Decades ago, it was unimaginable that videos could be automatically edited within minutes or that books could be written in a matter of seconds. But with the advancement of Generative AI (Gen AI), the business world is undergoing rapid transformation.
Does Gen AI also impact the IS audit profession? The answer is absolutely “Yes.”
I suggest the following approach to enhance the efficiency and effectiveness of applying Gen AI in the IS audit industry.
In future IS audit engagements, Generative AI is poised to do more than simply provide binary responses of “Yes” or “No.” It will offer justifications for the effectiveness of control activities based on its professional judgment. Given the potential for misleading conclusions, training in professional judgment is crucial. I recommend that during training of Gen AI for IS audit purposes, organizations provide ample data from previous engagements for study, and such data needs to be examined to ensure its data quality is accurate and usable. This approach will facilitate the development of its professional judgment. Although time-consuming, this investment promises significant rewards in the long-term.
Furthermore, professional judgment training for Gen AI is not a one-time initiative. Continuous training is imperative due to the perpetual evolution of requirements and standards. Without ongoing training, Gen AI runs the risk of deriving inappropriate conclusions or overlooking critical control activities.
In the concluding phase of the IS audit, the working papers require thorough examination by human reviewers to guarantee the accuracy and completeness of the conclusions drawn, thereby mitigating the potential for misinterpretation by the Gen AI. I recommend that human users assume ultimate responsibility for the IS audit, as Gen AI cannot be held accountable in a legal context.
Another concern relates to privacy issues. While preparing the data for the Gen AI training, I recommend bearing in mind that to comply with national and local legislation strictly, obtain related parties’ consent, anonymize the information provided by related parties, and ensure secure data storage and transfer. Such measures can help enterprises prevent financial, legal and reputational risks.
In a nutshell, although there are some risks applying Gen AI into IS audit, we also have to recognize and capitalize on the opportunities. I cannot wait to see how Gen AI will make an impact into our IS audit Industry. I can assure that the story will be rewritten soon.
Editor’s note: For further insights on this topic, read Rui Feng Isaac Lee’s ISACA Journal article, “Exploring Opportunities and Challenges: An IS Audit Perspective on Generative AI Adoption.”
