Here goes... The "Agentic Evolution" is moving fast ⚡, and the IA landscape is set for a massive shift. Here are 5 things I expect to see across the profession in 2026: 1️⃣ Digital Workers Join the Org Chart 🖇️: Expect to see AI agents and agent teams being orchestrated by humans as formal members of the IA function. 2️⃣ Beyond "Basic" GenAI ⚙️: Leading functions will move past simple AI tools to fully integrated agentic workflows across the entire IA lifecycle. 3️⃣ Deepened Assurance & Blended Lines 🤝: IA will use unlocked capacity to broaden coverage and coordinate more closely with other assurance functions, evolving how advisory and assurance are provided. 4️⃣ The Talent Revolution 🧠: Strategies will shift rapidly to upskill auditors in two critical areas: technical acumen and humanistic skills like critical thinking and empathy. (Early results from a recent poll I posted suggest Upskilling Talent as a top priority: https://lnkd.in/g-CTF9iT) 5️⃣ IA as Transformation Advisors 🧭: Teams will "lean-in" to provide advisory support and insights on major transformation programs, including AI adoption and tech modernization. The future of IA isn't just about better tools—it's about a fundamental evolution of our role and impact. I'd love to hear your thoughts, let’s discuss in the comments! 👇 (Slide reel courtesy of Google's NotebookLM) #InternalAudit #FutureOfWork #GenerativeAI #AuditInnovation #Leadership #TechTransformation
-
At the Center for Audit Quality (CAQ), we have been monitoring the rapid rise and integration of #GenerativeAI in financial reporting. However groundbreaking this new technology is, the profession must consider the impact #GenAI may have on organizational functions and the financial reporting process. While companies use #GenAI to streamline certain processes, rapid integration can lead to increased risks and vulnerabilities. With these changes, audit committees are crucial in ensuring effective governance. To help audit committee members better exercise oversight responsibilities over #GenAI, the CAQ’s “Audit Committee Oversight in the Age of Generative AI” can be used as a resource in navigating this new landscape. Take a look: https://lnkd.in/eXvAuAC8