Internal Audit's New AI Mandate: What Should Be on the 2026 Audit Plan
The IIA's Global Internal Audit Standards (effective January 9, 2025) didn't just refresh the old IPPF. They fundamentally restructured what internal audit functions are expected to cover, and AI risk is now squarely in scope. If your 2026 audit plan doesn't include dedicated AI coverage, you're going to have a hard time demonstrating conformance with the new standards. Here's what that actually looks like in practice.
What the New IIA Standards Actually Say
The 2025 Global Internal Audit Standards are organized into five domains (Purpose, Ethics, Governance, Managing the Internal Audit Function, and Performing Internal Audit Services), and the relevant pressure points for AI show up across several of them. Domain IV, Standard 9.1 specifically requires the chief audit executive to develop a risk-based plan that considers "emerging risks" facing the organization. The guidance materials released alongside the standards explicitly reference technology risk, algorithmic decision-making, and data governance as examples of emerging risk categories that audit plans should address.
Standard 9.4 on coordination and reliance is also relevant. If your organization has a separate AI governance committee or a model risk management function (common in financial services), the CAE needs to evaluate whether reliance on that function is warranted or whether independent audit coverage is still necessary. The IIA's position is clear: the existence of a first or second line AI governance function doesn't eliminate the need for third-line assurance.
Standard 13.1 on evaluating governance processes rounds it out. Internal audit is expected to assess whether governance structures adequately address risks arising from new technologies. If your board adopted an AI use policy in 2024 but nobody has tested whether it's actually being followed, that's a gap the IIA standards now expect you to close.
Why 2026 Is the Inflection Point
A few things are converging. The EU AI Act's provisions for high-risk AI systems begin applying in August 2026, which means any organization with EU exposure needs conformity assessments, risk management systems, and human oversight mechanisms in place by then. The NIST AI Risk Management Framework (AI RMF 1.0, released January 2023) has had enough time to mature into the de facto U.S. reference standard, and regulators are starting to cite it. The OCC, FDIC, and Federal Reserve's joint guidance on model risk management (SR 11-7, supplemented by ongoing interagency work) increasingly treats AI and ML models as within scope.
For healthcare organizations, HHS issued its final rule on transparency and nondiscrimination in AI-enabled clinical decision support in December 2024, with compliance timelines extending into 2026. Defense contractors are navigating DoD Directive 3000.09 on autonomous systems alongside CMMC requirements that now intersect with AI data handling.
The point is that 2026 audit plans aren't speculative. They need to address regulatory obligations that already exist or are weeks away from taking effect.
Structuring AI Coverage in the 2026 Audit Plan
Based on what we're seeing across regulated industries, here's a practical framework for AI audit coverage. This isn't meant to be exhaustive, but it covers the areas where audit committees and regulators are most likely to ask questions.
1. AI Inventory and Classification
You can't audit what you haven't cataloged. The first engagement should verify that the organization maintains a complete inventory of AI systems, including third-party tools, embedded AI features in existing software, and internally developed models. Classification should align with whatever risk taxonomy the organization has adopted (the EU AI Act's risk tiers, NIST AI RMF categories, or an internal framework). The audit should test completeness, not just review what's been self-reported.
2. Governance and Policy Effectiveness
Most organizations adopted some form of AI acceptable use policy in 2023 or 2024. The audit question for 2026 is whether those policies are operational. Are they being followed? Do employees know they exist? Is there an approval process for new AI deployments, and is it actually being used? Testing should include sample-based reviews of AI deployment decisions, interviews with business unit leaders, and a comparison of the AI inventory against the approval log.
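As an added example (not from the article), here is the reconciliation that sections 1 and 2 describe: the self-reported AI inventory is compared against the deployment approval log and against an independent discovery source, so the test covers completeness rather than only what was self-reported. All system names, owners, tiers and dates below are constructed.

```python
# Added example: reconcile a self-reported AI inventory against the approval
# log and an independent discovery source. All data sets are constructed.
from dataclasses import dataclass, field

# Self-reported AI inventory (constructed; names are hypothetical).
INVENTORY = {
    "credit-underwriting-model": {"owner": "Lending", "risk_tier": "high"},
    "contract-review-assistant": {"owner": "Legal", "risk_tier": "limited"},
    "fraud-scoring-v2": {"owner": "Payments", "risk_tier": "high"},
}

# Approval log from the AI deployment approval process (constructed).
APPROVAL_LOG = {
    "credit-underwriting-model": "2024-03-11",
    "hr-resume-screener": "2024-09-02",
}

# Independent evidence: AI-tagged applications seen in the SSO app catalog
# and vendor contracts (constructed). Used to test inventory completeness.
DISCOVERED = {
    "credit-underwriting-model", "contract-review-assistant",
    "fraud-scoring-v2", "hr-resume-screener", "marketing-copy-generator",
}


@dataclass
class Exceptions:
    not_inventoried: set = field(default_factory=set)  # discovered, unreported
    not_approved: set = field(default_factory=set)  # inventoried, no approval
    approved_not_inventoried: set = field(default_factory=set)  # stale inventory
    high_risk_unapproved: set = field(default_factory=set)  # escalate first


def reconcile(inventory, approval_log, discovered):
    """Return the exception sets an auditor would carry into the working paper."""
    inv, approved = set(inventory), set(approval_log)
    exc = Exceptions()
    exc.not_inventoried = discovered - inv  # completeness failure (section 1)
    exc.not_approved = inv - approved  # approval process bypassed (section 2)
    exc.approved_not_inventoried = approved - inv  # inventory not maintained
    exc.high_risk_unapproved = {
        s for s in exc.not_approved if inventory[s].get("risk_tier") == "high"
    }
    return exc


if __name__ == "__main__":
    for name, items in vars(reconcile(INVENTORY, APPROVAL_LOG, DISCOVERED)).items():
        print(f"{name}: {sorted(items) or 'none'}")
```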
3. Data Governance and Privacy Controls
AI systems consume data, and the provenance, quality, and permissibility of that data are audit issues. This is especially acute in healthcare (HIPAA, the HHS AI rule) and financial services (GLBA, FCRA, state privacy laws). Audit should evaluate whether training data sources are documented, whether data minimization principles are being applied, and whether personal data is being processed through AI systems in ways that comply with applicable privacy frameworks.
4. Model Risk and Output Validation
For organizations using AI in decision-making (credit underwriting, clinical recommendations, fraud detection, hiring), the audit plan should include testing of model outputs for accuracy, bias, and drift. This is where SR 11-7 concepts apply directly. Even organizations outside banking should consider adopting a model validation approach. The audit doesn't need to replicate what a data science team does, but it should verify that validation processes exist, are performed at defined intervals, and produce documented results.
5. Third-Party AI Risk
A significant portion of enterprise AI exposure comes through vendors. Your contract management platform added an AI feature. Your cloud provider is processing data through ML models for optimization. Your legal research tool is using generative AI. The audit should assess whether third-party AI use is captured in vendor risk assessments, whether contracts include appropriate provisions (data use restrictions, audit rights, incident notification), and whether the organization's AI policies extend to vendor-provided tools.
6. Incident Response and Monitoring
AI incidents (hallucinated outputs used in regulatory filings, biased automated decisions, data leakage through AI tools) need a response framework. The 2026 audit should evaluate whether the organization's incident response plan has been updated to address AI-specific scenarios and whether monitoring controls exist to detect AI-related issues before they become regulatory findings.
Resourcing and Competency
Standard 7.1 of the new IIA standards requires that internal auditors possess or obtain the competencies needed to perform their engagements. For AI audits, this is a real constraint. Most internal audit shops don't have deep technical expertise in machine learning, data science, or AI governance. The options are co-sourcing with specialized firms, investing in training (the IIA's own AI auditing certificate program launched in 2024), or building hybrid engagement teams that pair audit professionals with internal data scientists or engineers.
Whatever the approach, the CAE should document the competency strategy in the audit plan itself. Audit committees are increasingly asking how the function is equipping itself to cover technology risk, and "we'll figure it out" is not a satisfying answer.
Reporting to the Board
Standard 11.1 requires communication of engagement results to appropriate parties, and for AI audits, that means the audit committee needs to receive findings in a format that connects technical observations to business and regulatory risk. Avoid purely technical reports. Frame findings around regulatory exposure (e.g., "the absence of bias testing for the automated underwriting model creates fair lending risk under ECOA"), operational impact, and remediation timelines. Board members are paying attention to AI governance in 2025 and 2026 in a way they weren't two years ago, and audit findings that are clear and actionable will get traction.
How FirmAdapt Addresses This
FirmAdapt's architecture was designed around the assumption that regulated organizations need AI systems that are auditable by default. The platform maintains detailed logs of data inputs, model interactions, decision pathways, and user actions, which directly supports the inventory, classification, and output validation work that internal audit teams need to perform. When an auditor asks "what data went into this output and who approved its use," FirmAdapt can answer that question without a forensic exercise.
For organizations building out their 2026 AI audit coverage, FirmAdapt also simplifies the third-party risk dimension. Because the platform operates within the organization's own compliance boundaries rather than routing data through opaque external models, it reduces the vendor AI risk surface that audit teams would otherwise need to assess. The governance controls are built into the product, which means audit can test them rather than recommend they be created.