Internal auditors want role in US's AI action plan

The Institute of Internal Auditors is asking the federal government to give the internal audit function a key role in providing assurance over the use of artificial intelligence as part of a nationwide action plan.

The IIA submitted a comment letter last week in response to a request for information from the U.S. Office of Science and Technology Policy on developing an AI Action Plan ordered by President Trump. On Jan. 23, Trump signed Executive Order 14179 (Removing Barriers to American Leadership in Artificial Intelligence) to establish a U.S. policy for sustaining and enhancing America's AI dominance. The order requires the development of an AI Action Plan to advance America's AI leadership, in a process led by the assistant to the president for science and technology, the White House AI and crypto czar, and the national security advisor, while also revoking an October 2023 executive order from the Biden administration calling for the safe, secure and trustworthy development and use of AI. The Trump administration contends the Biden executive order has hampered the private sector's ability to innovate in AI by imposing burdensome government requirements restricting AI development and deployment. 

In its letter, the IIA stressed the importance of establishing clear and measured safeguards governing AI applications, pointing to the significant impact the technology will have on Americans and the need to involve internal auditors. 

"An internal audit function — operating in conformity with the Global Internal Audit Standards — is the entity responsible for providing an organization's governing body with objective assurance over AI-related risk management and internal control processes," wrote IIA president and CEO Anthony Pugliese. "The work of internal audit promotes confidence among stakeholders due to its independence from management and direct reporting relationship to the governing body (i.e. board of directors)." 

The IIA pointed out that a comprehensive AI Action Plan should highlight the importance of governance, internal controls, and risk management to support organizations that use AI and said a critical component of any robust risk management analysis that should be recognized in the AI Action Plan is the complementary role of an organization's internal audit function.

The IIA suggested the AI Action Plan should empower the private sector to execute assurance responsibilities through internal audit, rather than "establish a traditional regulatory regime directing a specific government agency to audit AI operations."

The IIA asked the U.S. Office of Science and Technology Policy to address the following topics in the AI Action Plan:

Recognize the significance of AI risk management and governance: The IIA said it supports a greater policy emphasis concerning the need for appropriate risk management and governance processes related to implementing and using AI in business operations.

Strengthen internal AI oversight: The IIA recommended using internal audit-led assurance processes for evaluating an organization's AI-related internal controls, risk management and governance structures. "The presence of a qualified internal audit function will strengthen independent oversight efforts and increase consumer confidence," Pugliese wrote.