4 Essential AI Adoption Practices You May Be Overlooking

A lot of AI guidance dives straight into the weeds of implementation. Often, that’s exactly what Internal Audit and SOX teams need to overcome their hesitation and get out of the starting blocks.
But it’s also crucial to stand back, see the big picture, and make sure you’re not missing key opportunities to get — and stay — on the right track.
That’s what this week’s article is for. What can you do to ensure you’ve set the vision, mindset, objectives, and strategy to ensure that your AI implementation actually goes somewhere?
David Coulombe’s webinar on moving “From AI Hesitation to Audit Transformation” spotlighted some of the big-picture leading practices teams may miss in their rush to implement. David draws on decades of Internal Audit leadership experience at some of the world’s leading tech companies. In his current role as Audit Executive with agentic AI tech provider Petual, he’s focused on “architecting the future of Internal Audit” by building the AI-enabled technologies that will help the profession cement its future value and relevance.
You can’t reach your destination until you decide what it is. The leading practices David shared can help you come at AI implementation with a more holistic strategy and vision.
1. Communicate the Vision: Internal Audit as a Strategic AI Partner
Internal Audit was made for this.
We understand risk. We’re always focused on efficiency, quality, objectivity, and change management. We balance business and risk acumen with robust knowledge of processes, controls, and opportunities for improvement. Plus, our relationships span the organization.
As David shared, “Agentic AI won’t just make audit more efficient. It will redefine what ‘good’ looks like. Internal Audit is one of the few functions already built for that shift.”
This is the vision every Internal Audit and SOX team needs to get their heads around.
AI implementation is a vital opportunity to redefine what ‘good’ looks like across the organization — including within Internal Audit and SOX.
That makes it an awesome opportunity to step up and show them what we can do, evaluating AI governance, assessing and validating AI-enabled processes and controls, and providing assurance over AI operating models. Instead of being displaced by AI, it can help us become more influential, more strategic, and more firmly embedded as trusted advisors enabling organizational transformation.
“We have a change function to play here, including being crisp on what quality outputs will look like for any process,” said David. “In my mind, we are going to be the tip of the spear — super relevant in those discussions. We just have to position ourselves to have those conversations and gain the right context.”
2. Treat AI Adoption as an Operating Model Change
Everyone knows AI is disrupting business models and changing how work gets done. But David recommends thinking more holistically.
For most companies, AI adoption constitutes both an operating model and workforce transformation. “Internal Audit’s mandate and charter is going to remain the same,” stressed David. “It's how the work is performed that is being changed. This is the critical element for us to think about.” Processes, workflows, sequencing, who does the work (machine vs. human), review processes, and the speed at which things can be done — that’s what’s changing.
The bottom line: AI adoption is much more than a technology implementation. It’s altering operating models, driving widespread process reengineering, role redefinition, and governance redesign.
David added, “It’s a question of reallocation of resources more than anything else. Skill sets will also have to evolve.”
“We are uniquely positioned to oversee that change,” said David. The business risks remain, but managing them within this rapidly evolving landscape will “require a lot of direct oversight — which is exactly what we do within Internal Audit.”
Along the same lines, Internal Audit can help business leaders understand AI adoption not as a one-time tech implementation, but as a long-term journey in capability building. Because AI capabilities evolve rapidly, governance, operating models, and upskilling efforts must also keep evolving.
3. Define Clear Objectives for AI Adoption
What are you trying to achieve by adopting AI within Internal Audit or SOX?
After all, you’re not adopting AI for its own sake. You’re adopting it with at least some goals and objectives in mind, however hazy they may be early on in your AI journey.
In David’s experience, unclear or unrealistic objectives are an incredibly common point of early friction. Teams can avoid this pitfall by formulating short-term objectives and longer-term goals that are:
- Specific. “It can span between the standard efficiency aspect, improving quality, and — because you have new tools that can cover a lot of ground — expanding scope. It can be training your team to be AI-savvy, so they understand what’s being done in the AI space,” said David. You may also consider objectives around cost reduction, workforce upskilling, or enhancing strategic or advisory capabilities. Ultimately, you want “clarity on what you’re trying to achieve,” helping you gauge progress and improve alignment. On that note, make sure key stakeholders (IT, Compliance, External Audit, audit committee, AI governance functions) are aligned with your objectives.
- Realistic. “Make sure you contain your expectations. What we’ve seen in some instances is the desire for the tool to do exactly what a human would do,” cautioned David. At this point, fully autonomous AI applications are still not possible, as that would require Artificial General Intelligence (AGI). So the more realistic notion, said David, is “getting something 80% done rather than 100% done.”
As you set your objectives, however, remember: AI shouldn’t just be about short-term reductions in costs and level of effort. To optimize AI’s value, it should expand organizational capability (e.g., broader risk coverage, faster insights, deeper analysis).
4. Strategically Evaluate Build vs. Buy Approaches
The question is no longer whether Internal Audit and SOX will adopt AI, but how.
Will you build your own AI-enabled workflows internally, adopt pre-built vendor solutions, or use some combination of the two?
As David emphasized, the right answer “is very contextual.” It will vary depending on factors such as the availability of enterprise AI tools, budget, bandwidth, AI skills, company culture, and the objectives you’re hoping to achieve.
David provided a framework to help Internal Audit and SOX teams think through their build vs. buy decisions. In overview, he encourages teams to weigh…
COST: What Is the True Cost of the Solution Over Time?
Companies often lean toward AI solutions that can be implemented quickly and easily — without considering their long-term maintenance costs or sustainability.
Make sure you’re considering both initial implementation costs and the ongoing maintenance burden, bearing in mind how quickly AI technologies are evolving. You’ll want to maintain whatever you build or buy to meet the continually rising bar of AI’s capabilities.
QUALITY: Can the AI Outputs Meet Audit Standards?
“At the heart, this is about taking probabilistic systems — what LLMs are — and turning them into something that is as deterministic as possible,” said David.
To that end, ensure that your AI solutions embed human-in-the-loop validation rigor and other safeguards that help you ensure the right levels of consistency, reliability, transparency, and auditability.
ACCOUNTABLE: Who Owns the AI Outcomes?
Who is ultimately responsible for the AI outcomes? What service-level expectations will help you ensure that accountability?
Said David, “At the end of the day, the Internal Audit function will always be responsible for the quality of what is being produced. But the person building the solution is where the buck will stop.” If it’s vendor-built, some risk can be transferred.
SKILL: What Capabilities Are Required to Make the Solution(s) Work?
As David pointed out, both routes will help your team build AI skills — but each also builds different skills. For example, said David, “The build route can actually be quite compelling, because you will learn firsthand what it takes to be a software engineer.” That could be especially relevant for tech-focused or tech-forward businesses. But the buy route generally requires less upfront AI knowledge and hands-on experimentation. Plus, implementing an existing solution can also help auditors understand how to practically embed — and govern the usage of — an agentic AI solution within a set process, which can be highly relevant in discussions with audit stakeholders.
So, as you decide your path, consider:
- What technical skills you need (or want) internally
- What the learning curve will look like
- What it will take to sustain and scale these skills across your team
SCOPE: What Can the AI Solution(s) Realistically Cover?
It all comes back to your objectives in adopting AI. What do you need it to do? David recommends assessing:
- The breadth of Internal Audit or SOX use cases supported
- Scalability across the team or to adjacent use cases
- Integration potential with existing systems or technologies
- Workflow automation capabilities
THE LAST WORD: Ensure You’re Building a Robust AI Toolkit
The reality for many Internal Audit and SOX teams: They’re just getting out of the AI starting blocks.
Effective AI implementation in Internal Audit and SOX is about thoughtfully combining big-picture strategy — like the lessons David shared — with tactical how-to guidance and ready-to-use prompts that help remove some of the most common hurdles to adoption.
That’s why the Internal Audit Collective is so invested in creating webinars, roundtables, working groups, how-to articles, eBooks, and tools focused on developing and sharing AI guidance and leading practices. For example…
The Internal Audit Collective’s AI Playbook eBook series shares practitioner-developed expert guidance, insights, lessons learned, leading practices, and more.
- FRESH OFF THE PRESSES, Volume II delivers 12 SOX prompts and agents, insights on AI’s impact on risk and control programs, DOs and DON’Ts for implementing AI in SOX, and insights on External Auditor reliance on the use of AI in SOX and management processes. Download your copy today.
- ICYMI, Volume I shared 20 Internal Audit prompts across phases, step-by-step guidance for secure, successful AI deployment, and insights on building your AI business case.
- UP NEXT, Volume III on how to perform an AI governance project will provide real-world insights and how-to information from Internal Audit teams who have completed these projects — and who are leveraging them to expand relationships and share AI knowledge and leading practices across their organizations.
What help do you still need to implement AI in your function or start providing AI assurance and advice to your organization? Let us know how else the Internal Audit Collective can help.

Recent Articles
Want to be updated as new blog posts are released? Subscribe to our newsletter.
Join 1K+ readers of The Enabling Positive Change Newsletter for tips, strategies, and resources to improve your approach to Internal Audit and SOX compliance.

