Governing the Machine: An Auditor's View from the Inside (Ricardo Matos Cardoso, Mazars Portugal)

Ricardo, you’ve spent your career at the intersection of internal audit, risk management, and regulatory compliance. How has this background shaped the way you look at artificial intelligence and its integration into assurance services at Mazars Portugal?

My career started at EY, where I worked across financial institutions and regulatory engagements. That gave me a cross-sector view early on. You quickly spot the same governance weaknesses repeating across banks, insurers, and fintechs. Then at CGD, I moved inside a large institution and saw the operational reality up close: millions of daily transactions, complex regulatory obligations, and an audit function still largely built on manual sampling and annual cycles.
That combination shaped a simple but firm conviction. The traditional model of assurance was not built for the speed and complexity of today's risks. And AI is where that gap is most exposed.
What my background gave me is a practitioner's instinct: the question for an auditor is never just "does this AI system work?" It is who is accountable for it, how was it built, on what data, and what happens when it fails quietly. Those are governance questions, and governance is where audit adds real value. That is what I bring to Forvis Mazars every day.

When you assess financial institutions or tech companies today, where do you see AI already having the most concrete impact on internal audit, risk assessment, and AML/CFT controls—and where is its potential still largely untapped?

The most visible impact today is in transaction monitoring. Traditional rule-based AML systems generate an enormous volume of false positives, and the vast majority of alerts are dismissed after manual review. AI is changing that by reducing alert volumes, speeding up investigations, and improving the quality of suspicious activity reports. For a compliance team buried in backlogs, that is a genuine transformation, not a marginal gain.
In fraud detection, AI is making decisions in milliseconds on live transactions, a speed and scale that human review simply cannot match.
Where the potential is still largely untapped, three areas stand out. First, continuous auditing, because most institutions still work on quarterly or annual cycles when risk changes daily. Second, unstructured data, since most conduct and culture risk lives in emails, call recordings, and board minutes rather than transaction tables. Third, and most urgently, auditing the AI itself. We are deploying machine learning to manage risk and then trying to audit it with methods designed for entirely different systems. Closing that gap is one of the defining challenges for our profession.

Based on your experience with AML frameworks and KYC systems at CGD and EY, what are the most critical risks you see when organizations introduce AI into their financial crime and regulatory risk processes, and how should they be governed and audited?

The stakes here are high because the consequences are not just regulatory, they are societal. If an AI system is missing financial crime or producing biased outputs, that harm scales with the model.
The first risk is training data integrity. AML models learn from historical data labelled by human analysts. Those labels carry every institutional blind spot and every typology that was previously missed. FATF guidance is clear that the integrity of the underlying data is foundational, because you cannot build sound detection on unsound ground. The first question I always ask when reviewing a monitoring model is who labelled this data, under what criteria, and has anyone independently challenged those labels.
The second is model drift. Financial criminals adapt to bypass detection systems. A model trained on last year's typologies can become ineffective within months if it is not continuously monitored and updated against current FATF and EBA guidance on emerging threats.
The third is explainability. When an AI system flags a customer or restricts an account, the Wolfsberg Group principles and EBA supervisory expectations are clear: institutions must be able to explain why. "The model said so" is not a defensible answer. Internal audit must be equipped to challenge the quality of those explanations, not just accept them.

In practical terms, how are you and your team at Mazars adapting assurance methodologies to audit AI-driven models and data pipelines—especially in sensitive areas like transaction monitoring, customer due diligence, and sanctions screening?

In this particular case, we have had to rebuild significant parts of our audit programmes, because frameworks designed to assess defined processes were not built for adaptive algorithms.
Our approach now follows the full machine learning lifecycle: data governance, data engineering, feature engineering, model training, model evaluation, and deployment. Each stage has different risks and requires different tests.
At the data stage, we look at accountability. Is there a clear owner for data quality with the authority to escalate problems? For transaction monitoring models, we examine whether the training data actually reflects the institution's current customer base, or whether it mirrors a historical portfolio that no longer captures today's exposure.
At the validation stage, we do not rely on the developer's own test results. We independently validate performance on separate datasets and test against current FATF typologies. For sanctions screening, we focus particularly on false negatives, because missing a true match is categorically more serious than a false alarm, and aggregate metrics can hide dangerous gaps.
We have also brought colleagues with data engineering backgrounds into our audit teams to interrogate data pipelines directly. Silent failures between source systems and model input can corrupt a model's outputs completely without triggering any visible alert. That is a risk traditional IT audit was never designed to catch.
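The validation point made in the answer above, that an aggregate score can hide a dangerous false-negative gap in sanctions screening, as an added illustrative example that is not part of the interview and not code from Forvis Mazars or any of its audit programmes. The screening results, the segment labels (name script) and the recall floor are all constructed assumptions for the example.

```python
"""Independent validation of a sanctions-screening model: per-class and
per-segment metrics rather than one aggregate score.

Added illustrative example, not code from the interview or from Forvis Mazars.
The records, the segment labels and the recall floor are constructed assumptions.
"""
from collections import defaultdict

# Constructed validation set: each record is (segment, is_true_match, model_flagged).
# A "true match" is a case an independent reviewer confirmed against the list.
VALIDATION = (
    # latin-script names: well represented in training data
    [("latin", True, True)] * 95 + [("latin", True, False)] * 5
    + [("latin", False, False)] * 9850 + [("latin", False, True)] * 50
    # transliterated names: sparse in training data, model misses most true matches
    + [("translit", True, True)] * 4 + [("translit", True, False)] * 16
    + [("translit", False, False)] * 980
)


def confusion(records):
    """Count true/false positives and negatives for a list of records."""
    c = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for _, actual, flagged in records:
        if actual and flagged:
            c["tp"] += 1
        elif actual and not flagged:
            c["fn"] += 1          # a missed true match: the serious error
        elif not actual and flagged:
            c["fp"] += 1          # a false alarm: costs analyst time only
        else:
            c["tn"] += 1
    return c


def metrics(c):
    """Accuracy (the aggregate) beside recall and FNR (what the auditor needs)."""
    total = sum(c.values())
    positives = c["tp"] + c["fn"]
    recall = c["tp"] / positives if positives else float("nan")
    return {
        "accuracy": (c["tp"] + c["tn"]) / total,
        "recall": recall,
        "false_negative_rate": 1 - recall if positives else float("nan"),
        "positives": positives,
    }


def validate(records, min_recall=0.9):
    """Return overall metrics, per-segment metrics and the segments below the floor.

    min_recall is an assumed threshold for the example; a real engagement
    would set it from the institution's risk appetite and the regulator's view.
    """
    overall = metrics(confusion(records))
    by_segment = defaultdict(list)
    for r in records:
        by_segment[r[0]].append(r)
    segments = {seg: metrics(confusion(rs)) for seg, rs in by_segment.items()}
    failing = sorted(seg for seg, m in segments.items() if m["recall"] < min_recall)
    return {"overall": overall, "segments": segments, "failing_segments": failing}


if __name__ == "__main__":
    result = validate(VALIDATION)
    o = result["overall"]
    print(f"overall accuracy {o['accuracy']:.4f}, overall recall {o['recall']:.3f}")
    for seg, m in result["segments"].items():
        print(f"  {seg:9s} recall {m['recall']:.3f} on {m['positives']} true matches")
    print("segments below recall floor:", result["failing_segments"])
```

On this constructed data the model reports 99.4% accuracy, which a developer's own test summary would present as a pass; recall on true matches is only 82.5% overall, and 20% on the transliterated-name segment, where 16 of 20 confirmed matches are missed. That segment breakdown is the finding an independent validation should surface and the developer's aggregate figure cannot.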

You’ve worked with complex regulatory environments such as MiFID II, FATCA, and CRS. How do you see regulators’ expectations evolving regarding AI use in compliance and internal audit, and what are the main gaps you observe between regulatory ambition and what institutions are actually doing?

Regulators are moving faster and with more precision than many institutions realise, and the pressure is coming from multiple directions at once.
The EU AI Act classifies many financial services applications, including credit scoring, AML risk rating, and customer due diligence, as high-risk systems with binding requirements around explainability, human oversight, documentation, and incident reporting. DORA adds operational resilience obligations that directly affect AI systems. The EBA and ECB have been increasingly specific in their expectations on model risk management. AMLA, the EU's new anti-money laundering authority, will bring direct supervisory intensity to exactly the systems that AI is most actively reshaping. At the global level, the Basel Committee and FATF are setting expectations that travel well beyond EU borders.
The gap I see most consistently in practice has three dimensions. The first is model inventory, as many institutions simply do not have a clear picture of how many AI systems are in production or which would be classified as high-risk. The second is documentation, because institutions can show a model performs well but struggle to produce a coherent, auditable record of how it was built and why it makes the decisions it does. The third is skills on both sides. There is a real shortage of supervisors at national and European level who can meaningfully interrogate a model architecture. That creates a risk of compliance theatre: documentation that satisfies a checklist without anyone being able to genuinely challenge its substance.

Looking ahead five to ten years, how do you envision AI transforming the role of internal auditors and compliance officers in Portugal’s financial and technology sectors? Do you expect AI to mainly automate existing work, or fundamentally change the nature of assurance and risk management?

Two misleading narratives dominate this conversation and both need to be set aside. One is that AI will solve everything. The other is that it will replace everyone. Neither is accurate.
Some work will be automated, and there is no value in defending it. Repetitive testing, population-level data analysis, standard control reviews: AI can do these faster, more consistently, and at a scale no team can match. That reallocation of human effort is not a threat. It is an opportunity to move the profession toward work that is genuinely harder and more valuable.
The work that will define the credibility of auditors and compliance officers in the coming decade is exactly what AI cannot do: exercising real professional scepticism, challenging governance assumptions, reading the organisational dynamics that shape risk culture, and holding accountable the humans who are ultimately responsible for what algorithms do at scale. AI can surface a suspicious pattern in ten million transactions. It cannot tell you whether management is using model complexity to avoid scrutiny.
What I expect in Portugal's financial sector is a clear divide. Institutions that build genuine AI governance competence will gain a real advantage in regulatory credibility. Those that treat it as a documentation exercise will be exposed, both by regulators whose expectations are rising under AMLA and the EU AI Act, and by the failures they were not equipped to prevent.

For professionals in audit, risk, and compliance who may feel overwhelmed by AI, what concrete steps would you recommend they take now to build relevant skills and ensure they remain credible, independent, and effective in an increasingly AI-driven control environment?

Start by changing the framing. The professionals most at risk are not those who feel overwhelmed, because that feeling means they are paying attention. The dangerous ones are those who have decided AI does not really apply to their work yet. It does, and the window to build the necessary skills while the field is still forming is getting shorter.
The first step is building model risk fluency, not data science skills. You do not need to understand the mathematics of machine learning to audit it well. You do need to understand what training data is, why model drift happens, what explainability means in practice, and what the EU AI Act, EBA model risk guidelines, FATF digital transformation guidance, and Wolfsberg principles actually require. These are your starting points: authoritative, accessible, and directly relevant.
The second step is learning to challenge a model through its documentation. Every AI system should come with a governance record. Practise the structured questions: who owned the training data, what were the performance metrics and on which dataset, what are the known failure modes, and what happens when conditions change from what the model was trained on.
The third step is to embed AI risk into your existing frameworks rather than building a separate track for it. AI risk belongs in the enterprise risk register, in the audit universe, and in the compliance monitoring programme. Treating it as a standalone topic is how it becomes underfunded and insufficiently challenged.
Finally, stay close to the regulatory horizon because it is moving quickly. The EU AI Act, DORA, AMLA, and the evolving guidance from the EBA, ECB, FATF, and Basel Committee are not background reading. They are defining what the audit and compliance function will be held to account for in the next five years. The professionals who combine domain expertise with regulatory fluency and structured AI methodology will not be displaced by this technology. They will be the ones trusted to govern it.


Ricardo Cardoso is a Senior Manager at Forvis Mazars in Portugal, leading Assurance Financial Services and Technology & Digital Consulting projects and initiatives. His work focuses on internal audit, regulatory compliance, risk assurance, AML assessment, cybersecurity and IT assurance, supporting financial institutions and multinational organisations in navigating increasingly complex governance and risk environments.

With previous experience at Caixa Geral de Depósitos and BNP Paribas, Ricardo has led projects related to financial crime compliance, AML frameworks, internal governance, regulatory implementation and risk management across international markets. His expertise spans areas such as anti-money laundering, reputational risk, compliance assurance, internal control and AI-related governance challenges.

He holds several professional certifications, including Lean Six Sigma Green Belt, ISO 27001 Lead Auditor, ISO 37301 Lead Auditor and SOC 2 Reporting, and is currently attending an Executive Program in Cybersecurity at Faculdade de Ciências da Universidade de Lisboa. He also frequently contributes with articles and expert commentary on technology, cybersecurity and AI, particularly in their intersection with audit and risk governance.

To better understand Ricardo’s perspective on three blind spots that are often overlooked by companies using or implementing AI systems, read this excellent article
