AI Risk Management: What Not to Do
January 27, 2025
A lot of attention is paid to “best practices” when it comes to risk management. A recent article in The CPA Journal takes the opposite approach and calls out AI risk management “worst practices.” Since the publication’s target audience is accountants, it’s not surprising that it highlights the problems associated with ignoring the financial statement impact of AI:
It’s easy to forget that AI does impact financial statement reporting. Unfortunately, some CPAs believe AI is all about increasing revenue or decreasing cost. The Center for Audit Quality’s “Emerging Technologies, Risks, and the Auditor’s Focus”, although not explicitly written for AI, does cover timeless risks including access privileges, erroneous changes, third-party oversight, change management, cybersecurity, and data reliability. Ironically, the risks themselves are similar, no matter the technology. It’s how they are managed that is different.
Other worst practices identified in the article include failure to use existing organizational governance policies, not obtaining a core understanding of AI, neglecting to consider a recognized AI risk management framework, ignoring industry-specific AI risks and challenges, and forgetting the vendor risks involved.