Before You Enable AI in Your Audit Management Platform, Check What Your Data Is Doing

Should you enable the AI features in your audit management platform?

These features don't audit your organization; they audit your platform's data quality.

The Situation

On March 9, Workiva, Diligent, and AuditBoard - rebranding that day as Optro - all made AI-centered product announcements at the IIA's Great Audit Minds conference in Las Vegas: three of the main platforms in enterprise audit management, at one event, all with the same message. Each of them can now draft your process narratives, generate your audit plan, recommend testing coverage, rationalize controls, and develop board-ready risk insights. What none of the vendors addressed is whether the data inside your platform is ready to produce reliable output with their AI.

The Exposure

Workiva's own 2025 Global Practitioner Survey across 2,300 finance, sustainability, audit, and risk professionals, found that only about one in three respondents has data of high enough quality to be trusted for AI use. Nearly two-thirds lack the governance policies and role-specific training those features require. When the AI in your audit management platform reads your enterprise risk register to surface emerging threats, or analyzes your control library to recommend testing coverage, that output is calibrated to whatever is in the register including every stale entry, every undocumented gap, and every inconsistency that has accumulated since the platform was deployed. You'll review what the AI generates before it reaches the committee - but that only validates whether the output looks plausible, not whether the data underneath it was complete enough to surface all the material gaps your audit committee actually needs to know about.

The Judgment Call

Diligent reports that early adopters of their AuditAI have cut audit administration from roughly 120 hours to 35, and Standard 10.3 of the IIA's 2024 Global Internal Audit Standards now requires CAEs to regularly evaluate available technology and pursue improvements. That means your vendor and your professional standard are both pointing in the same direction. Turning the features on is easy, and the promise of refocusing your team from evidence-gathering to strategic advisory work is exactly what drives value in the organization. However, the platforms generate AI output from data that already exists inside the system, and even for features that incorporate external regulatory feeds, converting a regulatory change into a finding still requires your control library to be mapped well enough for the AI to identify the gap. Before enabling any AI feature, conduct a structured data quality review: how complete is your control library, how current is your risk register, and how consistently have your team's findings been tagged across audit cycles? Audit functions need to start with that question because a function that holds the organization to documentation and evidence standards can't exempt its own AI deployment from those same standards.

  • Risk: The review surfaces gaps that will take weeks to address, potentially pushing out your audit calendar.

  • Benefit: A defensible foundation for AI-assisted findings, and a remediation list your team needs to know about regardless of whether you ever enable the AI.

This Week’s Action

  • What to do: Pull a random sample of 10 controls from your platform's control library and 10 entries from your enterprise risk register. Score each against three criteria: date last reviewed, completeness of supporting documentation, and consistency of risk and finding tags.

  • Who to involve: Your internal audit platform administrator and one audit manager who has worked in the platform for at least 12 months. The CAE owns the go/no-go conclusion.

  • What outcome to achieve: A go/no-go data readiness assessment with a specific list of gaps that need to be resolved before any AI features are enabled. If your CISO hasn't confirmed the data processing and isolation practices for your platform's AI layer, that needs to be done before anything is turned on.

  • Time required: 30 minutes to pull and organize the sample; 45 minutes to score and document.

Artifact

Platform AI Readiness Checklist: For each item, mark where your GRC platform currently stands. All three items in the AI Governance Readiness section must be ”Fully documented and current” before enabling any AI feature, and all other sections must be at least “Partially addressed”.

Control Library Quality

All in-scope processes are documented in the platform.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

Each control is linked to a specific, named risk.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

Controls were reviewed and updated within the last 12 months.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

Enterprise Risk Register Currency

Risks in the register have been reviewed or updated within the last 12 months.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

Risk ratings are supported by documented evidence, not simply carried forward from prior years.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

AI-related operational and third-party risks appear as named entries.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

Findings and Issue Categorizations

Prior-year findings are consistently tagged by risk category across audit cycles.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

Remediation statuses are current and confirmed by control owners.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

Repeat findings are flagged as repeat in the system, not entered as new.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

AI Governance Readiness

A named individual owns the review of AI-generated output before it reaches the audit committee.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

Your team has a documented protocol for reviewing AI-assisted findings before treating them as conclusions.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

Your CISO has confirmed the data processing and isolation practices for your platform's AI layer.
▢ Not addressed   ▢ Partially addressed   ▢ Fully documented and current

When the stakes exceed your internal capacity:

  • AI Exposure Diagnostic: A 2-hour strategic evaluation for risk, compliance, and legal leaders to identify your highest-priority governance gaps and deliver a 90-day remediation roadmap.

  • 12-Week Governance Sprint: Translate regulatory requirements into audit-ready policies, control frameworks, and accountability structures.

  • Ongoing Advisory Retainer: Embedded judgment for policy updates, vendor assessments, and board prep as regulations and technology evolve.

Reply with "Diagnostic" or “Sprint” to schedule a conversation for next month.

Chris Cook writes Judgment Call weekly for compliance and risk officers navigating AI governance.

Former IBM Vice President and Deputy Chief Auditor. Published in the AI Journal, speaker at Yale.

Chris Cook

Managing Partner & Founder

Blackbox Zero

Forwarded this by a colleague?Subscribe to Judgment Call

Next
Next

Why Your AI Governance Committee Needs a Confirmed Inventory Before Approving New Use Cases