7 Best Practices for Implementing Analytics and AI in Your Bank Internal Audit Program
As auditors in the banking industry navigate an ever-evolving and complex regulatory ecosystem, advanced audit analytics and artificial intelligence (AI) technologies offer teams not just a competitive advantage from a recruiting standpoint, but also a strategic advantage by automating aspects of the audit lifecycle and creating valuable efficiencies. However, significant risks may accompany these benefits, underscoring the importance of building strong security controls and internal processes when implementing these tools alongside robust hiring, educating, and training initiatives.
AuditBoard’s guide, Future Forward: Analytics and AI Strategies for Bank Internal Audit Teams, provides actionable insights on effectively implementing these tools while proactively mitigating their associated risks. Download the full guide here, and continue reading to learn best practices for implementing advanced analytics and AI in your bank internal audit team in accordance with your organization’s policies and guidance.
1. Build a strong case for why you want to bring analytics and/or AI applications into your internal audit function.
Set clear objectives, ideally tied to your internal audit strategy, for what you aim to achieve using analytics and AI. One example is helping the first line automate manual aspects of their regulatory compliance work, such as controls monitoring, so they can focus on higher-value tasks. Another common use case is using analytics and automation to create greater assurance around regulatory requirements. In addition to your objectives, it can be helpful to provide the following when making the case for implementing analytics and/or AI:
- POCs demonstrating how the analytics will work.
- Clear examples of how the bank’s sensitive data will be used.
- Examples of questions you want to answer using analytics.
- Examples of how automation enhances internal audit’s ability to support the business’s key strategic objectives.
2. Ensure your data is clean.
To mitigate against feeding incomplete or inaccurate data to your analytics and/or AI applications, take the necessary steps to ensure your data is clean and ready for use. Ahead of implementing an analytics or AI solution, internal audit should engage with other groups in the business to consolidate and cleanse organization-wide risk and control data. To prepare your data for use, you’ll need to have:
1) Data cleaning procedures.
2) Data validation procedures for completeness and accuracy.
3) Questions to ask your data.
3. Invest in people.
Technology alone is not enough. An investment in analytics and AI technology should be more than just developing or buying a tool; it should also be an investment in the people who will be using and maintaining these technologies.
- Analytics: Make sure you have the right employee(s) who can perform the data analysis — either via hiring or upskilling — and train the rest of your team to be comfortable using that analysis. Every internal audit team looks different; some have existing resources that can support analytics, while others may need to hire a consulting firm and/or rely on a technology partner to round out the expertise required to effectively deploy and manage the analytics.
- AI: Prioritize training/education as well as adopting safe enterprise AI options for employees, for instance, purpose-built domain AI or an LLM such as ChatGPT Enterprise. Team-wide training is essential to educate stakeholders on AI use cases in audit, as well as AI’s limitations and weaknesses. Allocate a specific time in the week to make an hour of AI education/training a priority for your team, and hold your team accountable to it. Training topics can include:
- The importance of having an audit practitioner verify AI results.
- Exercising caution regarding sensitive business information.
- Refraining from entrusting non-vetted AI systems with such data.
4. Invest in processes.
You might have a great analytics solution in place and the right people in charge of using it, but without an overarching process around your analytics program, it will likely falter at some point. Having a concrete strategy that can be executed around your analytics, as well as repeatable processes where it can be applied, gives the program longevity. For example, when implementing audit analytics:
- Start with areas of repetition. IT General Controls (ITGCs) and annual recurring audits such as BSA/AML are a great place to start.
- Have a triage process to prioritize your projects. Once an analytics solution is working and adding value, requests can come flooding in. Implementing a framework for triaging your analytics projects can help your audit analyst prioritize which projects have the greatest impact or highest risk so they can focus on those first.
5. Develop strong data privacy, quality, and governance controls.
Prioritize creating a strong internal control environment around your analytics/AI program from the beginning. While formal compliance standards around AI are relatively new (the world’s first standard on AI management systems, ISO 42001, was published in December 2023), there is a growing movement in the EU and US to develop standards, tools, and tests to help ensure that AI systems are safe, secure, and trustworthy. The IIA released its first AI Auditing Framework in 2017, which it last updated in 2023. In addition, many information security frameworks will likely begin to expand their standards to include more guidelines for AI in the near future. In the meantime, to put strong policies and procedures in place for your analytics/AI programs from day 1, engage your InfoSec team, SOX team, or a consulting partner to utilize their breadth of knowledge and expertise in IT and information security frameworks such as ISO 27001, SOC 2, and NIST.
6. Prioritize ease of use when vetting technology solutions.
An application must first demonstrate its ability to solve for your audit team’s automation and workflow needs. Beyond this key requirement, it is important to prioritize ease of use. The more user-friendly an application is, the higher the likelihood it will be adopted by your audit team. One anecdotal example is generative AI chatbots; one of the reasons apps like ChatGPT have been picked up so quickly by the general public is that they are easy and intuitive to use. Analytics tools in particular have a reputation among auditors for being code-heavy and difficult to operate for non-technical users.
If most of your analytics users will be auditors with little to moderate technological expertise, opting for a low-code or no-code analytics solution (i.e. designed for users with no data science or analytics backgrounds) can significantly improve your chances of high adoption rates. The following checklist describes features audit decision-makers should consider when researching analytics applications:
7. Conduct strict vendor due diligence.
There is a common perception among audit practitioners that the safest option for analytics and AI is self-hosting. However, developing your analytics/AI in-house may not always be safer than working with an external technology partner — especially if your business does not have sufficient resources to build secure systems and train models to the highest level of performance and security. In these instances, performing vendor due diligence can help you prioritize security and protect your business’s data, while also enabling your internal audit team to experience the benefits of analytics, AI, and automation. Work closely with your InfoSec and IT teams to vet prospective vendors and provide up-to-date IT questionnaires.
Analytics Security Considerations
- Vendor follows a robust TPRM process validated as part of SOC 2, ISO, and other industry-recognized security certifications
- The audit practitioner retains full control over the selection and utilization of data analytics results, ensuring that an auditor is always required to review and validate which findings are recorded and applied
- Vendor demonstrates robust quality control across their IT infrastructure, e.g., access controls, data encryption, etc.
AI Security Considerations
- Vendor due diligence on data privacy and security (don’t expose sensitive data)
- Vendor due diligence on data usage (don’t train on sensitive data)
- Vendor due diligence on practitioner control (user validation/sign-off)
- Vendor due diligence on training data source
- Vendor due diligence on fact-check features and data staleness
- Mitigate against non-vetted AI usage by enabling safe AI options
- Train users on appropriate AI usage
- Familiarize yourself with available governance frameworks and standards such as ISO Standard 42001:2023
One way to start on the right foot is by working with a technology partner with a proven track record of safely and successfully helping audit teams streamline their audit workflows. Ultimately, by adopting analytics and AI solutions with a keen focus on security and responsible implementation, auditors can empower their institutions to chart a proactive course towards operational efficiency and continuous compliance. To learn more, download the full guide, Future Forward: Analytics and AI Strategies for Bank Internal Audit Teams.