Machine learning is bandied about in the media often these days, many times erroneously. The key question that concerns auditors is not how to build machine learning algorithms or how to debate the relative merits of L1 and L2 regularization, but rather, in what context is the algorithm operating within the business? Additionally, do we have assurance that it meets all regulatory and business constraints and fulfills the needs of the enterprise?
Data scientists, of which I am one, have the most fun working with algorithms and spending time clustered together attempting to eke out half a percentage point of accuracy from our models. However, this extra half of a percentage point almost never turns into improved results for the organization, or at least not relative to the risk and reward involved. For technology auditors, knowing how to create machine learning algorithms or understanding the actual mathematical mechanics behind the models is not required, or even very helpful, in evaluating the effectiveness of machine learning in the enterprise. As auditors, we need to provide assurance over how the algorithms are functioning in the business and find out whether proper governance and controls are in place to make sure the models are operating in the best interests of the enterprise.
A favorite example of mine is that you can have a model that has 99% accuracy, say for fraud detection, that is practically worthless. For example, if 99 out of 100 transactions are not fraud, we could get a model with 99% accuracy by just saying that all transactions are not fraud. This does nothing for us, though; what we care about in this example is the recall of the model. We want to make sure we detect the 1% of fraudulent transactions, even if we have 4 false positives.
So, the moral of the story is in understanding the business ramifications and providing assurance that the models accomplish something. This is where audit can provide the most value and where we as auditors should focus: understanding the context of machine learning algorithms and applications and providing assurance that they are fulfilling the business requirements while staying within the bounds of relevant regulations.
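
The fraud-detection comparison above, worked through in Python as an added example (not from the original post or Journal article). The 100 transactions are constructed, and the function names and the `min_recall` and `max_false_positives` thresholds are assumptions standing in for whatever the business requirement specifies.

```python
from collections import Counter

# Constructed sample: 100 transactions, 1 = fraud, 0 = not fraud (1% fraud rate).
Y_TRUE = [1] + [0] * 99
ALWAYS_LEGIT = [0] * 100          # model that says no transaction is fraud
DETECTOR = [1] * 5 + [0] * 95     # catches the fraud, plus 4 false positives

def metrics(y_true, y_pred):
    """Accuracy, recall, precision and false-positive count for binary labels."""
    if not y_true or len(y_true) != len(y_pred):
        raise ValueError("labels and predictions must be non-empty and equal length")
    c = Counter(zip(y_true, y_pred))
    tp, fp, tn, fn = c[(1, 1)], c[(0, 1)], c[(0, 0)], c[(1, 0)]
    return {
        "accuracy": (tp + tn) / len(y_true),
        # Guard the ratios: a model that flags nothing has no precision to report.
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "false_positives": fp,
    }

def audit_findings(y_true, y_pred, min_recall=0.9, max_false_positives=5):
    """Check a model against business thresholds (hypothetical values) rather
    than accuracy. Returns a list of findings; an empty list means it passes."""
    m = metrics(y_true, y_pred)
    findings = []
    if m["recall"] < min_recall:
        findings.append(
            f"recall {m['recall']:.0%} is below the required {min_recall:.0%}")
    if m["false_positives"] > max_false_positives:
        findings.append(
            f"{m['false_positives']} false positives exceed the limit "
            f"of {max_false_positives}")
    return findings

if __name__ == "__main__":
    for name, preds in [("always-legit", ALWAYS_LEGIT), ("detector", DETECTOR)]:
        m = metrics(Y_TRUE, preds)
        print(f"{name}: accuracy={m['accuracy']:.0%} recall={m['recall']:.0%} "
              f"precision={m['precision']:.0%} "
              f"findings={audit_findings(Y_TRUE, preds)}")
```

On this data the model with the lower accuracy (96%) is the one that passes, while the 99%-accurate model is flagged for detecting none of the fraud.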
Read Andrew Clark’s recent Journal article:
“The Machine Learning Audit—CRISP-DM Framework,” ISACA Journal, volume 1, 2018.