ASIC questioned about regulation of AI and audits in recent hearing

In a recent hearing, the Joint Committee on Corporations and Financial Services has questioned ASIC about its role in regulating the use of AI in audits, particularly those undertaken by the big four firms.

Speaking in the hearing on Friday, Senator Deborah O'Neill noted that Deloitte Australia had recently ordered its audit staff to stop uploading confidential client or firm information into ChatGPT, according to an article by The Australian Financial Review.

O'Neill also referred to the 28 instances in which KPMG staff used AI to cheat on internal exams.

ASIC commissioner Kate O’Rourke noted that there had been an extraordinary increase in the use of AI in both financial services companies and more broadly within the economy over the last 18 months.

O'Rourke said some of the examples given by Senator O'Neill about the use of AI by audit firms had raised concerns.

"What the government has been grappling with is whether we have all sorts of bespoke guardrails or whether we use existing guardrails that control the use of new tools, including AI tools. Where we've landed is the latter, so we're using existing guardrails and identifying if additional safety steps are required," she said.

"[However], we have said publicly that there are plenty of existing rules that apply to the use of any tool, including AI tools."

Audit firms must ensure that information is properly protected and that training is done appropriately, she said.

"Information provided to auditors is sensitive, important and confidential and so those controls are important," said O'Rourke.

Senator O'Neill asked ASIC what the regulator was doing to ensure auditors met their professional responsibilities in their use of AI for audits.

"I think it's quite shocking that this has happened [at Deloitte]. What's the consequences for doing this? Because if it's efficient and the whole goal is about grabbing every dollar no matter how that might breach ethical standards or privacy legislation, then we've got a problem of incredible scale in this sector?" she said.

O'Rourke said that ASIC's regulatory role in relation to auditors was "reasonably confined" and that the use of AI by audit firms was not something that ASIC had the power to regulate.

"We register particular individuals, registered company auditors. We do not register or licence firms. We do not regulate audit firms. So if your question is, what are we doing in relation to the firms? That is not something that we have regulatory oversight of," she said.

O'Rourke said at this point ASIC had not had any specific engagement or communications with any individual registered company auditors regarding the use of AI.