Internal Audit and Assurance
AI audit is no longer optional. The methodology, evidence base, and reporting expectations are crystallising — and the IIA, ISACA, and APRA are converging on what good looks like.
For: Chief Audit Executives, internal audit teams, third line of defence, external assurance providers
For internal audit and third line of defence functions, AI represents a category of audit subject that breaks traditional methodology in important ways. Traditional IT audit assumes that controls are deterministic, that evidence is reproducible, and that audit testing produces consistent results. AI systems — particularly frontier systems — violate all three assumptions. The audit profession is responding: the IIA has published AI audit guidance, ISACA has launched the Advanced in AI Risk (AAIR) credential, and APRA's 30 April 2026 industry letter sets explicit assurance expectations for regulated entities. The work for internal audit is to develop the methodology, evidence base, and reporting structure that satisfies these emerging expectations.
What this role is accountable for
The substantive AI governance responsibilities that fall to this role under current Australian and global expectations.
1. AI audit methodology — control testing approaches adapted for AI-specific risk
2. Evidence base — model documentation, validation results, monitoring logs, incident records
3. Assurance over AI risk management, governance, and control effectiveness
4. Third-party audit and assurance arrangements for AI vendors
5. Reporting to audit committee and board on AI risk and control posture
6. Coordination with external assurance (Big 4, specialist AI assurance providers)
7. Audit capability building — AAIR certification, AI literacy across the audit team
Most relevant intelligence
Curated coverage selected for this role — frameworks, regulatory developments, and operational guidance you can act on.
How to Audit AI Systems
Core methodology for auditing AI systems in regulated and enterprise contexts.
AI Bias Auditing and Testing Guide
NYC Local Law 144 methodology, statistical testing approaches, and audit evidence.
Integrated Assurance for AI Governance
How third line provides assurance across the APRA six-category framing.
Model Risk Management in the Age of AI
SR 26-2, APRA CPG 234, and the audit implications of model risk extension to AI.
AI Governance Maturity Model
A benchmark structure for audit findings and improvement recommendations.
RegTech AI Governance Platforms Guide
The tooling landscape for AI audit, monitoring, and assurance.
Frameworks that apply
The regulatory frameworks, standards, and guidance documents most relevant to this role.
Institute of Internal Auditors guidance on auditing AI systems.
Beta-launched 2025, the leading practitioner credential for AI risk and audit.
Prudential practice guide on information security — now extended in practice to AI.
Control reference for AI management system audit.