AI, Cybersecurity & Audit Committee Oversight

AI, Cybersecurity, and Audit Committee Oversight

Related ��è��Ƶ: Cybersecurity ��è��Ƶ, Risk Advisory Services, Audits, Reviews, and Compilations

February 9, 2026

Contributors: Jessica R. Dore, CISA, Elizabeth N. Ziesmer, CPA

It’s��important for audit committee��members,��in their��oversight��role��to understand how Artificial Intelligence (AI)��impacts��their institution’s��day-to-day operations. For example, AI��could be��used in financial reporting, enterprise-wide risk management, fraud risk mitigation, and data privacy and security.��

To ensure��their��effectiveness, adaptive��AI��models��rely��on��data��quality, accuracy, reliability,��and integrity. As such,��audit��committees��should��focus on and��understand data management related to the following: ��

Data��governance��to ensure��data privacy��and��access��controls are��established��and implemented��with��supportive��employee education and training.
Data��security��to ensure��sensitive or confidential information��fed into��AI models��is protected, especially if��the��data leaves��financial institutions’��secure��IT systems.
Transparency��to help��regulators understand how��the��selected��AI��models��operate, respond, and provide conclusions and reporting that informs decisions about policies,��operations,��and strategic planning.
Human��oversight��procedures��to��ensure��people review, evaluate, and are accountable for��AI outcomes��to avoid overreliance and reduce risk. ��

Cybersecurity First

Because the use of AI integrates systems and data, which is often shared outside financial institutions’ networks, it can increase the risk of cyberattacks. Ongoing investment in thorough monitoring and oversight of cybersecurity measures is critical to protect confidential data and marketplace reputation. Aligning processes to recognized frameworks like those recommended by the National Institute of Standards and Technology (NIST), International Standard for Organization (ISO), or Cybersecurity and Infrastructure Security Agency Industrial Control Systems (CISA ICS) provides an oversight structure to track effective, secure, and compliant AI use and data collection.��

How��AI Can Address��OBBB��Reporting Requirements��

The One Big Beautiful Bill Act of 2025 (OBBB) includes new reporting requirements��with��tax benefits��for��banks,��credit unions,��and their borrowers.��AI��solutions��can help ensure��accurate��and secure��collection and reporting of data��not only to��comply with��OBBB��requirements, but also to realize financial benefits, such as:��

Agricultural Loans:��Qualified lenders can deduct up to 25 percent of interest income received for loans��
originated after Jul.��4, 2025. The loans must be��secured by��real property��that��is��located��in��the U.S. or a U.S.��territory��and��produces��agricultural products, supports��a��fishing��or seafood processing businesses, or��operates��an aquaculture facility.��When accurately tracked and accounted for, this��new deduction��provides financial incentive to grow��this segment of the loan portfolio��in certain regions.��

Auto Loans:��For tax years 2025 through 2028, individual taxpayers��who��purchase��qualifying new vehicles for personal use are��entitled to an annual deduction of up to $10,000 of��interest paid��on loans originated after Dec. 31, 2024.��

On Dec. 31, 2025, the IRS��proposed regulations��to clarify lenders’��auto loan��reporting requirements,��including:��Lenders receiving $600 or more in interest on a qualifying auto loan��would��be required��to report.��

Lenders required to report must provide to��the IRS and taxpayers: the name, address, and taxpayer identification number of the payor of record and the interest recipient; the amount of interest received for the calendar year; the outstanding loan principal as of the beginning of the calendar year; date of loan origination; year, make, model, and VIN of the vehicle that secures the loan; and date the vehicle was acquired.��

What��Audit Committees��Need to Know About Their Institution’s Use of AI��

Realizing the full potential of AI��means��audit committees��must fully��understand��the��risks��and opportunities��the tool poses��to��ensure management has��defined��and implemented��policies, processes,��and controls��that��govern the acceptable use of AI.��Audit��committee��members��should��ask��management��questions��about��AI��responsible use��and cybersecurity protections, such as:��

How are you using AI?��What are your competitors doing,��and how are you��maximizing opportunities?
What are your��procedures to test��AI��models for accuracy, reliability, data bias,��and other risks? How��is��human��review verifying these��outcomes��and��for��ongoing monitoring of AI post-implementation?
Are you using AI��models you consider to��be��higher risk? Why��and��what are the benefits?��
How��is data used,��protected,��and secured against��risks of cybercrime and data breaches?
How are employees educated and trained��on��the importance of cybersecurity practices? How are you documenting that leadership��provides��clear guidance��to employees about their��responsible use��of AI��to��support��data security?
What’s��your business continuity plan��for��a data breach resulting from a cyberattack��or��AI��failure?��

By prioritizing cybersecurity��and��leveraging��proven principles��regarding��the��acceptable��use of AI, your��financial institution��can��not only��strengthen its��data management and reporting��but also��upgrade��digital��defenses with��strategies��that��protect systems,��drive��innovation, deliver on customer expectations, and reduce unnecessary��risk. Contact your ��è��Ƶ advisor or��Liz Ziesmer, CPA,��at��[email protected]��or��616.975.4100��or Jessica Dore, CISA,��at��[email protected]��or��989.799.9580��for a personal consultation.��