A U D I T A N D A S S U R A N C E

AUDITING
ARTIFICI AL
INTELLIGENCE
 2 AUDITING ARTIFICIAL INTELLIGENCE

CONTENTS
4 Potential Impact of Artificial Intelligence
on Organizations
4 Why Should Auditors Care About AI?
​4 ​ /​Challenges​for​the​Auditor
​6 /​Mapping​COBIT​to​Strategy:​A​Visual​
Representation​of​How​to​Apply​COBIT ® 2019​
in​the​Auditing​of​AI
​8 ​ /​Challenges​and​Solutions​for​the​AI​Auditor
9 Conclusion
10 Resources and References for Auditing AI
12 Acknowledgments

© 2018 ISACA. All Rights Reserved.

3 AUDITING ARTIFICIAL INTELLIGENCE

ABSTRACT
There​are​many​potential​challenges​for​IT​auditors​preparing​to​equip​themselves​to
audit​artificial​intelligence​(AI).​But​solutions​do​exist​that​can​transform​challenges​into
successes.​This​white​paper​focuses​on​what​auditors​need​to​know​as​they​prepare​to
focus​on​AI.​It​explores​the​definition​of​AI,​describes​the​challenges​of​auditing​AI,​and
discusses​how​the​current​version​of​COBIT® (COBIT® 2019)​can​be​leveraged​to​audit​AI.
Additionally,​it​identifies​other​frameworks​that​are​also​relevant​today.​Auditors​will
explore​initial​keys​to​successfully​auditing​AI​and​uncover​relevant​references.

© 2018 ISACA. All Rights Reserved.

 4 AUDITING ARTIFICIAL INTELLIGENCE

Potential Impact of Artificial

Intelligence on Organizations
There​are​many​truths​and​half-truths​out​there
concerning​the​impact​that​AI​will​have​across​a​range​of
industries​and​professions.​Some​industries​have​adopted
elements​of​the​technology​faster​than​others,​with
varying​degrees​of​success​and​challenges.​Given​the
hype​surrounding​AI​we​can​be​certain​that​there​will​be​a
significant​impact​on​many​areas​in​the​business​world
for​the​foreseeable​future.​AI​will​have​a​far-reaching
impact​on​the​audit​profession​as​well,​given​auditors’
need​to​provide​assurance​around​it.​The​purpose​of​this
paper​is​to​prepare​auditors​for​what​to​expect​and​how​to
approach​AI​in​a​real-world​audit​scenario.

Why Should Auditors Care About AI?

Like​many​complex​emerging​technologies,​AI​is​defined represented​in​the​smaller​circles.​Machine​learning​is​a​subset

in​many​ways,​by​many​experts.​Whereas​the​ISACA of​AI​in​that​it​focuses​on​machines’​ability​to​receive​a​set​of

research​team​has​elected​to​retain​flexibility​in​the data​and​learn​for​themselves,​changing​their​algorithms​as

definition,​due​to​the​technology’s​ever-changing​scope needed​as​they​learn​more​about​the​information​they​are

and​context,​one​general​definition​can​serve​as​an processing.3

indicator​as​to​the​nature​and​purpose​of​AI.​Russell​and
3

• AI does not operate based on a set of predetermined rules.

Norvig,​two​of​the​leading​minds​in​the​field,​call​AI​the Predetermined rules are associated with traditional software

study​of​“intelligent​agents,”​devices​that​perceive​their engineering. However, an excessive number of rules tends to

environment​and​take​actions​that​maximize​their​chance inhibit the technology’s ability to learn and adapt to its

of​successfully​achieving​their​goals. 1 1
circumstances. Therefore, AI does not always operate based

Two​other​concepts​may​also​be​helpful​in​understanding
on a predefined set of rules.

AI:
Challenges for the Auditor
• ​AI may be envisioned as a large circle with several smaller
Tractica​Research​expects​AI​software​revenue​to​grow
circles within it. AI,​which​is​machines​carrying​out​tasks​based
from​US​$3.2​billion​in​2016​to​US​$89.9​billion​by​2025.4
4

on​algorithms​in​an​“intelligent”​manner,2 is​the​large​circle;
With​the​support​of​adjacent​technologies​(such​as​cloud
2

other,​more​specific​types​of​AI,​such​as​machine​learning,​are
computing​and​storage),​AI​has​emerged​from​the​so-
called​“AI​winter”​of​2010​to​garner​up​to​US​$40​billion​of

1
Russell,​S.;​P.​Norvig;​Artificial Intelligence: A Modern Approach (3rd Edition),​Pearson,​USA,​2009,​https://www.pearson.com/us/higher-
education/program/Russell-Artificial-Intelligence-A-Modern-Approach-3rd-Edition/PGM156683.html
2
Venkatesan,​M.;​“Artificial​Intelligence​vs.​Machine​Learning​vs.​Deep​Learning,”​Data​Science​Central,​7​May​2018,
https://www.datasciencecentral.com/profiles/blogs/artificial-intelligence-vs-machine-learning-vs-deep-learning
2

3
Ibid.
Tractica​Research,​“Artificial​Intelligence​Software​Market​to​Reach​$89.8​Billion​in​Annual​Worldwide​Revenue​by​2025,”​21​December​2017,
3

https://www.tractica.com/newsroom/press-releases/artificial-intelligence-software-market-to-reach-89-8-billion-in-annual-worldwide-revenue-by-2025
4

© 2018 ISACA. All Rights Reserved.

 5 AUDITING ARTIFICIAL INTELLIGENCE

investment​capital,​at​the​same​time​production source​of​audit​challenges.​However,​this​assumes​that
deployments​have​been​limited. 5
traditional​technology​auditors​are​responsible​for
auditing​algorithms.​This​is​not​the​case.​IT​auditors
5

AI’s​rise​has​been​accompanied​by​the​traditional​lag​time
should​look​at​the​governance​of​AI​and​the​integration
between​early​adoption​and​the​establishment​of​regulatory
among​systems.​Although​the​algorithms​should​be
and​compliance​frameworks.​There​is,​for​example,​no
audited​by​model​specialists,​auditors​having​a​basic
mature​auditing​framework​in​place​detailing​AI
understanding​of​the​would​be​beneficial.​In​fact,​auditors
subprocesses,​nor​are​there​any​AI-specific​regulations,
already​do​so,​using​information​in​regulations​such​as​US
standards​or​mandates.​Clark​pioneered​the​cross-industry
Office​of​the​Comptroller​of​the​Currency​(OCC)​2011-12.
process​for​data​mining​(CRISP-DM)​framework​in​early
2018,​but​individual​auditors​are​challenged​with​how​to There​are​also​claims​the​challenge​is​due​to​a​lack​of
perform​audits​successfully​when​there​are​virtually​no academic​research​and​industry​publications​on​the​topic.
widely​adopted​precedents​for​handling​AI​use​cases.6 This,​too,​is​inaccurate.​There​is​a​considerable​amount​of
research,​but​it​is​highly​technical​and​not​typically​aimed
6

In​addition​to​a​lack​of​explicit​audit​standards​around​AI,
at​the​traditional​auditor.​Historically,​traditional​IT​auditors
there​are​additional​challenges​impacting​the​audit
have​looked​at​governance​and​integration,​without​diving
process.​As​previously​noted,​the​definition​of​AI​is
deeply​into​algorithms.
frequently​debated​and​the​IT​world,​including​auditors,
has​not​reached​a​common​definition​or​taxonomy​on Most​enterprises​have​not​yet​begun​to​think​about​how​AI
which​to​specify​a​set​of​world-class​practices. may​play​a​role​in​their​businesses,​so​they​are​unlikely​to
have​a​documented​plan​to​align​AI​use​cases​to​the
Moreover,​AI​systems​and​solutions​vary​widely​from​each
business​or​to​recognize​return​on​AI​investments.
other,​and​the​vast​set​of​existing​and​emerging
However,​if​they​do​decide​to​adopt​AI,​executives​will
technologies​foundational​to​AI​architecture​give​birth​to
demand​clarity​of​a​higher​order​as​they​begin​their​efforts
complex​systems.​This​complexity​points​to​a​high
to​develop​an​effective​AI​strategy.​Because​the​business
likelihood​of​uncertainty​around​the​scope​of​AI​within​the
case​and​strategy​documents​represent​typical​starting
business.​Despite​this​uncertainty​in​the​business,
points​on​the​AI​journey,​auditors​will​be​challenged​to
auditors​are​fairly​well​positioned​to​take​on​their
cascade​down​the​COBIT® 2019​hierarchy​from​the
responsibilities​relative​to​AI.​Good​technology​auditors
strategic​to​the​tactical​parts​of​the​audit.
are​already​likely​to​possess​enough​skill​and
understanding​to​effectively​assess​AI​in​the​enterprise. In​sum,​IT​auditors​should​not​go​down​the​path​of
overthinking​the​challenges​of​auditing​AI.​Reflecting​on
In​addition,​the​complexity​of​AI​and​the​shortage​of
how​they​first​audited​cloud​computing​or​cybersecurity
qualified​data​scientists​will​routinely​lead​to​the
should​provide​them​with​a​useful​frame​of​reference.​For
outsourcing​of​AI​development​projects​to​one​or​more
example,​it​is​unlikely​they​examined​all​the​protocols​in
third-party​resources.​A​coherent​understanding​of
depth​and​tested​that​the​Open​Systems​Interconnection
enterprise​AI​will​be​dispersed—and,​over​time,​perhaps
(OSI)​layer​5​implementation​was​functioning
even​lost—across​tiers​of​AI​providers.​This​will
appropriately.​Instead,​with​AI,​as​with​those​previous​new
subsequently​increase​the​challenge​for​the​AI​auditor.
technologies,​auditors​will​focus​on​the​controls​and
While​there​will​undoubtedly​be​challenges​for​AI​auditors governance​structures​that​are​in​place​and​determine
as​they​ramp​up​for​their​new​responsibilities,​the​situation that​they​are​operating​effectively.​Auditors​can​provide
is​not​as​dire​as​might​be​assumed.​The​“black​box”​effect some​assurance​by​focusing​on​the​business​and​IT
often​ascribed​to​machine​learning​is​often​cited​as​a governance​aspects.

5
Bughin,​J.;​E.​Hazan;​S.​Ramaswamy;​M.​Chui;​T.​Allas;​P.​Dahlstrom;​N.​Henke;​M.​Trench;​“Artificial​Intelligence:​The​Next​Digital​Frontier?”​
McKinsey​Global​Institute,​June​2017,
5

https://www.mckinsey.com/~/media/McKinsey/Industries/Advanced%20Electronics/Our%20Insights/How%20artificial%20intelligence%20can
%20deliver%20real%20value%20to%20companies/MGI-Artificial-Intelligence-Discussion-paper.ashx
6
Clark,​A.;​“The​Machine​Learning​Audit—CRISP-DM​Framework,”​ISACA® Journal,​vol.​1,​2018,​https://www.isaca.org/Journal/archives/2018/
Volume-1/Pages/the-machine-learning-audit-crisp-dm-framework.aspx
6

© 2018 ISACA. All Rights Reserved.

 6 AUDITING ARTIFICIAL INTELLIGENCE

Mapping COBIT to Strategy: A areas​of​risk​should​then​be​compiled​in​a​document​such

Visual Representation of How

as​a​risk​and​control​matrix​(RCM),​which​lists​each​risk
and​related​controls.​COBIT® 2019​provides​a​good
to Apply COBIT® 2019 in the framework​for​considering​the​risk​of​any​initiative​or

Auditing of AI process​within​an​organization.​

As​the​application​of​AI​in​the​business​world​is​still​in​its
early​stages,​there​is​limited​guidance​on​how​to​approach
auditing​an​AI​initiative​for​an​organization.​Therefore,​this
example​leverages​ISACA’s​COBIT® 2019​framework​as​a
starting​point.​The​COBIT® 2019​framework​provides​the
auditor​with​tools—including​process​descriptions,​desired
outcomes,​base​practices​and​work​products​across
virtually​all​the​IT​domains—to​enable​the​auditor​to
provide​assurance​over​the​AI​initiative​for​any
organization.
A​starting​point​for​an​audit​of​an​organization’s​AI​is​to
define​the​scope​and​objectives​of​the​audit​and​consider
risk​to​the​organization​related​to​the​AI​initiative.​These
There​are​several​examples​of​risk​related​to​AI​strategy:
• ​Lack​of​alignment​between​IT​plans​and​business​needs
• ​IT​plans​that​are​inconsistent​with​the​organization’s
expectations​or​requirements
• ​Improper​translation​of​IT​tactical​plans​from​the​IT​strategic
plans
• ​Ineffective​governance​structures​that​fail​to​ensure
accountability​and​responsibility​for​IT​processes​related​to​the
AI​function
Figure 1 highlights​several​examples​of​processes​within
COBIT® 2019​that​may​provide​help​in​compiling​a​list​of
risks​and​controls​for​the​AI​initiative​within​an
organization.​

FIGURE 1: Select​COBIT ® 2019​Governance​and​Management​Objectives​Relevant​to​AI​Risk​and​Controls​Review

EDM01—Ensured
Governance EDM02—Ensured EDM03—Ensured EDM04—Ensured EDM05—Ensured
Framework Setting Benefits Delivery Risk Optimization Resource Stakeholder
and Maintenance Optimization Engagement

EDM01 Ensured Governance

Framework Setting and Maintenance
EDM01.02 Direct the governance system.
EDM01.03 Monitor the governance system. APO01—Managed APO02—Managed APO03—Managed APO06—Managed APO07—Managed
I&T Management APO04—Managed APO05—Managed
Strategy Enterprise Innovation Portfolio Budget and Costs Human Resources
Framework Architecture MEA01—Managed
Performance and
Conformance
Monitoring
APO09—Managed APO12—Managed APO13—Managed APO14—Managed
APO08—Managed Service APO10—Managed APO11—Managed
Relationships Vendors Quality Risk Security Data
APO02 Managed Strategy Agreements

APO02.03 Define target digital capabilities.

APO02.04 Conduct a gap analysis.
APO02.05 Define the strategic plan and
road map. MEA02—Managed
System of Internal
BAI03—Managed BAI04—Managed BAI07—Managed Control
BAI01—Managed BAI02—Managed Solutions BAI05—Managed IT Change
Programs Requirements Availability BAI06—Managed
Identification Organizational IT Changes Acceptance and
Definition and Capacity Change
and Build Transitioning

MEA03—Managed
BAI08—Managed BAI09—Managed BAI10—Managed BAI11—Managed Compliance With
Knowledge Assets Configuration Projects External
Requirements
APO04 Managed Innovation
APO04.04 Assess the potential of emerging
technologies and innovative ideas.
APO04.06 Monitor the implementation and
use of innovation.
DSS01—Managed DSS02—Managed DSS05—Managed DSS06—Managed
Service Requests DSS03—Managed DSS04—Managed Security Business MEA04—Managed
Operations Problems Continuity Assurance
and Incidents Services Process Controls

Source:​ISACA,​COBIT® 2019 Framework: Introduction and Methodology, USA,​2018

© 2018 ISACA. All Rights Reserved.

 7 AUDITING ARTIFICIAL INTELLIGENCE

DSS06​provides​a​more​in-depth​example​of​how​the
auditor​can​leverage​COBIT® 2019​during​the​course​of​an
AI​assurance​review.
DSS06​Managed Business Process Controls includes
management​practice​DSS06.05​Ensure traceability and
accountability for information events,​which​could​be​used
to​ensure​AI​activity​audit​trails​provide​sufficient
information​to​understand​the​rationale​behind​every​AI
decision​made​within​the​organization.​The​DSS06.05
description​(figure 2)​follows:​“Ensure​that​business
information​can​be​traced​to​an​originating​business​event
and​associated​with​accountable​parties.​This
discoverability​provides​assurance​that​business
information​is​reliable​and​has​been​processed​in
accordance​with​defined​objectives.”7 7

FIGURE 2: COBIT 2019:​Relevance​of​DSS06​to​AI

®

A. Component: Process (cont.)

Management Practice Example Metrics
DSS06.05 Ensure traceability and accountability for information events. a. Number of incidents in which transaction history cannot be recovered
Ensure that business information can be traced to an originating b. Percent of completeness of traceable transaction log
business event and associated with accountable parties. This
discoverability provides assurance that business information is reliable
and has been processed in accordance with defined objectives.
Activities Capability Level
1. Capture source information, supporting evidence and the record of transactions. 2
2. Define retention requirements, based on business requirements, to meet operational, financial reporting and compliance needs. 3
3. Dispose of source information, supporting evidence and the record of transactions in accordance with the retention policy.
Related Guidance (Standards, Frameworks, Compliance Requirements) Detailed Reference
No related guidance for this management practice
Source:​ISACA,​COBIT ® 2019 Framework: Governance and Management Objectives,​USA,​2018

Process​outcomes​in​COBIT​2019​are​derived​from​the 1 Capture​source​information,​supporting​evidence​and​the​record

practice​itself,​and​for​DSS06.05,​can​be​articulated​as of​transactions.

“Business​information​is​traced​to​an​originated​business 2 Define​retention​requirements,​based​on​business​requirements,

event​and​is​associated​with​accountable​parties.” to​meet​operational,​financial​reporting​and​compliance​needs.

3 Dispose​of​source​information,​supporting​evidence​and​the
The​following​activities​are​listed​for​DSS06.05:
record​of​transactions​in​accordance​with​the​retention​policy.

Figure 3 shows​the​inputs​and​outputs​from​DSS06.05.

7
ISACA,​COBIT® 2019 Framework: Governance and Management Objectives,​USA,​2018,​http://www.isaca.org/COBIT/Pages/COBIT-2019-Framework-
Governance-and-Management-Objectives.aspx
7

© 2018 ISACA. All Rights Reserved.

 8 AUDITING ARTIFICIAL INTELLIGENCE

FIGURE 3: COBIT ® 2019:​DSS06​Inputs​and​Outputs

C. Component: Information Flows and Items (see also Section 3.6) (cont.)
Management Practice Inputs Outputs
DSS06.04 Manage errors and exceptions. From Description Description To
Error reports and root Internal
cause analysis
Evidence of error MEA02.04
correction and
remediation
DSS06.05 Ensure traceability and accountability for Record of transactions Internal
information events.
Retention requirements Internal;
APO14.09
DSS06.06 Secure information assets. Reports of violations DSS05.03
Related Guidance (Standards, Frameworks, Compliance Requirements) Detailed Reference
National Institute of Standards and Technology Special Publication 3.1 Preparation (Task 10, 11): Inputs and Outputs
800-37, Revision 2, September 2017
Source:​ISACA,​COBIT ® 2019 Framework: Governance and Management Objectives,​USA,​2018

Audits​should​evaluate​the​work​products,​retention
requirements​and​records​of​transaction​as​part​of
fieldwork​testing.​Criteria​the​auditor​would​use​for​testing
include,​“Does​the​decision​made​by​AI​seem​appropriate,
given​the​decision​inputs​and​use​case?”
Challenges and Solutions for
the AI Auditor
While​there​are​several​potential​challenges​for​IT​auditors
preparing​to​equip​themselves​to​audit​AI,​solutions​do
exist​that​can​convert​the​challenges​into​successes.​The
list​in​figure 4 provides​examples.

FIGURE 4: Challenges​and​Solutions​for​AI​Auditing

CHALLENGES FOR THE AUDITOR OF AI KEYS TO THE SUCCESSFUL AUDITING OF AI

1.​Immature​auditing​frameworks​or​regulations​specific​to​AI
2.​Limited​precedents​for​AI​use​cases
3.​Uncertain​definitions​and​taxonomies​of​AI
4.​Wide​variance​among​AI​systems​and​solutions
5.​Emerging​nature​of​AI​technology
6.​Lack​of​explicit​AI​auditing​guidance
7.​Lack​of​strategic​starting​points
8.​Possibly​steep​learning​curve​for​the​AI​auditor
9.​Supplier​risk​created​by​AI​outsourcing​to​third​parties
1.​Adopt​and​adapt​existing​frameworks​and​regulations.
2.​Explain​and​communicate​proactively​about​AI​with​stakeholders.
3.​Explain​and​communicate​proactively​about​AI​with​stakeholders.
4.​Become​informed​about​AI​design​and​architecture​to​set​proper
scope.
5.​Become​informed​about​AI​design​and​architecture​to​set​proper
scope.
6.​Focus​on​transparency​through​an​iterative​process.​Focus​on
controls​and​governance,​not​algorithms.
7.​Involve​all​stakeholders.
8.​Become​informed​about​AI​design​and​engage​specialists​as
needed.
9.​Document​architectural​practices​for​cross-team​transparency.

The​following​information​expands​on​the​keys​to​success programming,​data​warehousing,​stream​processing​platforms,

listed​in​figure 4,​to​help​auditors​address​the​challenges machine​learning​tool​kits,​algorithms,​cloud​computing,​cloud

of​auditing​AI: storage,​computing​clusters,​compute​kernels,​application

software​testing​and​debugging,​data​process​and​modeling,
• ​Become informed about AI design and architecture to set
and​commercial​off-the-shelf​(COTS)​software.​From​a​skills
proper scope. AI​includes​a​large​set​of​technologies,​people
perspective,​AI​projects​may​require​data​scientists,​data
and​processes​and,​therefore,​will​require​significant​attention​to
engineers,​data​architects​and​programmers​capable​in​Python,
controls,​policies​and​governance.​AI​architecture​may​combine
R,​Java​and​matrix​laboratory​(MATLAB).8 8

8
8
Op cit Tractica

© 2018 ISACA. All Rights Reserved.

9 AUDITING ARTIFICIAL INTELLIGENCE

• ​Involve all stakeholders. AI​not​only​integrates​a​variety​of impediment​to​a​successful​audit.​COBIT​2019​and​other

enterprise​technologies​but​also​involves​multiple​internal existing​frameworks​can​be​adopted​to​handle​most​of​the

teams​and​external​third​parties.​Internal​stakeholders​involve existing​AI​use​cases​that​will​be​encountered​in​the​field.​Also,

engineering​and​security​teams​on​the​technical​side​and from​a​regulatory​perspective,​existing​charters​such​as​the

business​leaders​engaged​with​the​AI​strategy.​The​use​of​cloud United​States​Health​Insurance​Portability​and​Accountability

computing​is​widespread​with​AI​and​implies​that​third​parties Act​(HIPAA)​and​Fair​Lending​Act​and​the​European​Union’s

will​control​part​of​the​infrastructure.​Where​cloud​computing​is General​Data​Protection​Regulation​(GDPR)​can​be​adopted​to

used,​for​example,​auditors​must​address​risk​(such​as​vendor provide​legal​guidance.​The​existing​frameworks​and​regulation

lock-in​and​partitioned​knowledge)​differently​from​the​on- (adapted​by​an​auditor​who​knows​the​AI​landscape)​and​legal

premise​applications. consultation​will​suffice​until​more​specific​AI​standards​are

• ​Explain and communicate proactively about AI with implemented.

stakeholders. Due​to​the​immature​state​and​limited • ​Focus on transparency through an iterative process.

deployment​of​AI,​enterprise​stakeholders​may​be​uninformed Transparency​is​an​essential​aim​for​the​AI​auditor​due​to​the

about​its​use​and​strategy.​AI​auditors​must​be​proactive​to complexity​of​the​AI​environment.​Algorithms​require​multiple

address​AI​concerns​and​be​able​to​break​down​and​simplify rounds​of​tuning​by​data​scientists​and​data​engineers.​Some

complex​designs​and​issues​into​terms​stakeholders​can enterprise-based​commercial​off-the-shelf​solutions​may

understand.​Auditors​must​be​aware​of​the​different​contexts already​contain​components​of​machine​learning.​Likewise,​the

for​AI​discussions​and​be​able​to​adjust​the​level​of​the auditing​process​must​ensure​vigilance​of​current​and​new​AI

conversation​appropriately. developments​and​promote​continuous​improvement​and

• ​Adopt and adapt existing frameworks and regulations. The explicit​documentation​throughout​the​AI​life​cycle.​AI​itself​can,

lack​of​new​frameworks​specific​to​AI​should​not​be​an in​fact,​become​a​tool​for​the​AI​auditor.

Conclusion
Artificial​intelligence​promises​to​transform​more​than​just social​environments.​Initial​disruptions​being​caused​by
the​way​enterprises​do​business.​It​will​touch​every​corner emerging​AI​technologies​will​evolve​and​affect​the​way
of​society. people​work​until​machines​act​like​human​beings​for​all
conceivable​functions.​This​emerging​phase​offers​a​great
Auditors​should​ask​themselves​whether​organizations
opportunity​for​the​business​and​information​technology
and​audit​teams​are​ready​for​the​tough​questions​around
community​to​step​up,​prepare​and​establish​sound
AI​and​the​approach​for​auditing​it.​The​key​points​covered
governance​around​auditing​AI.​COBIT® 2019,​a​powerful
in​this​white​paper​can​be​helpful​in​getting​off​to​a
and​time-tested​methodology,​can​be​leveraged​to​pave
successful​start.
the​way.
Despite​ambiguity​around​a​conceptual​definition,​AI
continues​to​proliferate​across​business,​academic​and

© 2018 ISACA. All Rights Reserved.

10 AUDITING ARTIFICIAL INTELLIGENCE

Resources and References for

Auditing AI
The​Association​for​the​Advancement​of​Artificial
Intelligence,​Digital​Library,​Conference​Proceedings,
https://aaai.org/Library/conferences-library.php
Azoff,​M.;​“2017​Trends​to​Watch:​​Artificial​Intelligence,”
Ovum,​26​January​2017,
https://ovum.informa.com/~/media/Informa-Shop-
Window/TMT/Files/Whitepapers/2017-trends-to-watch-
in-AI.pdf
Davenport,​T.;​J.​Raphael;​10Rule;​“Creating​a​Cognitive
Audit,”​CFO,​12​July​2017,
http://ww2.cfo.com/auditing/2017/07/creating-cognitive-
audit/
Faggella,​D.;​“What​is​Artificial​Intelligence?​An​Informed
Definition,”​TechEmergence,​15​May​2017,
https://www.techemergence.com/what-is-artificial-
intelligence-an-informed-definition/

Bughin,​J.;​E.​Hazan;​S.​Ramaswamy;​M.​Chui;​T.​Allas;​P. The​Institute​of​Internal​Auditors,​“Global​Perspectives​and
Dahlstrom;​N.​Henke;​M.​Trench;​“Artificial​Intelligence: Insights​Series,​Artificial​Intelligence—Considerations​for
The​Next​Digital​Frontier?”​McKinsey​Global​Institute,​June the​Profession​of​Internal​Auditing,”​2017,
2017, https://na.theiia.org/periodicals/Public%20Documents/
https://www.mckinsey.com/~/media/McKinsey/Industrie GPI-Artificial-Intelligence.pdf
s/Advanced%20Electronics/Our%20Insights/How
The​Institute​of​Internal​Auditors,​“Global​Perspectives​and
%20artificial%20intelligence%20can%20deliver%20real
Insights​Series,​The​IIA’s​Artificial​Intelligence​Auditing
%20value%20to%20companies/MGI-Artificial-Intelligence-
Framework—Practical​Applications,​Part​A,”​2017,
Discussion-paper.ashx
https://na.theiia.org/periodicals/Public%20Documents/
Clark,​A.;​“The​Machine​Learning​Audit—CRISP-DM GPI-Artificial-Intelligence-Part-II.pdf
Framework,”​ISACA® Journal,​vol.​1,​2018,
The​Institute​of​Internal​Auditors,​“Global​Perspectives​and
https://www.isaca.org/Journal/archives/2018/Volume-
Insights​Series,​The​IIA’s​Artificial​Intelligence​Auditing
1/Pages/the-machine-learning-audit-crisp-dm-
Framework—Practical​Applications,​Part​B,”​2017,
framework.aspx
https://na.theiia.org/periodicals/Public%20Documents/
Conitzer,​V.;​W.​Sinnot-Armstrong;​J.​S.​Borg;​Y.​Deng;​M. GPI-Artificial-Intelligence-Part-III.pdf
Kramer;​“Moral​Decision​Making​Frameworks​for​Artificial
The​Institute​of​Internal​Auditors,​“Artificial​Intelligence:
Intelligence,”​Association​for​the​Advancement​of​Artificial
The​Future​for​Internal​Auditing,”​Tone at the Top,
Intelligence,​2017,
December​2017
https://users.cs.duke.edu/~conitzer/moralAAAI17.pdf
Internal​Audit​Foundation,​“Request​for​Proposals,
Cummings,​M.​L.;​“Artificial​Intelligence​and​the​Future​of
Artificial​Intelligence​Research​Project,”​2017,
Warfare,”​Chatham​House,​January​2017,
https://na.theiia.org/iiarf/Public%20Documents/
https://www.chathamhouse.org/sites/default/files/public
RFP-Artificial-Intelligence.pdf
ations/research/2017-01-26-artificial-intelligence-future-
warfare-cummings-final.pdf

© 2018 ISACA. All Rights Reserved.

11
International​Standards​Organization​(ISO),​“ISO/IEC
27000:2018(en),​Information​technology—Security
techniques—Information​security​management​systems—
Overview​and​vocabulary,”
https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:e
ISACA,​COBIT® 2019 Framework: Governance and
Management Objectives,​USA,​2018,
http://www.isaca.org/COBIT/Pages/COBIT-2019-
Framework-Governance-and-Management-
Objectives.aspx
ISACA,​COBIT​4.1​Brochure,
http://www.isaca.org/Knowledge-Center/cobit/
Documents/CobiT-4.1-Brochure.pdf
Issa,​H.;​T.​Sun;​M.​Vasarhelyi;​“Research​Ideas​for​Artificial
Intelligence​in​Auditing:​The​Formalization​of​Audit​and
Workforce​Supplementation,”​Journal of Emerging
Technologies in Accounting,​vol.​13,​no.​2,​2016,
http://aaapubs.org/doi/pdf/10.2308/
jeta-10511?code=aaan-site
Koenig,​M.;​S.​Bee;​D.​Applegate;​Artificial Intelligence: The
Data Below,​Internal​Audit​Foundation,​2018
KPMG,​“Capitalizing​on​robotics:​Driving​savings​with
digital​labor,”​2017,
https://assets.kpmg.com/content/dam/kpmg/is/pdf/
2017/03/capitalizing-robotics-digital-labor-savings.pdf
Kuang,​C.;​“Can​A.I.​Be​Taught​to​Explain​Itself?”​The New
York Times Magazine,​​21​November​2017,
https://www.nytimes.com/2017/11/21/magazine/
can-ai-be-taught-to-explain-itself.html
Meek,​T.;​“How​Humans​and​AI​Will​Share​the​Auditing
Function​of​the​Future,”​Forbes,​10​July​2017,
https://www.forbes.com/sites/workday/2017/07/10/
how-humans-and-ai-will-share-the-auditing-function-of-
the-future/#63d3bf774fa1
Peter​Davis​and​Associates,​www.pdaconsulting.com/
Russell,​S.;​P.​Norvig;​Artificial Intelligence: A Modern
Approach (3rd Edition),​Pearson,​USA,​2009
Sandvig​C.;​K.​Hamilton;​K.​Karahalios;​C.​Langbort;
“Auditing​Algorithms:​​Research​Methods​for​Detecting
Discrimination​on​Internet​Platforms,”​Paper​Presented​at
the​“Data​and​Discrimination:​Converting​Critical​Concerns
into​Productive​Inquiry”​preconference​of​the​64th Annual
Meeting​of​the​International​Communication​Association,
http://www-personal.umich.edu/~csandvig/research/
Auditing%20Algorithms%20—%20Sandvig%20—
%20ICA%202014%20Data%20and%20Discrimination
%20Preconference.pdf
Tegmark,​M.;​Life 3.0: Being Human in the Age of Artificial
Intelligence,​Knopf,​USA,​2017
Tractica​Research,​“Artificial​Intelligence​Software​Market
to​Reach​$89.8​Billion​in​Annual​Worldwide​Revenue​by
2025,”​21​December​2017,
https://www.tractica.com/newsroom/press-releases/
artificial-intelligence-software-market-to-reach-89-8-
billion-in-annual-worldwide-revenue-by-2025
Venkatesan,​M.;​“Artificial​Intelligence​vs.​Machine
Learning​vs.​Deep​Learning,”​Data​Science​Central,​
7​May​2018,​https://www.datasciencecentral.com/
profiles/blogs/artificial-intelligence-vs-machine-learning-
vs-deep-learning
12 AUDITING ARTIFICIAL INTELLIGENCE

​Acknowledgments
ISACA​would​like​to​recognize:

Lead Developers ISACA Board of Directors

ISACA Phoenix Chapter Rob Clyde, Chair Chris K. Dimitriadis, Ph.D.
John Livingston,​CISA,​ITIL​v3,​Lean​Six CISM ISACA​Board​Chair,​2015-2017
Sigma​Black​Belt Clyde​Consulting​LLC,​USA CISA,​CRISC,​CISM
Advisor,​Information​Security​Compliance INTRALOT,​Greece
Brennan Baybeck, Vice-Chair
&​Audit​Governance​,​USA
CISA,​CRISC,​CISM,​CISSP
Oracle​Corporation,​USA
Joe Norris,​CGEIT,​COBIT,​ITIL​v3
Director,​Enterprise​Risk​Management, Tracey Dedrick
USA Former​Chief​Risk​Officer​with​Hudson
City​Bancorp,​USA
Jon Oppenhuis,​CCSK,​CCSP,​CISSP,​ITIL
SS/SD,​TOGAF Leonard Ong

Client​Solutions​Architect,​USA CISA,​CRISC,​CISM,​CGEIT,​COBIT​5
Implementer​and​Assessor,​CFE,​CIPM,

Expert Reviewers
CIPT,​CISSP,​CITBCM,​CPP,​CSSLP,​GCFA,
GCIA,​GCIH,​GSNA,​ISSMP-ISSAP,​PMP
Andrew Clark Merck​&​Co.,​Inc.,​Singapore

Michael J. Podemski R.V. Raghu

CIPM,​CIPT,​USA CISA,​CRISC
Versatilist​Consulting​India​Pvt.​Ltd.,​India
Marc Vael
CISA,​CRISC,​CISM,​CGEIT,​Belgium Gabriela Reynaga
CISA,​CRISC,​COBIT​5​Foundation,​GRCP
Holistics​GRC,​Mexico​

Gregory Touhill
CISM,​CISSP
Cyxtera​Federal​Group,​USA​

Ted Wolff
CISA
Vanguard,​Inc.,​USA

Tichaona Zororo
CISA,​CRISC,​CISM,​CGEIT,​COBIT​5
Assessor,​CIA,​CRMA
EGIT​|​Enterprise​Governance​of​IT​(Pty)
Ltd,​South​Africa

Theresa Grafenstine
ISACA​Board​Chair,​2017-2018
CISA,​CRISC,​CGEIT,​CGAP,​CGMA,​CIA,
CISSP,​CPA
Deloitte​&​Touche​LLP,​USA

© 2018 ISACA. All Rights Reserved.

13 AUDITING ARTIFICIAL INTELLIGENCE

About​ISACA
1700​E.​Golf​Road,​Suite​400​
Nearing​its​50th​year,​ISACA® (isaca.org)​is​a​global​association​helping
Schaumburg,​IL​60173,​USA
individuals​and​enterprises​achieve​the​positive​potential​of​technology.
Technology​powers​today’s​world​and​ISACA​equips​professionals​with​the
Phone: +1.847.660.5505
knowledge,​credentials,​education​and​community​to​advance​their​careers
and​transform​their​organizations.​ISACA​leverages​the​expertise​of​its​half- Fax: +1.847.253.1755
million​engaged​professionals​in​information​and​cyber​security,​governance,
assurance,​risk​and​innovation,​as​well​as​its​enterprise​performance Support: support.isaca.org

subsidiary,​CMMI® Institute,​to​help​advance​innovation​through​technology.
Website: www.isaca.org
ISACA​has​a​presence​in​more​than​188​countries,​including​more​than​217
chapters​and​offices​in​both​the​United​States​and​China.

DISCLAIMER
Provide Feedback:
ISACA​has​designed​and​created​Auditing Artificial Intelligence (the​“Work”)
www.isaca.org/auditing-AI
primarily​as​an​educational​resource​for​professionals.​ISACA​makes​no​claim
that​use​of​any​of​the​Work​will​assure​a​successful​outcome.​The​Work Participate in the ISACA Online
should​not​be​considered​inclusive​of​all​proper​information,​procedures​and Forums:
tests​or​exclusive​of​other​information,​procedures​and​tests​that​are https://engage.isaca.org/onlineforums
reasonably​directed​to​obtaining​the​same​results.​In​determining​the​propriety
Twitter:
of​any​specific​information,​procedure​or​test,​professionals​should​apply​their
www.twitter.com/ISACANews
own​professional​judgment​to​the​specific​circumstances​presented​by​the
particular​systems​or​information​technology​environment. LinkedIn:
www.linkd.in/ISACAOfficial

RESERVATION OF RIGHTS
Facebook:
www.facebook.com/ISACAHQ
©​2018​ISACA.​All​rights​reserved.

Instagram:
www.instagram.com/isacanews/

Auditing Artificial Intelligence

© 2018 ISACA. All Rights Reserved.