Boards should not form a separate strategy for AI, but should embed it in core business strategy, according to an award-winning entrepreneur.

Priya Lakhani OBE, founder and CEO of AI technology education company Century Tech, was speaking at the Chartered Institute of Internal Auditors’ flagship conference earlier this month in London. Artificial intelligence (AI), technology and the future of the profession were dominant themes at the annual event, for which Board Agenda was media partner

In her opening keynote speech, entitled ‘AI—everything, everywhere, all at once’, Lakhani argued internal auditors have an opportunity to lead by understanding that ‘AI is not magic; AI is maths.’ Through labelling data using numbers, she said, AI can produce information to help the business predict certain outcomes, allowing it to plan accordingly: “Decode information into numbers is the key takeaway.”

According to Lakhani, an AI strategy is useless. For her ‘AI should be embedded in the core business strategy.’ She urged the audience to consider the outcomes they want to achieve and to think about the areas where AI can help, which she termed the three Ps: productivity, predictions and personalisation. She also stressed that CEO sponsorship and culture were vital to bringing about change.

Fighting cybercrime

Sarah Armstrong-Smith, chief security officer at Microsoft, looked at why businesses are currently losing the battle against cyber criminals in her keynote speech, ‘Building and defending your digital fortress.’

Cyber criminals’ tactics are constantly evolving, Armstrong-Smith warned. ‘We’re always in this constant cat and mouse game: they evolve, we have to evolve.’ She gave the striking example of cyber criminals using AI deepfakes to impersonate senior figures in the business.

Armstrong-Smith said cyber criminals also use the psychology of persuasion to make their attacks more effective. Organisations should be especially mindful of the insider threat of apathetic employees, she said, who could be particularly dangerous if targeted by cyber criminals.

Armstrong-Smith added that organisations should focus on protecting the parts of the business cyber criminals want access to—usually data and assets—by plotting where those elements are and who has access to them. From there, the business can assess all possible attack paths, understand any vulnerabilities and report on them. She encouraged internal auditors to “embrace the red” and report the facts to bring about change.

Strength in diversity

Also giving a keynote speech was Sara Weller CBE, chair of the Money & Pensions Service, who talked about the lack of representation of people with a disability in senior positions. Weller, diagnosed with progressive MS in 2009, the only FTSE 100 director with a disclosed disability. She felt a “pressing need for action” in the face of apathy over the lack of disabled people in senior positions.

‘The customer base we serve is way more diverse than it was when I started work,’ Weller said, but business leaders ‘don’t share the diversity that our customers share.’ As a result, she added, two in five customers with disabilities say they struggle to find the products and services they need.

Weller argued internal audit should prioritise disability inclusion because of the business opportunity it presents, citing three reasons for the business case: attracting and retaining talent, ensuring all employees are engaged and productive and being able to innovate for all customers. Weller said progress can be monitored though: open reporting by the board on its progress, faster building of the talent pipeline, and more leaders disclosing their disabilities. For Weller, “disability inclusion is almost all upside”.

Further speeches and panel discussions centred around the state of the internal audit profession. Gijs Borghouts, group chief internal auditor at Barclays, started with a look at one of the bank’s 1899 audit reports, before bringing the evolution of the profession right up to date by speaking about his team’s experience of using AI.

Barclays took a “bottom up” approach, recognising that the more junior members of the team have grown up coding and expect to use technology such as generative AI in their work. These junior team members, he said, are therefore more likely to find ways to innovate with AI. An example of this was that the team now uses Microsoft Copilot to review code, but only knew this was possible because an apprentice told them so. Borghouts said he thinks in the future a core aspect of the internal audit role will be writing prompts and designing AI agents.

Professional courage

In a panel session devoted to discussing what it means to be courageous, Steve Saunders, group chief internal auditor at Bank of Ireland, was joined by David Dart, head of ACO internal audit at NATO, and Apurva Satavalekar, chief operating officer – internal audit at Marex.

Saunders said courage can be not taking the easy path, innovating, or being able to admit you’re wrong. He also said it can be empowering to own your opinions. Dart argued internal auditors have the right to be courageous and that it’s an inherent expectation of the role. He argued for grown-up conversations about risk that invite challenge, adding that courageous acts, such as taking on difficult tasks, should be acknowledged.

‘Remain relevant’

Closing the conference, Isabel Derison, Global Board of Directors for the Institute of Internal Auditors, gave a call to action for internal auditors to embrace change to remain relevant. According to Derison, ‘there is a real risk for us becoming irrelevant if we keep on focusing on our traditional roles and responsibilities.’

She said it was important to change the perception of internal auditors as compliance-focused to being seen as a strategic advisers—something boards increasingly expect. To change how they’re perceived, internal auditors should move from hindsight to foresight, Derison argued, focusing more on emerging risks and how they will affect the company. Internal auditors should go beyond assurance and compliance and start preparing for a stronger advisory role in the future, she said.

Derison also argued that internal audit and risk management should actively collaborate to highlight emerging trends and ensure timely risk responses. “Each line must reinforce each other and not work in isolation,” she said. However, Derison was clear that internal auditors don’t manage risks; they illuminate them. In addition, she said internal auditors will need to have a strategy for stakeholder management and embrace technology. Referring to IIA research of the same name, Dersion said “Vision 2035 calls for influence, visibility, [and] strategic engagement.”