As noted in several of the 2024 audit committee agenda papers (see What Should be on the Audit Committee’s 2024 Agenda?), audit committees are beginning to focus on the risks and disclosure implications of business use of artificial intelligence (AI), particularly the rapidly expanding use of generative AI. In Artificial intelligence: An emerging oversight responsibility for audit committees?, Deloitte discusses some of the emerging risks and opportunities that audit committees need to consider as AI becomes more widely integrated with core business processes. The paper also suggests questions for audit committees to consider in overseeing AI strategy and governance. (A somewhat more detailed version of the paper (available here) appears in the National Association of Corporate Directors (NACD) publication, 2024 Governance Outlook.)
The Deloitte paper describes the current state of AI adoption and oversight as “an abstract governance puzzle.” For example, based on a 2022 Deloitte survey:
Twenty-nine percent of respondents reported that AI oversight was not assigned to any committee or the full board; 16 percent said AI oversight was assigned to the audit committee.
Forty-four percent of respondents reported that AI has not been on the agenda of either the full board or a committee; 37 percent said AI had been discussed on an “ad hoc or as needed basis.”
Sixty-eight percent of respondents did not know (or did not respond) when asked how their company mitigates AI-related risk.
The paper identifies some of the risks that AI poses, such as “shadow IT environments” (use of IT assets without the knowledge or oversight of IT security personnel); “IP ownership and infringement” (e.g., disclosure of confidential company data to third parties or infringement of intellectual property rights); and enhanced company exposure to cybersecurity threats. Generative AI also creates risks stemming from the fact that it can be a “black box” with low transparency of how output is derived and from the possibility of “hallucinations” – plausible, but inaccurate, outputs.
Along with risks, the paper details potential benefits of AI, particularly those related to transaction processing, forecasting and modeling, and financial reporting. The authors note that:
“One particular set of benefits is squarely in the audit committee’s wheelhouse—namely, the potential to streamline and enhance a company’s internal audit, financial reporting, and internal control functions. * * * In the shorter term, various subcategories of AI are already capable of improving the quality of financial reporting via reviewing transactions, identifying errors, addressing internal control gaps, and detecting fraud. If AI isn’t being used within these areas, the audit committee might ask if the company is exploring potential use cases—and if the company is not, the committee might ask to hear the reasons behind that decision.”
Deloitte also points out that, while audit committees typically have a role in risk oversight, some aspects of AI oversight seem more aligned with the audit committee’s work than others. For example, the risks associated with the use of AI in such areas as auditing, financial reporting, and internal control functions seem to fall squarely in the scope of the committee’s core responsibilities. At the same time, AI is an emerging technology that is likely to change rapidly. Further, there is a likelihood of government regulation that could impact oversight responsibilities. “Thus, determining now that AI, or aspects of AI, should be overseen by another committee or committees may turn out to be premature.”
The paper concludes with five potential questions for audit committees to consider:
What are the company’s current and potential future use cases for AI, and do any of them have an impact on financial reporting or other audit committee oversight areas?
Has management considered opportunities to use AI that may enhance or improve financial reporting processes?
What processes are, or will be, used to evaluate dependencies that may arise in other areas where the audit committee may have primary oversight, like cybersecurity or data management?
Are processes for use of AI congruent with the company’s risk appetite in terms of level of proactiveness and mitigation strategy?
Given the speed of AI technology development, are existing processes being assessed and updated with appropriate frequency?
Audit committees that are seeking a basic grounding in the impact of AI risks and opportunities on their work may also be interested in a one-hour video presented by the Center for Audit Quality and the NACD on AI. Artificial Intelligence (AI) 101 For Audit Committees includes discussion of what AI is, examples of how businesses are using AI in financial reporting, and questions boards should ask corporate management. In addition, audit committee members may find a recent KPMG publication, AI Transformation: Audit committees play a crucial role, useful.