News & Blogs

Navigating the AI Regulatory Landscape: A Crucial First Step for Internal Audit

Global · · zhaomichelle.substack.com

Internal audit professionals must prioritize understanding the evolving global AI regulatory landscape before auditing AI systems. This proactive approach allows auditors to identify and mitigate significant regulatory risks, which often carry the most substantial financial and reputational consequences for organizations. By aligning audit strategies with emerging laws and frameworks, internal audit can guide their organizations toward robust AI governance and compliance, avoiding costly reactive measures.


The Imperative of Regulatory Understanding for AI Audit

Just as financial audits begin with an understanding of GAAP and GAAS, auditing Artificial Intelligence (AI) systems necessitates a deep dive into the relevant regulatory frameworks. Regulatory risk represents the most quantifiable and impactful downside for organizations deploying AI, encompassing potential fines, market withdrawals, litigation, and blocked launches. Therefore, internal audit's initial focus should be on mapping this complex regulatory terrain to effectively prioritize audit attention and build a robust approach. This proactive stance helps organizations get ahead of potential issues rather than reacting to enforcement actions or significant failures.

Key Regulatory Regimes: EU and US Perspectives

The European Union's AI Act stands out as the most prescriptive and audit-legible framework globally, categorizing AI systems by risk (prohibited, high-risk, limited-risk, minimal-risk) and imposing significant extraterritorial penalties up to 35 million euros or 7% of global annual turnover. The delay in enforcement for high-risk systems highlights a current gap in practical tooling for compliance, a gap internal audit is uniquely positioned to help fill. In contrast, the United States presents a more fragmented and uncertain landscape, with states like Colorado leading on comprehensive AI laws while federal efforts aim for preemption. For auditors, this uncertainty itself is a risk, necessitating adherence to the strictest applicable state requirements to ensure defensibility.

Voluntary Frameworks and the Formalization of AI Auditing

Beyond binding laws, voluntary frameworks like the NIST AI Risk Management Framework and ISO/IEC 42001 are becoming de facto standards for responsible AI. NIST provides a methodology for AI risk management (Govern, Map, Measure, Manage), while ISO/IEC 42001 offers a certifiable management system, akin to ISO 27001 for information security. The emergence of ISO/IEC 42006, which governs the competence of certifying bodies, and the ISO/IEC 42001 Lead Auditor credential, signals the rapid formalization of AI auditing as a distinct profession. These frameworks, when understood together, allow organizations to build a unified approach to AI governance that addresses both legal obligations and best practices.

A Global Patchwork: Beyond the EU and US

The global AI regulatory landscape is a diverse patchwork. South Korea's AI Basic Act mirrors the EU's risk-based approach but with lighter penalties, reflecting a balance between regulation and industrial promotion. China's regulations are highly prescriptive, focusing on content control and social stability, with specific rules for generative AI and algorithm registration. The UK adopts a principles-based approach, empowering existing sector regulators, while Canada's Artificial Intelligence and Data Act (AIDA) remains pending. Singapore, though not a legislative leader, has significantly influenced global AI governance through practical tools like its Model AI Governance Framework and AI Verify testing toolkit. For globally operating organizations, internal audit must consider this entire spectrum, anchoring their approach to the strictest applicable regimes and international standards, then layering on local specifics to ensure comprehensive compliance and risk mitigation.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →