News & Blogs

AI Regulation: What Auditors Need to Know About Emerging Enforcement and Testable Compliance

Global · · zhaomichelle.substack.com

This article provides a critical look at the evolving landscape of AI regulation and its practical implications for auditors. It highlights that AI risk is no longer theoretical, with real-world enforcement actions emerging from various regulatory bodies and legal challenges. For internal audit and assurance professionals, understanding these developments is crucial for identifying and mitigating organizational exposure to AI-related legal and reputational risks, particularly concerning data governance, continuous monitoring, and the trustworthiness of AI system records.


The Shifting Landscape of AI Enforcement

The regulatory environment for Artificial Intelligence is rapidly moving from abstract frameworks to concrete enforcement actions, presenting significant challenges and opportunities for auditors. Recent legal cases, such as Mobley v. Workday, demonstrate that organizations cannot delegate accountability for discriminatory outcomes to AI systems. Courts are increasingly holding that the use of AI does not exempt entities from existing anti-discrimination laws. This trend is further reinforced by actions from regulatory bodies like the Department of Justice and the Federal Trade Commission, which are actively pursuing cases related to discriminatory AI in hiring, deceptive AI marketing claims, and privacy violations. These developments underscore the urgent need for auditors to understand the tangible economic and legal consequences of AI deployment.

Auditing AI: From Frameworks to Testable Obligations

For internal auditors, navigating the complex web of AI regulations requires a strategic approach focused on testable obligations. The EU AI Act and ISO/IEC 42001 stand out as particularly auditable frameworks, as they translate into specific, verifiable requirements such as documented risk management, robust data governance, comprehensive logging, and human oversight. These frameworks provide a solid foundation for designing audit tests and collecting evidence. In contrast, the fragmented US state-level regulations often necessitate an exposure mapping approach, where auditors identify applicable laws, assess organizational vulnerability, and determine the feasibility of demonstrating compliance. A key takeaway from recent enforcement is the critical importance of continuous monitoring and contemporaneous record-keeping, as retrospective audits may not suffice to prove compliance over time.

The Imperative of Trustworthy Evidence and Cross-Disciplinary Collaboration

The ability to produce trustworthy evidence is paramount in AI auditing. Regulations like the EU AI Act mandate detailed logging of AI system events and retention of technical documentation, with significant penalties for non-compliance. This means auditability must be considered at the design stage of AI systems, ensuring that mechanisms for generating tamper-evident, verifiable records are built in from the outset. Auditors must shift their focus from merely finding evidence to ensuring systems are designed to create reliable evidence. Furthermore, AI systems often operate within existing domain-specific regulatory frameworks (e.g., HIPAA for healthcare AI, fair-lending laws for financial AI). Therefore, effective AI auditing requires early identification of these overlaying laws and close collaboration with legal departments to accurately scope audits and interpret compliance requirements. This interdisciplinary approach is essential for comprehensive risk assessment and assurance in the age of AI.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →