All opinions are Ashwathama Rajendran's own and do not represent his employer, and all scenarios discussed are hypothetical and based on broad industry experience rather than any specific organization.
Interested in this topic? Visit the links below for more resources:
Visit The IIA’s website or YouTube channel for related topics and more.
00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit Tech.
00:00:06 The IIA
In this episode, Paula Michaels talks with Ash Rajendran about how AI can support more connected, continuous, and coordinated assurance across 3 lines.
00:00:16 The IIA
They discuss why combined assurance can be difficult to achieve in practice, how AI can act as a connecting layer across risk, compliance, operations, and internal audit.
00:00:30 Paula Michaels
Hi, Ash.
00:00:30 Paula Michaels
I'm so glad you're able to join us today.
00:00:33 Paula Michaels
Before we get started, can you tell me a little bit more about your background and your work when it comes to AI-enabled assurance?
00:00:40 Ashwathama Rajendran
Thanks, Paula, for having me.
00:00:42 Ashwathama Rajendran
It's great to be here.
00:00:43 Ashwathama Rajendran
By way of background, I currently work as a data analytics lead at Stripe.
00:00:47 Ashwathama Rajendran
Before Stripe, I worked at major financial institutions such as BlackRock and Barclays.
00:00:52 Ashwathama Rajendran
I actually started my career as a software engineer.
00:00:55 Ashwathama Rajendran
Then I moved
00:00:56 Ashwathama Rajendran
into a second line monitoring function, and finally into audit.
00:01:00 Ashwathama Rajendran
So I have worked across all three lines, and that actually shaped how I approach my audit work.
00:01:06 Ashwathama Rajendran
And more importantly, my technology and engineering background has been particularly valuable within internal audit.
00:01:12 Ashwathama Rajendran
Having written code for a long time and being close to technology, I have a strong sense of where things can go wrong, what are the edge cases, and how do we
00:01:23 Ashwathama Rajendran
design more innovative ways to test complex automated controls.
00:01:29 Ashwathama Rajendran
So across all these roles, the question that I've been working on is the same.
00:01:34 Ashwathama Rajendran
How do we use data and emerging technologies such as AI to move the audit function forward?
00:01:41 Ashwathama Rajendran
And I've been applying AI to that question for a while now.
00:01:44 Ashwathama Rajendran
And earlier this year, I shared some of that work in a global webinar.
00:01:50 Ashwathama Rajendran
which reached an audience from more than 100 countries.
00:01:53 Ashwathama Rajendran
So between that work, my technology background, and my time across all three lines, I get to look at this topic from a few different angles, such as strategy, technology, and day-to-day practice.
00:02:05 Ashwathama Rajendran
That's my high load background.
00:02:07 Paula Michaels
Thanks.
00:02:08 Paula Michaels
And you recently authored an article in Internal Order Magazine about the topic.
00:02:13 Paula Michaels
So let's kind of dive right into combined assurance.
00:02:17 Paula Michaels
It sounds really great in theory, but even with our frameworks like the three lines model, why do so many organizations find it difficult to truly achieve?
00:02:26 Ashwathama Rajendran
The main thing is the combined assurance works really well on paper, but it is slightly challenging in real world.
00:02:33 Ashwathama Rajendran
So let me explain with the
00:02:36 Ashwathama Rajendran
simple hypothetical but realistic scenario.
00:02:39 Ashwathama Rajendran
Let's say a company's cybersecurity team sees unusual activity and tags it as a low severity issue.
00:02:46 Ashwathama Rajendran
And at the same time, second line monitoring function is seeing some customer compliance about the same problem.
00:02:52 Ashwathama Rajendran
And internal audit is also documenting control weaknesses about the same system during a routine review.
00:02:59 Ashwathama Rajendran
So looked at independently, everything looks fine.
00:03:02 Ashwathama Rajendran
But when we look at the bigger picture that show systemic control failure, the core problem is that the three lines are working in parallel, but not really together.
00:03:12 Ashwathama Rajendran
And the data backs this up as well.
00:03:14 Ashwathama Rajendran
The IAS recent research has shown that only four in 10 organizations share the methodology and risk registers between the enterprise risk management and internal audit.
00:03:25 Ashwathama Rajendran
And only one in four share the risk management software.
00:03:29 Ashwathama Rajendran
So when we are talking about coordination and collaboration, the teams are not even on the same systems.
00:03:35 Ashwathama Rajendran
So these are some of the issues, but there are other issues as well.
00:03:39 Ashwathama Rajendran
They have their own priorities.
00:03:41 Ashwathama Rajendran
Every function have their own goals and they have their own reporting lines and they have their own definition of what a good quarter looks like.
00:03:48 Ashwathama Rajendran
And in addition to this, all these functions have their own.
00:03:53 Ashwathama Rajendran
Risk taxonomy is not consistent.
00:03:55 Ashwathama Rajendran
These are all different.
00:03:56 Ashwathama Rajendran
They could have different names to represent the same risk.
00:04:00 Ashwathama Rajendran
So the three lines model is round, but the challenge is implementing combined assurance in the real world for the reasons I just walked through.
00:04:08 Ashwathama Rajendran
The more important issue is the lack of shared infrastructure to actually deliver it.
00:04:14 Ashwathama Rajendran
Every function is doing its job well, but not just together.
00:04:18 Ashwathama Rajendran
And AI can definitely close that gap.
00:04:21 Paula Michaels
As you said, you've got 3 functions probably trying to get to the same goal, but they're using different disparate systems or not using the same technologies and might be at different points of where they are in discovery.
00:04:33 Paula Michaels
So, when you think about AI in terms of automation, most of us think about doing tasks better, but how are organizations treating AI as a connective tissue?
00:04:45 Paula Michaels
And does it really become a tool to help leverage or, as you'd say, align combined insurance?
00:04:51 Paula Michaels
to be more effective.
00:04:54 Ashwathama Rajendran
So when most people think about AI and audit, most of them think about doing tasks faster, efficiently, such as drafting work papers or summarizing findings.
00:05:07 Ashwathama Rajendran
running a risk assessment.
00:05:08 Ashwathama Rajendran
I mean, those are all real value exercises.
00:05:11 Ashwathama Rajendran
I did share some of these examples in my IA webinar earlier this year.
00:05:16 Ashwathama Rajendran
It's a good starting point, but the real impact comes when AI is used as a connecting layer to see the bigger picture.
00:05:23 Ashwathama Rajendran
Imagine an AI layer sitting underneath the three lines and it reads and understands what the three lines are producing and try to understand the overall theme
00:05:34 Ashwathama Rajendran
Bring the bigger picture, so that's a totally different idea.
00:05:37 Ashwathama Rajendran
Take, for example, combined assurance map, which provides the overall coverage of the assurance activities.
00:05:44 Ashwathama Rajendran
Currently, it is a manual document that is maintained by someone.
00:05:49 Ashwathama Rajendran
by talking to multiple teams.
00:05:51 Ashwathama Rajendran
But imagine an AI agent scanning through the audit plans, compliance reports, risk assessments, monitoring output across all the different lines, and it actually generates a real-time living document.
00:06:05 Ashwathama Rajendran
The information is going to be available on demand instead of an outdated document.
00:06:09 Ashwathama Rajendran
So this is one of the examples of how AI could be used for the combined assurance piece.
00:06:15 Ashwathama Rajendran
Again, the other thing is when we frame AI
00:06:18 Ashwathama Rajendran
AI as an automation, it might seem like a threat to the roles, but if we aim it as a connecting layer, it could enable folks to do their jobs much better.
00:06:29 Paula Michaels
This kind of gets into one of the most compelling applications is continuously monitoring integration.
00:06:36 Paula Michaels
That's probably what you were talking about.
00:06:39 Paula Michaels
What does it look like in practice and how does it work and who owns it?
00:06:43 Paula Michaels
Or is there really a true owner?
00:06:45 Ashwathama Rajendran
The continuous integration, in my view, is one of the most valuable application of AI combined assurance, but it is also the hardest thing to get it right.
00:06:55 Ashwathama Rajendran
For example, let's say the first line produces the operational metrics.
00:06:59 Ashwathama Rajendran
The second line produces a constant stream of monitoring data.
00:07:03 Ashwathama Rajendran
This could be data privacy team generating incident reports or other metrics, or cybersecurity team producing threat intelligence reports, or it could be
00:07:15 Ashwathama Rajendran
AIML team producing surveillance reports.
00:07:18 Ashwathama Rajendran
And the third line, internal audit, produces findings, annual review reports.
00:07:23 Ashwathama Rajendran
Every system, every report that is being produced are in a different format, different schedule, and on a different dating scale.
00:07:31 Ashwathama Rajendran
So what is AI?
00:07:33 Ashwathama Rajendran
What can AI do here?
00:07:34 Ashwathama Rajendran
So AI can sit underneath all these things, read the unstructured data, such as instant write-ups, audit findings, cybersecurity alerts.
00:07:43 Ashwathama Rajendran
So what it can do here is it can do
00:07:45 Ashwathama Rajendran
two things here.
00:07:46 Ashwathama Rajendran
It can normalize the language, so the control deficiency from internal audit, and then observation from a second line testing, and instant from the first line could be all mapped together to get us the overall big picture view.
00:07:59 Ashwathama Rajendran
And the second thing is it can correlate all these things and find the pattern and themes that no single function can do on its own.
00:08:06 Ashwathama Rajendran
So that's the key thing that could be done with AI in the continuous monitoring integration piece.
00:08:13 Ashwathama Rajendran
So now on the ownership,
00:08:15 Ashwathama Rajendran
It all depends on the use case, right?
00:08:16 Ashwathama Rajendran
How complex the use case is.
00:08:18 Ashwathama Rajendran
If it is a single AI agent that needs to be developed, or do we have a multi-agent, you know, AI agent system?
00:08:26 Ashwathama Rajendran
Depending on the complexity, if it is a really complex implementation, the first line could own the implementation.
00:08:32 Ashwathama Rajendran
The second line could monitor how the system performs, and Intel Audit could perform, you know, the overall independent assessment.
00:08:40 Ashwathama Rajendran
This also clearly maps into the three lines model.
00:08:43 Ashwathama Rajendran
The technology is new, but the governing principle is not.
00:08:46 Ashwathama Rajendran
And how this differs from the periodic assurance, right?
00:08:50 Ashwathama Rajendran
Historically, we do periodic assessments, which is more of a backward looking view.
00:08:55 Ashwathama Rajendran
But with this continuous combined assurance model, we are actually looking into the live view and see what is actually happening in all these complex systems.
00:09:07 Paula Michaels
Can you walk us through a real world scenario?
00:09:11 Paula Michaels
where it's worked, in terms of finding a risk earlier than the traditional approaches?
00:09:17 Paula Michaels
And also as an internal auditor, how do you get the first and second line to coordinate or, collaborate on this, continuous monitoring and assurance process?
00:09:30 Ashwathama Rajendran
Yeah, let me expand upon the previous example that I shared.
00:09:34 Ashwathama Rajendran
Again, a hypothetical, but very realistic that a lot of large organizations would have encountered.
00:09:40 Ashwathama Rajendran
Let's imagine a company that processes millions of customer billing transactions.
00:09:46 Ashwathama Rajendran
And suddenly over a two-week period, the customer support team is noticing a small number of customer complaints.
00:09:54 Ashwathama Rajendran
I know looked on its own, it's just a customer experience metric.
00:09:58 Ashwathama Rajendran
And now separately, engineering team has pushed their code change two weeks earlier, tested everything, nothing was identified, nothing stood out.
00:10:08 Ashwathama Rajendran
Separately again, let's say internal audit has documented related finding related to reconciliation controls, I know six months ago, right?
00:10:18 Ashwathama Rajendran
And separately again,
00:10:19 Ashwathama Rajendran
The second line monitoring system compliance, for example, has also identified something related to the same system like 2 weeks ago, right around the corner when the code was implemented.
00:10:30 Ashwathama Rajendran
At the current state, we can see your four signals, four different systems, four different tickets, and are not talking to each other.
00:10:38 Ashwathama Rajendran
There's a lot of missing pieces here.
00:10:40 Ashwathama Rajendran
And I believe this is where continuous combined assurance changes the picture, right?
00:10:45 Ashwathama Rajendran
The AI layer reading all the four streams in real time sees
00:10:49 Ashwathama Rajendran
the customer compliance and it can read the code that was released two weeks ago and it can read the internal audit finding that was created six months ago and it can also map it to the second line exception report so it can bring everything together now instead of four different tickets.
00:11:09 Ashwathama Rajendran
which are just sitting there, we have one alert that is a cross-functional escalation, which could prevent a large impact incident with the use of AI.
00:11:20 Ashwathama Rajendran
So this is a simple example of how these AI agents can bring a lot of value when we combine all these things together.
00:11:29 Paula Michaels
Makes sense.
00:11:30 Paula Michaels
Every team has a different risk language.
00:11:34 Paula Michaels
so how can AI kind of align those languages, but don't oversimplify, really identify those clear opportunities, but also keeps everyone aligned and attuned and understanding each other's functions?
00:11:49 Ashwathama Rajendran
Yeah, so when we find that different functions such as compliance, risk, other monitoring teams use different terms for the same risk,
00:12:01 Ashwathama Rajendran
The first instinct is that we require, we force everyone to use the same taxonomy.
00:12:08 Ashwathama Rajendran
But that almost never works, right?
00:12:10 Ashwathama Rajendran
The reason is pretty simple, because everyone have their own use case.
00:12:14 Ashwathama Rajendran
They have come up with these terms because it works best for their use case.
00:12:19 Ashwathama Rajendran
For example, compliance categorizes risk in a way the regulator wants to see.
00:12:25 Ashwathama Rajendran
and audit categorizes in a way according to IAA standards and other frameworks and operations uses the term to best represent their business KPI.
00:12:34 Ashwathama Rajendran
So each one is correct in their own way, so we don't want to lose it.
00:12:38 Ashwathama Rajendran
So what we want is this translation layer, right?
00:12:42 Ashwathama Rajendran
So I described this in my article, how AI could read all this terminology, understand that they all represent the same risk, and we could combine everything and represent as a one single thing when a leadership asks for it.
00:12:57 Ashwathama Rajendran
So in the past, organizations have tried to do this using an approach or even more advanced keyword.
00:13:05 Ashwathama Rajendran
mapping.
00:13:06 Ashwathama Rajendran
I mean, it used to work, but it breaks down when the terms changed drastically, but still mean.
00:13:12 Ashwathama Rajendran
the same thing, but the new large language models have that intelligence, so they understand what they actually mean, even if the terms are drastically different.
00:13:22 Ashwathama Rajendran
So that's the key idea for everyone thinking about is, we should not force the organization to use one single taxonomy, but rather use the AI to make things work together.
00:13:35 Paula Michaels
In terms of, internal audit, maintaining that independence, professional judgment and perspective, how can our organization not over rely on AI and the insurance works and having those checks and balances to ensure it is reading the data, reading the findings from these areas?
00:13:56 Ashwathama Rajendran
We talk a lot about what can be done with AI, but we talk much less what the new risk will create, right?
00:14:03 Ashwathama Rajendran
The first thing is accuracy.
00:14:05 Ashwathama Rajendran
So if we go to any of the AI tools that are out there, the first.
00:14:10 Ashwathama Rajendran
message that you see is AI can make mistakes.
00:14:13 Ashwathama Rajendran
And I don't think that warning message is going to go away anytime soon.
00:14:17 Ashwathama Rajendran
So the key thing is accuracy, right?
00:14:20 Ashwathama Rajendran
We need to make sure whatever the output that AI is generating is accurate.
00:14:25 Ashwathama Rajendran
So how do we fix this?
00:14:27 Ashwathama Rajendran
The fix is pretty straightforward.
00:14:28 Ashwathama Rajendran
Human in the loop.
00:14:29 Ashwathama Rajendran
Everything that AI generates needs to be reviewed by a person.
00:14:34 Ashwathama Rajendran
Either it goes to a work paper or it goes to a report, always there should be someone reviewing it, at least as of now, where we stand with all the AI models, LLMs, so we can't just take the output and go with it.
00:14:48 Ashwathama Rajendran
The second thing is the data privacy, right?
00:14:51 Ashwathama Rajendran
Again, this should be taken very seriously, anything that we put into the public tools.
00:14:56 Ashwathama Rajendran
that we go into the browser and we access anything.
00:14:59 Ashwathama Rajendran
Anything that we, any information like prompt or anything, any information that is gonna be retained by these models and it could be used to train the third party models.
00:15:08 Ashwathama Rajendran
That's a huge risk.
00:15:10 Ashwathama Rajendran
I mean, this is not accessible for anything involving PII, payroll, or any.
00:15:15 Ashwathama Rajendran
company-related data, we need to be really clear.
00:15:18 Ashwathama Rajendran
The solution for this is the organization should work with their technology team to set up a secure AI platform where the prompts outputs are private or excluded from external training.
00:15:30 Ashwathama Rajendran
And the third thing is independence, right?
00:15:33 Ashwathama Rajendran
This is really important.
00:15:35 Ashwathama Rajendran
I think Intel audits value comes
00:15:37 Ashwathama Rajendran
from independence and objectivity and AC-led AI systems that are built and owned by the 1st and the second lines to rely upon our work, I think that's a slightly different problem.
00:15:50 Ashwathama Rajendran
We can extend our reach with the use of AI.
00:15:54 Ashwathama Rajendran
We can outdo things that were not previously possible with the use of AI, but we cannot use AI to outsource our judgment.
00:16:03 Ashwathama Rajendran
So that's a really important thing.
00:16:05 Ashwathama Rajendran
The other final thing that I want to add is the auditability of AI itself.
00:16:11 Ashwathama Rajendran
If you are using AI for our assurance activities, we should be able to explain it to the regulators.
00:16:18 Ashwathama Rajendran
For example, how did we come up with that conclusion?
00:16:21 Ashwathama Rajendran
What model did we use?
00:16:22 Ashwathama Rajendran
What prompt did we use?
00:16:23 Ashwathama Rajendran
What portion of the LLM model that we used?
00:16:27 Ashwathama Rajendran
we should be able to explain that to our regulators.
00:16:31 Ashwathama Rajendran
So the way I think about it is AI is a powerful tool, but it is still a tool.
00:16:37 Ashwathama Rajendran
The audits proportions value comes from the independence that we add, the judgment and the professionals' criticism.
00:16:45 Ashwathama Rajendran
So those are all the things that we cannot delegate to the model.
00:16:48 Ashwathama Rajendran
So the judgment will always stay with the internal auditors.
00:16:52 Paula Michaels
How do these various lines work together to continue to improve combined insurance and continuous improvement in those systems?
00:17:02 Paula Michaels
And continuing to look at prompts, whatever, if it's new tools, any kind of best practice on how often you should be looking at your systems?
00:17:12 Paula Michaels
And does each line have a role in that?
00:17:14 Ashwathama Rajendran
Again, it depends on the use cases, I would say.
00:17:17 Ashwathama Rajendran
Depending on the complexity, the first line would go on the core implementation, and they would also have a high-level monitoring of how the model performs, how the output is, the output is consistent, the change management and stuff.
00:17:31 Ashwathama Rajendran
And the second line would, again, perform a high-level monitoring, periodic monitoring to see there isn't a drastic drift in the model performance.
00:17:40 Ashwathama Rajendran
And internal audit, again, will play a critical role
00:17:44 Ashwathama Rajendran
and making ensure how the overall design is.
00:17:47 Ashwathama Rajendran
And we will ensure that there is human in the loop governance, to make sure whatever has been decided, there is always a human component to ensure accuracy and consistency.
00:18:01 Paula Michaels
Now, the recent report on collaboration without compromise issued by the Internal Audit Foundation showed organizations are still struggling, as we talked about, siloed probe processes and ununified programs.
00:18:16 Paula Michaels
So where can an organization start, especially if they don't have any kind of AI-enabled combined insurance?
00:18:25 Ashwathama Rajendran
The temptation would be to look at the end state and then conclude that everything needs to be built from scratch, but that is not the case.
00:18:32 Ashwathama Rajendran
I would suggest going an approach that is more of a phased approach, starting with the simple use cases.
00:18:40 Ashwathama Rajendran
For example, the AI-assisted assurance map is an easy thing to achieve, like scanning audit reports, compliance plans and all the
00:18:53 Ashwathama Rajendran
audit level, annual review reports, first line monitoring in a specific domain, and then identify what are the overlaps and gaps.
00:19:02 Ashwathama Rajendran
So that's a quick win before the teams could ask for the next big investment.
00:19:08 Ashwathama Rajendran
And also the risk taxonomy translation is a pretty easy win as well.
00:19:14 Ashwathama Rajendran
We could pick all the different taxonomies that are being used by various organizations and then combine it
00:19:20 Ashwathama Rajendran
using AI to see where the risk and opportunity is for each or for their organization.
00:19:26 Ashwathama Rajendran
So that is an easy win as well.
00:19:28 Ashwathama Rajendran
For the continuous monitoring integration, that is a bit more complex.
00:19:32 Ashwathama Rajendran
The best approach here would be to create some kind of proof of concept during fieldwork and then use AI to read the incident reports, the second line monitoring reports, Jira tickets, and the code base to understand the implementation, not in a full-fledged manner or a specific
00:19:50 Ashwathama Rajendran
Fix scope area, and then once the impact is visible, the other lines would be, usually we need to collaborate to build a more scalable solution.
00:20:02 Ashwathama Rajendran
There are a few guardrails as well that needs to be made sure.
00:20:06 Ashwathama Rajendran
One is the data quality.
00:20:08 Ashwathama Rajendran
If the data is not good, the data quality is not good, it's only going to make the AI output even worse.
00:20:15 Ashwathama Rajendran
And the second thing is to treat AI itself as something the three lines need to oversee.
00:20:20 Ashwathama Rajendran
The first line operates at some level of monitoring.
00:20:23 Ashwathama Rajendran
The second line would monitor end-to-end, the monitor the end-to-end implementation and internal audit always provides independent assurance.
00:20:31 Paula Michaels
And when you talk about trying to implement or suggest this model, do you have any experience of trying to talk to the 1st and 2nd lines on, as you said, maybe low hanging fruit or a starting point?
00:20:45 Paula Michaels
Is internal audit sometimes that catalyst and how should they approach those lines or do they, you know, identifying the problem, the potential issue and seeing an opportunity?
00:20:55 Paula Michaels
Any scenarios you can talk us through on that?
00:20:58 Ashwathama Rajendran
The main thing is, when we are working on certain engagements, the key thing to see is are there to identify are there any AI usage in the actual field work, right?
00:21:10 Ashwathama Rajendran
Can I use the AI to perform this complex, you know, reconciliation between when a 50K program module versus the actual policy, right?
00:21:20 Ashwathama Rajendran
And how the first line or second line have implemented something like this.
00:21:24 Ashwathama Rajendran
It's good to talk to them to understand
00:21:26 Ashwathama Rajendran
Do they have any such implementation?
00:21:28 Ashwathama Rajendran
If not, partner with the technology team to have the secure AI platform implemented first because we cannot upload the code or the policy into the publicly available AI tools.
00:21:41 Ashwathama Rajendran
That's a huge risk.
00:21:43 Ashwathama Rajendran
So most organizations would already have by now a secure platform where they could perform this kind of reconciliation.
00:21:50 Ashwathama Rajendran
So this is what the policy says.
00:21:52 Ashwathama Rajendran
This is the core implementation.
00:21:55 Ashwathama Rajendran
with a proper prompt, you could identify exceptions.
00:22:00 Ashwathama Rajendran
So I talk about certain use cases in my IAA webinar earlier this year, explaining how this could be done.
00:22:07 Ashwathama Rajendran
So once you see if there are any gaps or anything, and that's a really good way to start the conversation with the second line and first line, hey, I was trying to use AI.
00:22:18 Ashwathama Rajendran
At this point, they would be more than willing to take your implementation, take it to their end, and then implement on a more scalable manner.
00:22:27 Ashwathama Rajendran
And then Internal Audit could go back and provide an independent assurance on the overall implementation as part of the next review.
00:22:35 Paula Michaels
So when we talk about organizations moving to be in a more connective approach with a continuous assurance model, what does realistically change for internal audit teams day-to-day and over the next five years?
00:22:49 Paula Michaels
What have you seen with continuous assurance applications?
00:22:54 Ashwathama Rajendran
Yeah, so this is, again, areas are relatively new.
00:22:58 Ashwathama Rajendran
It's, I mean, future, there's gonna be a lot of moving parts, but what I can see is in a mature AI-enabled combined assurance environment, I know a few things are changing drastically.
00:23:13 Ashwathama Rajendran
The first thing is sampling is gonna be an exception.
00:23:16 Ashwathama Rajendran
I mean, it is already an exception.
00:23:18 Ashwathama Rajendran
But I'm even talking about more unstructured, complex data, even which are challenging, even with the full population testing.
00:23:26 Ashwathama Rajendran
Like, say, for example, you want to analyze hundreds of contracts, even those kind of things, sampling is kind of, it's going to kind of move away from that.
00:23:34 Ashwathama Rajendran
It's going to be a full population thing.
00:23:37 Ashwathama Rajendran
And the second thing is the audit life cycle, right?
00:23:40 Ashwathama Rajendran
It might get shortened.
00:23:43 Ashwathama Rajendran
instead of backward looking view, we might start asking ourselves, how is the control behaving as of today?
00:23:50 Ashwathama Rajendran
how is it going to behave going forward?
00:23:53 Ashwathama Rajendran
So that's the second thing.
00:23:55 Ashwathama Rajendran
And the third thing is the overall mindset shift, right?
00:23:59 Ashwathama Rajendran
The role of auditors is going to get harder.
00:24:02 Ashwathama Rajendran
It's not going to get easier because AI is going to do the reading, matching, surfacing all these issues.
00:24:09 Ashwathama Rajendran
So auditor,
00:24:11 Ashwathama Rajendran
would have new set of responsibilities.
00:24:13 Ashwathama Rajendran
They need to take all these results from AI and they need to see what actually matters, what needs to be escalated and how do we explain these kind of findings to a regulator.
00:24:27 Ashwathama Rajendran
The output was generated by an AI.
00:24:29 Ashwathama Rajendran
How do I explain this to a regulator or the third party?
00:24:33 Ashwathama Rajendran
So the thing is, as a profession, auditors need to be trying for this world
00:24:40 Ashwathama Rajendran
The traditional skills, certain things, they're not gonna go away.
00:24:44 Ashwathama Rajendran
IA standards, professional skepticism, the control design, everything is gonna stay.
00:24:50 Ashwathama Rajendran
But a layer of data, fluency, and AI literacy are gonna be a basic requirement.
00:24:58 Ashwathama Rajendran
Yeah, this is how I can see the features.
00:25:01 Ashwathama Rajendran
AI is not going to replace auditors.
00:25:03 Ashwathama Rajendran
I keep telling this thing.
00:25:05 Ashwathama Rajendran
I also mentioned around these things in my IA webinar as well.
00:25:09 Ashwathama Rajendran
It's just going to amplify their capabilities and shift the profession towards deeper insight and broader risk coverage, I would say.
00:25:17 Paula Michaels
Yeah, I think critical thinking and being able to deliver those insights is going to be really the powerful
00:25:26 Paula Michaels
strengths of internal audit in the future.
00:25:28 Ashwathama Rajendran
Yep, totally agree.
00:25:29 Paula Michaels
Ash, we appreciate you joining us today.
00:25:32 Paula Michaels
Great insights and hopefully some practical tools that our members can walk away with and make sure that you read his article in the Internal Auditor Magazine.
00:25:44 Paula Michaels
And thank you again.
00:25:45 Ashwathama Rajendran
Thanks, Paula, for having me.
00:25:47 Ashwathama Rajendran
Thank you very much.
00:25:48 Ashwathama Rajendran
Take care.
00:25:49 The IIA
Ash shares more on AI-enabled combined assurance in Internal Auditor Magazine.
00:25:55 The IIA
You can read the full article using the link in the show notes.
00:25:59 The IIA
If you like this podcast, please subscribe and rate us.
00:26:02 The IIA
You can subscribe wherever you get your podcasts.
00:26:05 The IIA
You can also catch other episodes on YouTube or at the iia.org.
00:26:09 The IIA
That's T-H-E-I-I-A.org.
