The Age of Generative AI: How Audit Committees Can Respond

The increased integration of generative AI (genAI) in organizations’ financial reporting processes is raising important questions about when and how to invest in appropriate technologies that may have an impact on the speed of transformation and the respective organization’s functions. With these changes, how can audit committees exercise oversight responsibilities effectively?

A recent joint CAQ survey of audit committees found that 33% of audit committee respondents indicated that finance transformation is one of the top three priorities for their audit committee in the next 12 months. As companies explore the transformative potential of genAI, the role of audit committees is also expanding with new oversight responsibilities.

The CAQ has recently published Audit Committee Oversight in the Age of Generative AI as a resource for audit committees navigating these uncharted waters.

The Role of Audit Committees

GenAI’s transformative potential for business processes, including financial reporting, creates exciting opportunities to enhance efficiency, generate new content, and obtain greater insights. However, this technology is not without risks and audit committees can play an important role in overseeing the governance of genAI and understanding its impact on the company’s financial reporting and internal control over financial reporting and the external audit. Audit committees are well-positioned to effectively exercise their oversight given their experience with financial reporting, enterprise risk management, and other emerging topics.

What is GenAI?

Audit committees of companies that are deploying genAI should have a foundational understanding of how genAI works and the benefits and risks that may arise from its use. GenAI is a subset of AI that is based on probabilistic technology that can create content, including text, images, audio, or video when prompted by a user. GenAI creates responses using algorithms that are often trained on open-source information, such as text and images from the internet. AI chatbots, like ChatGPT and Copilot, are well-known examples.

Audit committees should be aware that the probabilistic nature of genAI is a key distinction from other technologies that may have historically been used in a company’s financial reporting processes. To this end, genAI technologies are especially helpful for tasks that need creativity or diversity of responses, including generating new content or information, but they may not always provide reliable or repeatable outputs. GenAI technologies do not work like search engines finding facts within their training data but are instead creating new coherent, human-like text. Consequently, human oversight is needed to ensure the accuracy of information generated by genAI.

Overseeing Management

A key focus of the audit committee’s oversight will likely be management’s approach to the oversight and governance of genAI. Establishing policies and procedures regarding acceptable use of genAI and assigning responsibility for the technology are foundational for successfully managing the use of genAI throughout the company. To help navigate conversations with management, audit committees may consider posing questions, including:

• Does the company have the requisite expertise to select, develop, deploy, and monitor genAI technologies?
• What are the company’s objectives and related success criteria for deploying genAI technologies? Are genAI technologies intended to augment or automate existing processes?
• Who (individual or group) in the company is responsible for oversight of the use of genAI?
• Has management established policies regarding the acceptable and ethical use of genAI?
• Does the company have a process to track and monitor the use of genAI throughout the company, including use by third-party service providers?
• How does the company track risks arising from the use of genAI technologies and mitigating responses?

Data privacy and security will also likely be a key focus area for audit committees. Maintaining the confidentiality of the company’s data, particularly data used in the financial reporting process, should be top of mind when selecting genAI technologies and developing policies regarding the acceptable use of those technologies. Further, the use of genAI technologies can introduce new cybersecurity risks to the company. Appropriate safeguards should be implemented protect against malicious threats.

Through the audit committee’s oversight of the financial reporting process, the audit committee should also understand how genAI technologies are integrated into relevant processes, how those technologies are selected, tested, and monitored, and how the company provides training and guidance to employees to promote consistent and effective use.

Overseeing the External Auditor

The audit committee’s oversight of the external auditor is one of its core responsibilities and directly contributes to audit quality. Active and engaged audit committees have open dialogue with the external auditor on matters critical to the audit, which would likely include discussion to understand how the company’s use of genAI in financial reporting processes or internal control over financial reporting impacts the auditor’s risk assessment and planned audit approach.

Audit committees can use some of the following questions to better understand how the auditor plans to respond to the company’s use of genAI

• What is the experience of the engagement partner and other senior engagement team members with genAI technologies? Would the firm be able to supplement the engagement team’s expertise if necessary (e.g., by engaging qualified specialists)?
• What is the auditor’s understanding of the financial reporting implications of the company’s use of genAI technologies?
• How has the impact of the company’s use of genAI technologies been considered during the auditor’s risk assessment process?
• Does the company’s use of genAI technologies have a significant impact on the planned audit scope?
• Has the auditor identified any fraud risks related to the company’s use of genAI technologies? How has the auditor addressed such risks in the audit?

When it comes to the transformative power of genAI and its integration into the financial reporting process, audit committees play a crucial role. Effective oversight by strong, active, knowledgeable, and independent audit committees significantly furthers the collective goal of providing high-quality, reliable financial information in the capital markets.

Explore our resource, Audit Committee Oversight in the Age of Generative AI, for more detail on how audit committees can effectively exercise their oversight responsibilities related to the use of genAI.

As genAI evolves and becomes a component of how financial reporting professionals operate, the CAQ will continue to monitor its impact on our profession and beyond. To get the latest insights, explore our resources and subscribe to our newsletters to learn more.