00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit Tech. Deepfakes are changing how fraud happens, and even what organizations can trust as real evidence. In this episode, Andrew Guasp sits down with Corey Chadderton to break down how AI-generated media is being used to impersonate leadership,
00:00:23 The IIA
slip past controls and exploit trust. They also discuss why these tools are now so easy to access and what internal auditors need to do to strengthen governance, training and response as these risks grow heading into 2026.
00:00:40 Andrew Guasp
What are deep fakes and why should auditors be paying attention to them now?
00:00:45 Corey Chadderton
Alright. Well, let me begin by saying thank you, Andrew, for the opportunity for us to be here today and to have this conversation. Well, to the question that you asked: deep fakes, they are realistic looking but altered, and I want to focus on that
00:01:01 Corey Chadderton
word, altered, media
00:01:03 Corey Chadderton
created using artificial intelligence, AI, those two letters that have been all the rage for these past few years.
00:01:11 Corey Chadderton
Particularly focusing on learning techniques. Now, if we go back a few years to 2017, when the term made its way into our lexicon, deep fakes were almost exclusively video content. But today these fabrications have expanded by leaps and bounds to not only touch on video,
00:01:31 Corey Chadderton
but they also now include
00:01:33 Corey Chadderton
images, and they also include audio. Now you ask an important question: why should auditors be paying attention to them? But I think that the thing for should has long gone, and auditors must pay attention to this technology, if for no other reason than for the significant threats that they pose
00:01:54 Corey Chadderton
to organizations, to the integrity and to the reputational risk that they bring. When we look at it, deep fakes are increasingly used in fraud, and by all the metrics that I have seen,
00:02:07 Corey Chadderton
their usage continues to increase year on year. And another reason why I think that we must pay attention to them has quite a bit to do with the fact that the entry barrier, if I may put it that way, it has collapsed. So what initially required Hollywood studios,
00:02:28 Corey Chadderton
yeah, it now only takes pretty much a $20 subscription and a few seconds of voice audio. So this has catapulted us from being a novelty
00:02:40 Corey Chadderton
to becoming a very serious and material business risk, one that we cannot afford not to pay attention to.
00:02:50 Speaker 2
How does this deep fake technology work, and what do internal auditors need to understand without, you know, without us becoming technical experts?
00:02:57 Corey Chadderton
At a very basic level, deep fake technology uses machine learning algorithms, and these algorithms have been trained on large data sets, data sets of
00:03:10 Corey Chadderton
images, videos, audio, you name it.
00:03:13 Corey Chadderton
But depending on the context, this training then is able to facilitate a mapping from one person, from one individual, to another. So for example, what we can have as a result of this is that we can see the swapping of faces in videos, or we can hear, and
00:03:34 Corey Chadderton
not see but hear, the synthesizing of voices
00:03:38 Corey Chadderton
when we listen to audio, when we analyze speech patterns. So internal auditors, we don't need to become technical experts, but we must be able to understand, as I said, at the very basic level, that these deep fakes rely on vast amounts of data simply to mimic human expression, whether it is
00:03:58 Corey Chadderton
appearance or voice. And recognizing the potential for misrepresentation is critical for us when it comes to assessing risks in audit scenarios, as these fabrications can certainly, most definitely, impact the authenticity of the evidence.
00:04:17 Speaker 2
Well, it's pretty terrifying stuff. I mean, I think we, we've all heard a couple of horror stories about these deep fakes, but kind of go along the lines of that. How does AI driven deep fake technology expand or change the traditional fraud risks that internal audit already evaluates, like such these impersonations, social engineering.
00:04:20 Corey Chadderton
And telling me about it.
00:04:25 Corey Chadderton
Well.
00:04:37 Speaker 2
Or is there even payment fraud that this is impacting?
00:04:40 Corey Chadderton
I see deep fake, as I kind of like to term it, as a force multiplier for fraud. This technology, it amplifies traditional fraud risks simply by providing these new avenues for impersonation. Your words exactly, horror stories. Who hasn't heard stories of CEOs authorising payments
00:05:02 Corey Chadderton
based on what an employee perceived to be, or thought was, the CEO? Who hasn't heard the stories of CEOs misleading employees, asking them to carry out a particular instruction,
00:05:16 Corey Chadderton
and then it turned out quite later to be anyone but the CEO? And then you made mention of social engineering, that element. Where do we even begin as it relates to social engineering? You see, traditional audit controls, they rely, they rely rather heavily on
00:05:37 Corey Chadderton
confirmation.
00:05:40 Corey Chadderton
If you call a vendor to confirm a bank account change and a deep fake answers, the control has failed.
00:05:48 Corey Chadderton
The risks haven't changed.
00:05:50 Corey Chadderton
The.
00:05:51 Corey Chadderton
But the efficacy of our current controls has diminished.
00:05:56 Corey Chadderton
So as internal auditors, we must.
00:06:00 Corey Chadderton
Position ourselves in such a way that we can adapt our methodologies to address these evolving threats and to ensure that the assessments that we conduct of fraud risks include these potentials for manipulated data. We cannot avoid these. We cannot afford to miss.
00:06:22 Corey Chadderton
On these.
00:06:24 Speaker 2
And you kind of alluded to what I I want to talk about next, which is this, you know you call your vendor thinking that you're getting a, you know, a confirmation to go ahead and you know, shift some funds around. What are some of these real world examples of deep fakes being used in ways that internal auditors should view as a control or governance failure?
00:06:43 Corey Chadderton
I think by now most of us, if not all of us, should have heard somewhere along the line, you know, the impersonation of the CEO, the one, there was that one coming out of Hong Kong where a call was received and, because of the urgency
00:06:59 Corey Chadderton
that came along with the call, it led to a transaction, $25 million being transferred, and not just transferred, but essentially ended up being lost. Why? Because that employee was duped into facilitating that transaction because
00:07:18 Corey Chadderton
what they thought they saw on the video call, the voice that they thought they were hearing, every other participant
00:07:27 Corey Chadderton
was a deep fake other than the employee who was receiving the instruction there. We had, most of us perhaps might have seen it as well, there were deep fake videos of Elon Musk promoting fake cryptocurrency investments, you know, and they were all on the very familiar platforms, X,
00:07:47 Corey Chadderton
YouTube.
00:07:48 Corey Chadderton
Also these things, they expose the governance gaps in content monitoring. They're not just content monitoring, but in the response that comes when these things are made known. And we have, there are other cases, you know, I mean, some time back, and this one
00:08:08 Corey Chadderton
I found rather hilarious. I don't remember the year, but I think it was 20.
00:08:12 Corey Chadderton
The one where there was something circulating of the Pope in a puffer jacket. I mean, that one took the cake for me. You know, when I saw this in a puffer jacket, you
00:08:23 Corey Chadderton
know, I was
00:08:23 Corey Chadderton
like, whoa, what have we come to? And then there was the release that came out saying that it was a fake, you know. So seeing is no longer believing.
00:08:34 Corey Chadderton
Neither is hearing.
00:08:36 Speaker 2
It's funny you mentioned that, that content monitoring. It's, you know, in the initial days of social media and stuff, your content monitoring was heavily focused on what are you as a company saying, what are you as a company doing. I think now we're having this big change where it's not only what are you doing, but then what are people
00:08:55 Speaker 2
trying to do on your behalf?
00:08:56
Yes.
00:08:57 Corey Chadderton
Correct, correct, and it goes back to what I would have touched on at the beginning, that element of reputational risk, and reputational risk is one of the biggest risks that organizations face. No one. It's not just internally but externally. Because if you have somebody purporting to be
00:09:17 Corey Chadderton
who they are not,
00:09:19 Corey Chadderton
imagine the implications for that, you know. So, orange is
00:09:24 Corey Chadderton
the new black,
00:09:25 Corey Chadderton
but reputational risk is the new cyber risk.
00:09:29 Speaker 2
So the old adage, trust but verify,
00:09:32 Corey Chadderton
Woah.
00:09:33 Speaker 2
gets a lot harder when you can't, you know, can't trust these sources either. Very true. So go along those lines, like, where are organizations the most vulnerable today from a control standpoint, and how can internal audit assess whether existing controls are sufficient against these deep fake enabled threats?
00:09:51 Corey Chadderton
Thinking about it, there are really a few areas of vulnerability. But if I have to name a few of them on the floor, I'd say that organizations are especially and particularly vulnerable in two areas.
00:10:08 Corey Chadderton
Areas that involve, one, remote authorization processes. And why? Because of the heavy reliance that they have, that they employ, that they.
00:10:18 Corey Chadderton
Age as it relates to digital communications. So that's area number one, remote authorization processes, and then another area that I would say would be areas where there are high pressure workflows. Now what do I mean when I say high pressure workflows?
00:10:38 Corey Chadderton
Those will be areas where the workflow, you know, including things like financial transactions and those things that require executive approval. Let's go back to the same example I gave, the well documented case of the CEO in Hong Kong.
00:10:55 Corey Chadderton
If a CEO calls a controller, or calls his secretary, or calls whoever has the call, demanding an urgent transfer, the psychological pressure combined with the voice clone, these things immediately bypass logic. If our employees are trained, you know, when they say,
00:11:15 Corey Chadderton
and then really, really trained to really pause, pause for a moment,
00:11:22 Corey Chadderton
those two seconds can really make a tremendous difference. But these things are, and the attackers, they understand this, they understand and they
00:11:31 Corey Chadderton
work on our
00:11:33 Corey Chadderton
response to urgency, when they can hit up and get us to, you know, have to create that sense of urgency and all that logic goes through the door.
00:11:43 Corey Chadderton
And then what I mentioned about the remote authorization process is being documented as well, you know, attackers using deep fake voices to reset passwords or even bypass MFA by pretending, multi factor authorization, sorry, by pretending to be an employee in distress. As internal auditors,
00:12:04 Corey Chadderton
I think we've come to the stage where our internal audits, they need to assess the effectiveness of controls
00:12:12 Corey Chadderton
by evaluating processes that authenticate identity and those that validate content, those two things: authenticate identity and validate content. Internal audit can assess sufficiency by conducting threat analysis, you know, by testing
00:12:32 Corey Chadderton
controls, biometric, multifactor authentication, reviewing incident response plans, and I would even go as far as saying that internal audit should, to the greatest degree possible, even simulate deep fake attacks.
00:12:51 Corey Chadderton
What better way are we able to identify gaps in our detection and verification protocols?
00:12:59 Speaker 2
So it's almost like taking some of those cyber security control tests and applying them to this deep fake area. You know, they talk about doing penetration testing, but then also you have some places where they
00:13:10 Speaker 2
leave random flash drives in the parking lot to see if people will pick them up and try to plug them in. So it's almost applying some of these old testing techniques and
00:13:19 Speaker 2
tips to this new area?
00:13:22 Corey Chadderton
Correct. Looking back at what you've said, these are tried and true methods. You know, these aren't things that are what we would call or consider to be out-of-the-box. They are things that we have always been accustomed to doing, and that's the beauty of it.
00:13:39 Corey Chadderton
The technology improves. We have advancements and all of these kind of things, but the basics are still tried and true and we can always revert to them with a great degree of success.
00:13:55 Speaker 2
What indicators or red flags can internal auditors look for when assessing whether media communications or approvals may have been manipulated?
00:14:04 Corey Chadderton
There are quite a few of them that we should be, that we should be on the lookout for and, you know, internal auditors, red flags, you know, they go together like the Chiefs and Super Bowl. But up until this year, that is. Yeah. Right. But as it relates to these, what we should be looking for these indicators.
00:14:22 Corey Chadderton
But if it is that we are talking about a visual context, where we are having a conversation in, say, digital communication, where we are having a remote conversation, where we're looking at someone on a screen, you know, there is what is referred to these days as, you look for these factors that contribute to what we call
00:14:43 Corey Chadderton
liveliness, you know, whether the liveliness is what they describe as active or passive. So they
00:14:50 Corey Chadderton
encourage you to look at things like skin tone, if you can see the person, if there are inconsistencies between the words that you are hearing and the syncing of the lips, the movement of the lips and the words, and all those things are aligning right. But if we're not talking about a visual context,
00:15:10 Corey Chadderton
if we consider perhaps just the auditory, we can perhaps look at things such as unusual requests, where there is
00:15:19 Corey Chadderton
a request that has come through for you to meet or to take an urgent action that doesn't quite square with your established protocol.
00:15:30 Corey Chadderton
There could also be, and we always are on the lookout for these, a lack of corroborating documentation to, you know, support the communication. I mean, there are so, so very many things that we can be and should be on the lookout for, because
00:15:49 Corey Chadderton
these red flags, as I said, in terms of this facial expression, the lighting, the shadows, those environmental mismatches, those things, they are key. So it's not just a matter of just talking, you know, but we have to be observant, especially in this age of technology in which we live and we
00:16:09 Corey Chadderton
can't get away from
00:16:10 Corey Chadderton
it at all, at all.
00:16:13 Speaker 2
Yeah, that seems.
00:16:14 Speaker 2
To be a recurring theme with these deep fakes is this pressure and this, like, you need to do this immediately. There's all this, like, pressure coming from someone above that, you know, we need something to be done and it's so timely. It needs to be done immediately. Needs to be done right now. There's no time to think. There's no time to act and it's like we, you.
00:16:31 Speaker 2
Constantly try to tell people, take a deep breath.
00:16:34 Speaker 2
Read it. That doesn't seem right. Have I ever gotten a request like this from this person? No. Why would today be the day that I get one? So I think, yeah. Taking it back to some of these things, you know how we apply it through other fraud lenses?
00:16:47 Speaker 2
It's no different than applying it here in the deep fake situation.
00:16:50 Corey Chadderton
To continue along the same footballing, you know, I mentioned the Kansas City Chiefs and the Super
00:16:55 Corey Chadderton
Bowl analogy, I think
00:16:58 Corey Chadderton
fraudsters, they have their own playbook as well. The sooner we recognize that there are certain things that they play on, creating scenarios
00:17:09 Corey Chadderton
of urgency, where the pressure is so great that, you know, you don't have time to reach out to anyone and you have to address this thing now. They play on these things, you know, they work on these mental and emotional heuristics.
00:17:26 Corey Chadderton
You know, they really, really do a very good job when it comes to these things. And again, why are they so successful? Because I don't think that our organizations give the amount of respect to training in these particular
00:17:45 Corey Chadderton
areas that is really necessary and appropriate for the threats that we face today. So to my mind, and that's just my opinion, to my mind that is one of the reasons why these things will continue to grow and they will continue to proliferate,
00:18:01 Corey Chadderton
is the training as it relates to teaching our employees to, you know, value the power of the pause. Yes, you hear what you are hearing, but just talk for a minute, take a deep breath, listen to what they're saying. How does it square with what we have
00:18:22 Corey Chadderton
been doing, you know, and a couple of other things I somehow think that we will touch on as we continue in our conversation.
00:18:28 Speaker 2
I really like the way you put that, the
00:18:30 Speaker 2
power of the pause. Like, just take a step,
00:18:33 Speaker 2
reevaluate what's going on, what's being presented to you before you act, and a lot of times we act quickly. It, you know, can spell for disaster. How effective are current deep fake detection tools and how should internal audit evaluate management's reliance on AI based detection tools, including their limitations?
00:18:52 Corey Chadderton
That is a gem of a question, Andrew. Yeah, it really is, you know, because I have no preference for any particular vendor. As a matter of fact, I like to think of myself as being vendor agnostic, you know. But when we look at what is being offered there on the market, you know, the tools that are being
00:19:12 Corey Chadderton
offered,
00:19:13 Corey Chadderton
there's varying effectiveness. When you look at the reviews and you read and you listen to the reports, they vary as it relates to the effectiveness of these tools. You know, I touched on, mentioned before, liveliness, you know, whether that liveliness is active or passive. But the reality is this, Andrew: more often than not,
00:19:34 Corey Chadderton
if we think about it,
00:19:36 Corey Chadderton
detection tools are invariably one step behind the generation tools. Think
00:19:43 Corey Chadderton
about it: more often than not, what comes out is a response to something that has come before. And to answer your question, let me go back to, again, going back to the basics, and banking provides a really powerful analogy for me.
00:19:59 Corey Chadderton
Because when you come into banking, let's say for example you have a customer service representative, someone whose function is to take and to share money over the counter, that customer service representative, that agent, when they are onboarded, when they are being trained,
00:20:21 Corey Chadderton
counterfeit money has always, always been a big thing. Wherever you go in the world, counterfeit money has always been a big thing. But when it comes to banking, let me put it this way: employees are trained to detect counterfeit money, not by focusing on counterfeits, but by focusing on the real thing.
00:20:43 Corey Chadderton
The permutations and combinations that can result when it comes to counterfeits, these are endless, they are countless, but the real is limited. And when we train in that, using that same banking context, when those employees are trained
00:21:00 Corey Chadderton
to know what the real looks like, what it feels like, what it smells like, they are then better able to detect
00:21:10 Corey Chadderton
what is not real. So for me, instead of depending heavily or even solely on AI to catch AI, if I can term it that way, I'm a firm believer in training, supporting and empowering the human beings
00:21:31 Corey Chadderton
that have to still stand as the guardians or the watchdogs of these software detection tools. Organizations really need to invest in the human component as, not I would say the ultimate, but a very important
00:21:52 Corey Chadderton
control in this whole exercise. Yes, detection tools are a layer of defense, but
00:21:59 Corey Chadderton
they are not
00:22:01 Speaker 2
The solution? That's a really good point. I think we get so wrapped up in these technologies that, oh, we gotta have the latest tech in all of this and we kind of forget to go back to the basics like the soft skills of internal auditing, those interview techniques, getting to know your auditees getting to know your audience. You know, the best way to detect if your.
00:22:21 Speaker 2
CEO is acting erratically through a deep fake is to truly know your CEO, right? If you are in the sense your CFO, if your CFO has never talked to you about going and buying a bunch of gift cards online and sending them to the, why would that be normal course of business if you truly knew your CF.
00:22:37
Well.
00:22:38 Corey Chadderton
Absolutely. You know, and even to expand it even beyond auditing any real internal auditors, you know, but
00:22:46 Corey Chadderton
if we can have the employees in our organizations to employ
00:22:52 Corey Chadderton
an internal auditing mindset, I think that that would go a significant ways in terms of empowering them as well. Help our employees, the non auditors, to develop professional skepticism.
00:23:07 Corey Chadderton
You know, I see you, I hear you. But this is what you're saying to me, you know? But, you know, I think we've come to the stage where we don't see it as necessarily,
00:23:21 Corey Chadderton
or
00:23:22 Corey Chadderton
take it personal when persons ask us questions, you know, to verify. Verification is very, very important, especially when we are talking about what we are discussing here this afternoon, deep fake technology. We have to insist
00:23:40 Corey Chadderton
on these verification protocols. They must be part and parcel of our control framework. Yes, this is what you
00:23:49 Corey Chadderton
say to me, but.
00:23:51 Speaker 2
So going along those lines, what role should internal audit play in helping management design or strengthen policies, training and incident response plans related to deep fakes?
00:24:02 Corey Chadderton
The proactive, and I want to emphasize that word, the proactive conversations need to be had with management so that they can develop comprehensive policies, policies around things like media integrity and communication verification. As internal auditors,
00:24:22 Corey Chadderton
you know, we can't design it,
00:24:24 Corey Chadderton
because
00:24:25 Corey Chadderton
it's a conflict to design it, then to have to turn around and to audit it. So while we may not necessarily be involved in the design, you know, there is an advisory role that internal audit plays. And if we want to talk about being value and, and I don't know about your experience, but mine has been as.
00:24:46 Corey Chadderton
I have met no shortage of internal auditors who love to tell the value added concept: internal audit will add value to our organizations. But if we really, really want to have and to add value to our organizations, and to add meaningful value
00:25:04 Corey Chadderton
To.
00:25:05 Corey Chadderton
Should they add to our organizations, then our response, to my mind, it can't be a responsive one. It has to be proactive. So as internal auditors, we have to have those conversations, as I said, you know, help them,
00:25:21 Corey Chadderton
not to say this is what you must do,
00:25:25 Corey Chadderton
but have you considered
00:25:27 Corey Chadderton
including, incorporating X, Y and Z when it comes to building out your policies around media integrity, your policies around communication verification? Because these things can assist, internal audit rather can assist, in designing training programs that raise
00:25:47 Corey Chadderton
awareness. Again, going back to the basics.
00:25:50 Corey Chadderton
Raise awareness about deep fakes and outlining protocols for responding when we believe that these kind of things have happened in our organizations. And I think that by facilitating these mock incident responses, you know, internal audit can really, really help
00:26:11 Corey Chadderton
ensure that staff are equipped to identify and, having identified them, to take the next step now and to escalate these concerns when they should arise. So,
00:26:24 Corey Chadderton
summarily, then, internal audit, we should act as, as I said, advisors, that's a crucial word in this context, by conducting risk assessments to help to identify deep fake vulnerabilities, you know, recommend policies. As I said, I made mention of those two, what were they, media integrity,
00:26:45 Corey Chadderton
communication verification. You know, we help our organizations to refine our incident response plan.
00:26:52
Yes.
00:26:53 Corey Chadderton
And I think we've come to the stage now where any incident response plan that does not incorporate an AI detection element or an AI detection integration is outdated. It needs to be revisited and it needs to be revised at the earliest
00:27:14 Corey Chadderton
opportunity, because AI is in everything, everything.
00:27:23 Speaker 2
So as these deep
00:27:24 Speaker 2
fake technologies and AI more broadly continue to evolve, how can internal audit stay ahead through risk assessments, audit planning and ongoing assurance?
00:27:33 Corey Chadderton
To get ahead and to stay ahead, internal audit needs to, let me throw this in, in other places and on other platforms and other forums. But it becomes more accentuated given this discussion that we are having around deep fakes and deep fake technology and artificial intelligence.
00:27:54 Corey Chadderton
But internal auditors, we need to adopt a forward thinking approach.
00:28:01 Corey Chadderton
For much of my career, much of what I have done until quite recently has always focused on looking back, what has happened, and, you know, having a focus in the rear view mirror. But given where we are at in today's world, we
00:28:21 Corey Chadderton
have to be, we must be adopting a forward thinking approach.
00:28:27 Corey Chadderton
We've come to the time where we need to be continuously updating our risk assessments to account for these emerging technologies. We can't just wait for them to be happening and then say, OK, let's see what adjustments we can make here. We need to engage in ongoing assurance activities, and maybe
00:28:47 Corey Chadderton
you touched on it in the previous question that you asked, you know, such as regular workshops, engaging with management and staff on the implications of artificial intelligence and this deep fake technology.
00:29:00 Corey Chadderton
I think doing things like these will help auditors, and not just auditors, but our organizations to remain informed. We must shift from a periodic mindset, as has been the culture in many places, to a continuous risk assessment mindset.
00:29:20 Corey Chadderton
As internal auditors, we are very well positioned, very well placed in our organizations to act, or rather to be the catalyst for preparedness. What do I mean by that? You know, I made mention earlier of the policies.
00:29:40 Corey Chadderton
We can't craft the policies. We can't write the policies, but we are well positioned to review. It is incumbent on us, it is a necessity, that auditors strive to remain ahead of the curve.
00:29:57 Corey Chadderton
We must be constantly upskilling, and that's something that I am passionate about personally.
00:30:04 Speaker 2
Well, Corey, thank
00:30:04 Speaker 2
you for joining us today. This topic seems like it can go on and on forever and ever, but we got to frame it somewhere. So I really appreciate you joining us, taking the time to explain all these scary things that are coming up, but also how we can start to manage them some way, somehow. So thank you.
00:30:19 Corey Chadderton
Not a problem at all, Andrew. Thank you so very much for having me. The pleasure was all mine.
00:30:25 The IIA
If you want to hear more from Corey on deepfakes and digital deception, you can catch him live at GAM 2026 happening March 9th through the 11th in Las Vegas. Secure your spot and register at theia.org. You can join audit leaders from around the world for three days of insight, innovation and forward-looking conversations.
00:30:47 The IIA
If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theia.org. That's theia.org.