206 results found for "Audit"

  • Audits Don’t Deliver Compliance

    Audit is not the function that fulfills obligations. Here's a breakdown of the different functions: Audit: An audit is an independent review process that An audit can identify areas where controls are weak or where procedures aren't being followed. Auditing of voluntary obligations can and is often misunderstood. In many cases internal audit is only concerned with external or legal obligations.

  • Four Misuses of Audits

    Audits go beyond the "what" and provide remedies for the "how" Auditing should verify the integrity Audit findings are used to set compliance obligations Audit findings produce a list of corrective actions conducts the audit. Audit findings are used as the only source for compliance improvement Many companies only use audit Companies are now conducting pre-audits to get ready for internal audits to get ready for external audits

  • Audits vs. Assessments: Understanding the Key Differences

    When it comes to compliance, we often hear about audits and assessments. Let's dive into the key differences between audits and assessments, and why it matters for your organization The Origins and Purpose of Audits Audits have their roots in finance and accounting practices. The core purpose of an audit remains consistent across these fields: to verify conformance to standard and approach: Audits are retrospective (what did happen?)

  • Are You Auditing What Really Matters?

    The evaluation and auditing of system effectiveness is not part of the auditing or the compliance function, so which function is it a part of and what should it be auditing? Auditing as Quality Control / Assurance Auditing has become the core function across almost all compliance What Then Should Be Audited? This is why compliance now should audit outcomes over outputs.

  • The New Face of AI Assurance: Why Audits and Certifications Are Not Enough

    AI Assurance isn't just about checking boxes before deployment. As the European Defence Agency shows us, it's now a continuous journey involving rigorous engineering and real-time monitoring. With today's AI systems, we simply can't predict everything in advance—we need to stay vigilant while they're running in the real world. This shift is especially crucial in high-risk, mission-critical applications where failure isn't an option.

    In the paper published by the European Defence Agency (EDA), entitled “Trustworthiness for AI in Defence”, they discuss the difference between Development and Runtime Assurance.

    ⚡️ Development Assurance: “Traditionally in system engineering (including software and hardware), the term assurance defines the planned and systematic actions necessary to provide confidence and evidence that a system or a product satisfies given requirements. A process is needed which establishes levels of confidence that development errors that can cause or contribute to identified failure conditions (feared events defined by a safety/security/human factor assessment) have been minimized with an appropriate level of rigor. This henceforth is referred to as the development assurance process.”

    ⚡️ Runtime Assurance: “When the system is deployed in service, runtime assurance refers to a set of techniques and mechanisms designed to ensure that a system behaves correctly during its execution. This involves monitoring the system's behaviour in real-time and taking predefined actions to correct or mitigate any deviations from its expected performance, safety, or security requirements. Runtime assurance can be particularly important in critical and/or autonomous … systems where failures could lead to significant harm or loss.”

    The evolution of the balance between development assurance and runtime assurance is shown in the following figure:

    [Figure: Trustworthiness for AI in Defence - Figure 14]

    The introduction of AI technologies and autonomy capabilities has tipped the balance towards needing greater runtime assurance, as comprehensive a priori development assurance activities become increasingly challenging.

    These same definitions can be used for AI assurance in commercial applications, particularly for high-risk, mission-critical applications:

    AI Assurance involves:

      • planned and systematic actions necessary to provide adequate confidence and evidence that the AI system satisfies the intended function (System Assurance)
      • a process to establish levels of confidence that design/development errors (risk) have been minimized with appropriate level of rigour. (Development Assurance)
      • a set of techniques and mechanisms designed to ensure the system behaves correctly during its execution. (Operational Assurance)

    The paper is available here: https://eda.europa.eu/docs/default-source/brochures/taid-white-paper-final-09052025.pdf

  • Should Risk Management Be Connected With Internal Audit?

    in reference to IIA’s 3 line model “should risk management be connected more closely with internal audit Internal audit does have accountability with respect to the delivery of audit services. Audit effectiveness depends on many things but mostly on its independence and objectivity. When businesses lean too much on audit’s advice, managerial accountability is diminished along with audit Conclusion: Should risk management be connected more closely with internal audit?

  • Cleaning Up Your Documents Before The Auditor Comes Over

    When it comes to audits there is a popular meme that goes something like this: Before the audit: documents out of conformance During the audit: documents in conformance After the audit: documents out of conformance Companies hoping to act more like adults will conduct pre-audits to get ready for an internal audit to get ready for an external audit. It's not about audit readiness The goal is not to always be ready for an audit as many suggest.

  • Is Your Compliance Regulating Fast Enough?

    This is not unlike how audit-correction cycles work. However, what many don't consider is: The more often things change, the higher the frequency of audits Let’s assume you audit conformance to prescribed controls once every year. That’s why audits are often too slow and too late to protect value creation. Never mind that audits seldom evaluate effectiveness against targeted compliance goals and outcomes.

  • Lean Compliance - A Lamppost in an Uncertain World

    Compliance because I believed there had to be a better way than reactive box-checking and last-minute audit Not just effective at passing audits and inspections, as important as that is. Not just once or right before an audit, but all the time. But here's the thing: they wanted this not primarily to pass audits and inspections. Doubling down on audits or doing them faster was never going to be enough.

  • Four Steps to Proactive Compliance

    In my previous blog, I discussed four misuses of audits that result from a reactive approach. benefits from being directly embedded into each process rather than only by means of inspections or audits Embedding will enable the level of compliance to be known at all times rather than after an audit. Many are already spending excessive effort conducting pre-audits, internal audits, and third-party audits Why wait for an audit when you can experience the benefits of being in compliance right now?

  • The Hidden Costs of Multiple Compliance Frameworks

    They use multiple frameworks, standards, and certification regimes - each with their own audit processes But it requires taking a stand that may make life harder for auditors. Auditors often want to see compliance done their way, according to their specific methods. decide - are they willing to optimize for compliance effectiveness, even if it means a more challenging audit There are better approaches that integrate multiple compliance needs, but they require rethinking audit

  • Leaders Need To Lead, Not Manage

    The role of internal audit in assessing and providing assurance on culture is discussed, with the report presenting insights from a survey of internal audit leaders. A significant number of senior internal audit executives have not been asked by the board or audit committee However, the report does not raise (but it should) the question of whether the audit function should the very thing that the report asks internal audit to change.

© 2017-2025 Lean Compliance™ All rights reserved.

Ensuring Mission Success Through Compliance