Are Artificial-Intelligence Software Audits Around the Corner?

Recent weeks have seen a number of news reports and announcements indicating that the Next Big Thing for audits – financial audits, at least, for the time being – is the use of artificial intelligence technologies to facilitate the analysis of large volumes of data in the context of audit-related activities. KPMG’s recent announcement was particularly noteworthy from my perspective, because it indicated that the audit firm would be deploying IBM’s Watson “cognitive computing technology” to KPMG’s professional services offerings. According to the announcement:

One current initiative is focused on employing supervised cognitive capabilities to analyze much larger volumes of structured and unstructured data related to a company’s financial information, as auditors ‘teach’ the technology how to fine-tune assessments over time. This enables audit teams to have faster access to increasingly precise measurements that help them analyze anomalies and assess whether additional steps are necessary.

IBM is, of course, one of KPMG’s biggest software-auditing clients. Big Blue regularly entrusts enterprise-level audit projects to the firm for project-management, data-collection and data-analysis responsibilities.

All of these recent reports mention that the AI technologies currently are being contemplated for use in connection with financial audits. However, it is not at all difficult to imagine the same or similar tools being put into use in connection with software audits, which for larger organizations also can require auditors to process vast quantities of deployment and usage information. In that context, KPMG’s and IBM’s announcement is potentially troubling.

Auditors like KPMG and Deloitte typically characterize their roles in software audits as being independent collectors and analyzers of data. From this writer’s past experience, such assurances do not always seem to align with the standard operating procedures for many audits, where doubts of all degrees almost always are resolved in favor of the software publishers paying the auditors’ bills. However, that concern would be compounded if, in the future, auditors were to merely feed deployment data into an AI tool developed by the publisher of the products being audited and to then transmit the output to IBM. Under those circumstances, the auditors arguably would be nothing more than project planners and button-pushers.

Furthermore, we increasingly are seeing auditors insist on broad rights to “access” their customers’ computers during audits, and we also have started to see indications that some publishers may be moving toward requiring the use of specific tools to measure usage during audits. Companies need to realize that any such access or tool-deployment rights in publishers’ favor almost certainly would run counter to licensees’ best interests. Such terms must be avoided at all costs.

It will be very interesting to see in coming years how new developments in technology change the scope of software audits and processes they entail.