From audit trails to AI trails: Managing service firm risks

A traditional world undergoing rapid change

When reputation is essential, governance becomes crucial.

Reputation is especially important to service firms. Some have licensing, certification and reporting requirements. Some act as fiduciaries. Some have defined standards of care that inform definitions of malpractice. But all seek to cultivate trust.

Grant Thornton Risk Advisory Managing Director D. J. Rossini explains what this process looks like in the legal profession.

The need for frameworks and expertise

Broadly speaking, service firms need both a durable framework that reflects the best practices for integrating new technologies and a reliable partner with experience in these processes.

Experience in AI engagements is especially valuable in an area that is quickly changing and where client expertise may be limited. Kohm explains what expertise looks like in this context: a broad knowledge of best practices, cutting-edge technology, and relevant regulations; and an ability to identify quick wins, define priorities, estimate ROI and sketch a roadmap to implementation. 

 Grant Thornton Risk Advisory Partner Ethan Rojhani suggests a third requirement — one that is unique to AI.

Automating the auditors, auditing the automation

Of course, auditing is at the core of governance. How does AI change that role?

Some new questions arise. “How do you audit an algorithm? If you can test everything all the time, what does that mean for audit? What does that infrastructure look like?” Rojhani asked. “What role do external and internal auditors play in such an environment?”

A June 2024 white paper, co-produced by Grant Thornton and by the AICPA Assurance Services Executive Committee, charted an approach to automated auditing. The paper weighs full-population control testing vs. sample-based testing and considers what may support “a well-designed CTA program that tests the full population in a given period.”

Relevant factors spelled out in “Control test automation: From manual testing to use of technology” include the presence of objective or clearly defined controls, the homogeneity of tested populations, the completeness of population and the accuracy of data. Parameters that must be addressed include the frequency of testing, acceptable deviations and failure rates, risk tolerances, definitions of materiality, choice of technologies and conformance to larger governance principles such as transparency and accountability.

Cultural implications also result from the 100% oversight AI enables. Rojhani asks, “Is that something you want? Maybe, it might be. If you have a culture that’s pretty lax and you need to drive some discipline, ramped-up oversight actually might not be a bad thing. But it’s one of those big questions that you have to ask.”

Note that this is fundamentally different from automating transactions. In the case of automation, technology performs an action — say data entry. In the case of AI, technology evaluates that action. In some cases, that means a machine evaluating a human action. Accepting this may require some cultural change. 

AI’s ability to evaluate transactions and make decisions is also useful in applications that are fast-moving, numerous, multi-lingual and decentralized. One example is managing compliance with standards for advertising that vary by jurisdiction or need to be applied on a case-by-case basis — such as a prohibition on displaying cigarette ads to people who have entered “smoking cessation” as a search term. But ultimately, there are as many business cases for using AI in governance as there are businesses. 

Where to start?

Given these challenges, just getting started can be daunting. But the first step is often quite straightforward: taking inventory of your current state. AI has been incorporated so quickly and quietly into so many applications that many compliance executives may not have a firm understanding of how it is being used. Once they gain clarity about where they are, the possibilities for moving forward are exhilarating.