PwC on Audit Committee Oversight of AI

  • Writer: Daniel Goelzer
  • Jul 8

PwC’s Governance Insights Center has released Oversight in the AI era: understanding the audit committee’s role.  The report discusses the role of audit committees in overseeing the use of artificial intelligence (AI), focusing on risk management, financial reporting, and governance practices.  It provides a catalogue of issues that audit committees may need to consider as the use of AI transforms business models and creates new risks.

 

The Role of the Board and the Audit Committee

 

Although the full board typically has primary responsibility for oversight of AI, in some cases, the audit committee may have primary responsibility.  In PwC’s 2024 Annual Corporate Directors’ Survey, 57 percent of directors reported that the full board had primary oversight of emerging technology like AI, while 17 percent said the audit committee had primary responsibility.

 

Even when the board has primary oversight, AI has significant implications for the audit committee's work.  The audit committee typically has responsibilities for overseeing the use of AI in financial reporting, internal control over financial reporting (ICFR), risk management, and compliance. Many audit committees also oversee data security and privacy, both of which can be affected by the use of AI.

 

Considering these responsibilities, PwC suggests that audit committees ask four foundational questions in their conversations with C-suite executives:

 

  • “Strategic opportunities: How are you using AI in your function? What are the immediate and larger transformative opportunities? What are your competitors doing and how are you staying ahead of them?”

 

  • “Responsible AI: How are you driving the responsible use of AI through strong governance and risk frameworks? How are you testing AI models for accuracy, completeness, reliability, data bias and other risks prior to deployment? How are humans in the loop to validate outcomes? What is the plan for ongoing monitoring?”

 

  • “Higher-risk AI models: Which AI models are you using that you deem higher risk, and why? What data are you using for these models? How are you addressing development, deployment, and validation for these models?”

 

  • “Talent: What is the impact of AI on your function’s talent strategy? How are you monitoring whether your team is getting upskilled on AI?”

 

Key Areas of Audit Committee AI Oversight


  1. Financial Reporting, Internal Controls, and Financial Statements 


Oversight of the company’s financial statements and related disclosures is a primary audit committee responsibility.  The audit committee is also responsible for oversight of the processes and controls that govern the recording and aggregation of the data on which the company’s financial reporting is based.  “As companies begin to evaluate and use AI in the financial reporting process, audit committees will want to understand where, why and how they are using it and verify that appropriate controls and processes are in place to manage unique AI-related risks.”  PwC also points out that, despite the advanced capabilities of AI, human oversight is crucial, and company employees are responsible for confirming the accuracy of AI-generated outcomes.

 

Audit committees should also understand how AI affects ICFR.  “For example, has the company updated its controls to address the use of AI agents that perform reviews and approvals that were formerly done by humans?  What are the controls and how are outcomes monitored?  How are humans involved in monitoring outcomes?”

 

The audit committee should also review disclosures concerning the use of AI.  AI applications may create risks that are, or should be, discussed in the company’s risk factors.  Conversely, audit committees should be alert to disclosures that could be viewed as “AI washing,” that is, exaggerated or false statements concerning the company’s AI capabilities.

 

  2. Internal Audit

 

The audit committee typically oversees the company’s internal audit function.  Internal audit can be key to helping the committee understand and assess whether the company’s AI governance and risk management programs are effective.  The audit committee should also explore how internal audit uses AI to conduct audits more effectively and efficiently. Among other things, PwC suggests:

 

  • “Audit committees will want to understand how internal auditors are developing, deploying, validating and monitoring AI models, and how they are managing their risks, particularly with regard to data integrity and the reliability of AI-generated information. As in other areas, it is crucial for internal auditors to incorporate human judgment in evaluating AI outcomes for fairness, accuracy, reliability and consistency.”

 

  • “[A]udit committees should discuss with the chief audit executive (CAE) how internal audit is evolving and how the technology affects the function’s talent strategy and skill sets.”

 

  • “[T]he audit committee can leverage internal audit capabilities to assess risks associated with AI models embedded in third-party software in addition to those developed internally. Audit findings can deliver valuable insights to the audit committee, highlighting successes, risks and challenges associated with AI model use. It is important that the audit committee and the CAE engage in discussions regarding these findings.”

 

  3. External Audit

 

The use of AI in financial reporting and in the audit has important implications for audit committee oversight of the external auditor.  Areas that PwC suggests audit committees explore include:

 

  • The audit committee should discuss with the engagement partner how AI affects the auditor’s methodology, how the engagement team uses AI in the audit, and how it tests and validates its AI models and ensures that they “produce accurate, reliable and consistent outcomes.”  The audit committee should also understand how AI affects the auditor’s talent strategy.

 

  • The audit committee should discuss with the engagement partner how AI regulation could impact the audit. Audit committees should be aware of any guidance issued by regulators or changes to auditing standards regarding the use of AI in audits.

 

  • The auditor should adjust the audit plan to address the company’s AI-related risks in financial reporting and in the underlying processes and controls. Audit committees should understand these changes and the insight they may provide into the company’s financial reporting risks.

 

  • Audit committees should monitor any representations related to AI in the management representation letter and understand the process management undertook to support its representations.


  4. Compliance, Ethics, and Fraud Deterrence

 

The audit committee is usually responsible for overseeing the company’s compliance and ethics programs.  The committee should discuss with the chief compliance officer AI's role in managing compliance and ethics programs. Unless the full board is responsible for AI regulatory risk, the audit committee should also understand how evolving AI regulation might impact the company’s use of AI and how management is tracking AI regulation at the global, federal, state, and industry levels.  The audit committee (or full board) should inquire whether the company’s legal team has reviewed contractual agreements for potential legal liabilities, indemnity rights, data ownership, data protection and privacy, and other issues that may arise from the company’s use of AI.

 

Examples of the possible role of AI in compliance include:

 

  • AI can create draft compliance policies based on an analysis of compliance rules and policy examples.

 

  • AI can summarize and analyze regulatory requirements across agencies or global regulators and identify alignment and differences in compliance obligations, gaps in the company's compliance program, and opportunities for more effective compliance.

 

  • AI can detect anomalies in employee behavior or systems access. AI can also flag potentially risky communication in emails, chats, or documents.

 

  • AI can play a role in deterring fraud by identifying and flagging suspicious activities in real time. At the same time, audit committees should be mindful that AI can be used to perpetrate fraud by creating “deep fakes” such as fraudulent documentation, voice cloning, video manipulation, and other deceptive tactics.

 

  5. Risk Management

 

In many cases, the audit committee is responsible for overseeing the company’s enterprise risk management (ERM) program.  Audit committees should understand how the company is incorporating AI risks into its ERM program and “whether the ERM program is leveraging AI to drive a more proactive approach to risk management.”  AI can enhance risk management processes by simplifying and transforming data gathering and analysis. “With AI, an ERM process can begin to include real-time data analysis and predictive analytics, helping to make its view of potential risks far more dynamic and future-facing compared to ERM’s traditional orientation toward historical data.”

 

Conversely, the use of AI creates risks that the company’s ERM program must address.  These risks include:

 

  • Model risks (risks related to the training, development, and performance of the AI system and the reliability of outcomes). Audit committees should understand which of the company’s AI models are higher risk and focus on understanding these models and how the company manages the associated risks.

 

  • Legal and compliance risks (risks of not complying with applicable laws, rules, and regulations).

 

  • Use risks (risks related to intentional or unintentional misuse or manipulation of AI systems).

 

  • Third-party risks (risks related to vendors supplying AI-driven tools that are biased or unreliable or that create privacy issues).

 

Many audit committees also oversee risks related to cybersecurity and data privacy.  Committees with this responsibility should explore with the chief information security officer how AI affects data security and privacy. AI presents both opportunities and challenges for cybersecurity. While cybercriminals exploit AI for sophisticated attacks, including phishing and deep fakes, AI can enhance cybersecurity defenses by improving threat detection and response times.

 

Audit Committee Takeaways

 

The use of AI and the capabilities of AI models are increasing exponentially.  AI issues are on the agenda of almost every audit committee.  PwC’s paper provides a good overview of AI issues that audit committees should be considering. While not every issue that PwC identifies will be relevant to every audit committee, committees may want to use Oversight in the AI era as a checklist to help ensure that they have considered the implications of the company’s use of AI for the audit committee’s work.

 
 
 
