AI Is Here – What’s Next? How to Implement the IIA’s AI Auditing Framework

Internal audit is no longer only about assurance, as we outlined in our analysis of The Institute of Internal Auditors (IIA) 2025 Pulse report. It’s evolving into a strategic, tech-literate and forward-looking function. However, internal audit must be willing to take the initiative to seize opportunities. One of the most prevalent opportunities is artificial intelligence (AI), where the technology is no longer emerging; it’s already embedded across most organizations.
The IIA’s updated “Artificial Intelligence Auditing Framework” provides a starting point for internal auditors to understand, evaluate and advise on AI. Like many frameworks, the real challenge isn’t in reading the framework and its requirements — it’s in implementing them. This framework is also particularly relevant given the U.S. Department of Justice’s (DOJ) updated guidance that stresses the need for organizations using advanced technologies like AI to assess and mitigate associated risks through comprehensive risk management, governance and controls.
We break down the IIA framework and provide a step-by-step guide for internal audit teams to successfully apply it in their organizations.
What The IIA’s AI Auditing Framework Is and Isn’t
Released in 2023, the IIA’s updated AI Auditing Framework is designed to help internal auditors provide oversight, insight and foresight around AI use in their organizations. This strategic guide is built around the Three Lines Model, laying out responsibilities for:
- Governance: Setting policies, expectations and ethical boundaries for AI
- Management: Building and using AI responsibly, from design to deployment
- Internal audit: Providing independent assurance and advisory to help organizations use AI safely, ethically and effectively
The framework also includes foundational content helping auditors get up to speed about AI with definitions, as well as a practitioner’s guide and guidance for understanding AI’s business applications and risks. Its greatest strength is the framework’s flexibility. The framework has been created to apply whether your organization is designing proprietary models or simply using AI-enabled Software as a Service (SaaS) tools. This reinforces why it’s important to proactively act now in this space.
Why This Matters for Every Audit Function
Three takeaways from the framework set the stage:
- AI is already in your business: Even if you haven’t audited it yet, AI might be hidden in third-party tools or lightly governed shadow IT systems.
- Internal audit should not wait: AI creates new risks, such as bias, opacity and overreliance, that affect compliance, ethics, operations and reputation.
- Nontechnology companies can use this framework: You need a roadmap, a risk lens and a willingness to ask the right questions.
Preparing for AI Now for the Future
You can prepare for AI even without a tech team. Any internal audit function can begin implementing this framework by taking some key steps today.
Step 1: Identify Where AI Is Already in Use
You can’t audit what you can’t find. Many organizations don’t realize where AI is already embedded — especially in third-party tools or systems running in the background.
What to do:
- Talk with department leaders about how decisions are made and where automation plays a role
- Inventory third-party tools that may include embedded AI (e.g., human resources (HR), customer relationship management (CRM), marketing platforms, etc.)
- Build a simple AI inventory, including system name, process supported, decision type and owner
Outcome: The audit team will have a clear picture of where AI is operating within the organization and what processes it influences. This inventory will serve as the foundation for assessing AI risks and designing appropriate controls.
Step 2: Clarify Roles and Responsibilities
Governance is a core element of the IIA framework, but most organizations don’t yet have clear accountability for AI use.
What to do:
- Identify who approves AI use cases and owns implementation
- Determine who is responsible for performance, monitoring, ethics and fairness
- If no structure exists, recommend creating a lightweight AI Use Committee with representatives from legal, IT, risk, compliance and operations
Outcome: The audit team will be able to identify key roles and responsibilities for every AI system, ensuring that there is accountability and governance in place to manage AI risks effectively.
Step 3: Build Functional Fluency in AI
Auditors don’t need to code, but they do need to understand how AI works conceptually to identify potential risks and controls.
What to do:
- Learn the basic AI lifecycle:
  - Data input → model training → testing → deployment → monitoring
- Ask core, risk-based questions:
  - What data is used for training?
  - How is fairness or bias assessed?
  - How is model performance tracked over time?
Outcome: The audit team will have functional fluency in AI, enabling them to ask intelligent questions, have informed conversations and connect AI risks to business outcomes without needing a technical background.
Step 4: Conduct a Micro-Audit to Test Your Approach
Starting small allows audit teams to build confidence and uncover quick wins before launching a broader AI assurance strategy.
What to do:
- Select a low-risk, high-visibility AI system (e.g., chatbot, hiring tool, pricing algorithm, etc.)
- Review documentation, ownership, data inputs, testing protocols and monitoring processes
- Focus on producing a narrative report with observations and improvement suggestions
Outcome: The audit team will be able to deliver a concise, practical report that demonstrates value, opens dialogue with stakeholders and builds internal momentum for broader AI oversight.
Step 5: Upskill the Audit Team Selectively
Not everyone needs to be an AI expert, but everyone should be comfortable with AI basics. Target the training to team member roles.
What to do:
- Provide general awareness sessions for the whole team on AI concepts and risks
- Deepen audit fluency among leads and managers on controls, validation and governance
- Designate one to two team members to attend external training or collaborate with IT/data science
Outcome: The audit team will have shared knowledge and varying levels of AI fluency, enabling consistent, risk-focused evaluations and better engagement with stakeholders.
Step 6: Modernize Your Reporting Approach
Traditional audit reporting methods don’t capture the nuance and complexity of AI. A more dynamic, narrative style improves clarity and impact.
What to do:
- Use narrative findings instead of binary pass/fail checklists
- Include simple visuals, like lifecycle charts with traffic light indicators
- Offer forward-looking recommendations in areas such as fairness testing and retraining protocols
Outcome: Executives and boards will have a clearer understanding of the business implications of AI-related risks and feel more confident in internal audit’s ability to provide meaningful assurance.
Step 7: Lay the Groundwork for a Long-Term AI Audit Strategy
AI oversight isn’t a one-time effort. Building a repeatable, risk-based strategy ensures internal audit remains aligned with business innovation.
What to do:
- Maintain the AI inventory as a living document
- Schedule periodic reviews with business and IT teams to capture new use cases
- Incorporate AI into the annual audit plan, prioritized by risk and complexity
- Develop a maturity model to track progress across governance, testing, ethics and documentation
Outcome: The audit team will have a repeatable, scalable strategy for AI risk management, positioning internal audit as a strategic partner in innovation and governance.
AI Is a Leadership Moment
As AI quietly reshapes the way organizations make decisions, serve customers and manage risk, internal audit is uniquely positioned to ensure these advancements are implemented with intention and foresight. This is a defining opportunity for internal audit leaders to guide responsible innovation, build trust and shape the future of governance in an increasingly automated world. Weaver is here to help you lead with confidence, align your strategy and governance, and turn AI uncertainty into assurance. Contact us today to get started.
©2025