Podcast icon
The Bottom Line.

The Bottom Line.

Your roadmap for weekly insights into audit, risk, and compliance. Whether it’s a shift in global regulatory standards, emerging risk trends, or the latest internal audit best practices, we get you to the "so what" in a flash. Stay informed and ahead of the curve in three minutes or less.

Recent Episodes

AI robot performing on stage about to be yanked off with a stage hook.

6/29/2026  ●  2 min 46 sec

A Blueprint for Responsible AI [Part 3]

How do you move from identifying AI risks to actively managing them? Join Allyson Edwards on The Bottom Line as she outlines the practical framework needed to govern technology responsibly. Discover the four essential controls, ranging from tool inventories to model drift monitoring, that protect your organizational data without stalling innovation. Read the full insight, AI Is Great But Stupid (Part 3): Governing AI.

  • Read Full Transcript

    Hi, I'm Allyson Edwards from AdviseUp Consulting, and this is The Bottom Line.


    At this point in our series, AI might be starting to sound more risky than useful. But these challenges aren't a reason to avoid the technology entirely; instead, they're a reason to govern it thoughtfully.


    The reality is that AI adoption is happening faster than formal oversight structures. Employees are experimenting with tools independently, integrating AI into existing processes, and entering sensitive data into systems that haven't been fully vetted by leadership.


    The biggest misconception about AI governance is that it belongs entirely to your IT department. In reality, AI affects nearly every part of an organization, and the risks differ wildly based on the use case. An AI tool used to summarize meeting notes creates very different operational exposures from one reviewing contracts, analyzing insurance claims, or assisting with hiring decisions. Governance has to account for those differences.


    Effective governance starts with visibility. Organizations should already be asking what tools our employees are actually using, what data is being entered, and who validates the outputs?


    Once you understand your footprint, you don't need to reinvent the wheel. It’s about adapting existing governance concepts to these new technological risks through four practical controls.


    First, approved AI tool inventories. Document exactly which tools are approved, restricted, or prohibited to eliminate unvetted privacy and compliance gaps.


    Second, prompt and data handling guidelines. Give employees clear boundaries about what information can be entered into these tools, and how prompts should be structured to protect sensitive data.


    Third, access restrictions and permission right-sizing. AI tools can only be constrained by the permissions they are given. If an employee has broad access rights, an AI system operating through their credentials inherits those same capabilities. You must enforce least-privilege access.


    And fourth, model drift monitoring. Unlike traditional software, AI systems change over time as models update and input patterns shift. Governance cannot be a one-time implementation exercise; it requires recurring testing and human-in-the-loop validation.


    Here is the bottom line, AI governance is not about eliminating risk entirely. We all know that’s a losing proposition. It’s about creating enough structure and oversight to use the technology responsibly while still benefiting from its capabilities.


    The businesses that succeed with AI won't be the ones that trust it blindly. They will be the ones that govern it thoughtfully.


    Stay tuned for our final installment where we'll pivot from high-level oversight to the daily habits, tips, and tricks that will make your team more effective AI users.


    Thanks for joining The Bottom Line.


AI Robot standing next to a small dog in a cage with a sign that reads

6/16/2026  ●  2 min 10 sec

The Illusion of AI Accuracy [Part 2]

If up to 81% of AI responses contain serious errors, why do we trust it so easily? Join Allyson Edwards on The Bottom Line as she breaks down the four predictable points of failure every compliance team needs to watch out for. Discover how hallucinations, hidden biases, incomplete context, and automation bias introduce massive organizational risk and why thoughtful controls are your best defense. Read the full insight, AI Is Great But Stupid (Part 2): Where AI Goes Wrong.

  • Read Full Transcript

    Hi, I'm Allyson Edwards from AdviseUp Consulting, and this is The Bottom Line.


    Right now, researchers are finding that up to 81% of AI responses regarding news and facts contain serious errors ranging from poor sourcing to entirely fabricated stories.


    Here is the reality on the ground. The key misconception about AI is not that it is intelligent. It is the dangerous belief that it is reliably correct.


    In Part One of this series, we established that generative AI is essentially advanced predictive text. It does not actually think or verify the truth, and because of that, it creates four predictable points of failure that every compliance team needs to watch out for.


    First, hallucinations with confidence. AI doesn't need to be malicious to create massive organizational risk; it just needs to be convincing. It frequently produces completely fabricated information with the exact same authority it uses for facts.


    Second, hidden bias. Bias in AI is rarely intentional, but our systems are only as unbiased as we are. By reflecting historical training data, AI can instantly replicate structural biases in hiring, medical treatments, or evaluations. This creates uneven outcomes that are incredibly difficult to detect without a structured review.


    Third, the risk of incomplete context. A technically correct answer can still be practically wrong for your specific organization. If you deploy a model straight out of the box without providing it with regulatory nuance or internal boundaries it needs, the output is essentially unusable for real decision-making.


    And fourth, the trap of automation bias. We often think human review is the ultimate control. But if your team is reviewing massive amounts of highly confident AI output under tight deadlines, that human review quickly becomes performative. We start trusting the machine instead of validating the work.


    AI introduces the exact same garbage in, garbage out risks we have always faced in audit just at a massive scale and blinding speed.


    The organizations that will benefit the most from AI are the ones building thoughtful controls around it.


    Stay tuned for our next installment, where we’ll explore exactly what governance looks like in practice.


    Thanks for joining The Bottom Line.


The Reality of Generative AI

5/27/2026  ●  2 min 57 sec

The Reality of Generative AI [Part 1]

Is your executive team confused about what AI actually is? Join Andrea St. Pierre on The Bottom Line as she breaks down why generative AI is just advanced predictive text, not a reasoning tool. Discover the two critical checkpoints you need to operationalize to protect your organization from the illusion of accuracy. Read the full insight, AI Is Great But Stupid (Part 1): Understanding What AI Actually Is.

  • Read Full Transcript

    I'm Andrea St. Pierre from AdviseUp Consulting, and this is The Bottom Line.


    Right now, companies are pouring an exceptional amount of time and capital into new AI strategies, hoping for long term cost savings. But here is the reality on the ground. There is still a surprising amount of confusion at the executive level about what AI actually is, and more importantly, what it isn't.


    So, ask yourself, are you deploying a strategic risk tool, or are you inadvertently building a process around a highly confident algorithm?


    Modern generative AI systems don't reason or understand information in the human sense. Instead, they identify patterns in massive datasets and generate responses based on probabilities. Simply put, AI is an extremely advanced predictive text.


    It’s a lot like taking a toddler to the zoo. If they see a wolf, they're likely to call it a "doggie" because statistically, that's the animal they know best. AI does the exact same thing at scale. It produces outputs that look incredibly thoughtful because it mimics human language, but it doesn’t actually understand meaning, intent, or the truth.


    To protect your organization and use AI safely, you need to operationalize these two checkpoints.


    First, shift to verification. Because AI mimics human language so well, it creates a dangerous illusion of accuracy. Don't just trust the output. Establish an evidence based process to validate that every response is grounded in fact, not just a probability.


    Second, recognize the mimicry. Stop assuming the tool "understands" the policies or regulations it summarizes. It does not. It predicts, structures, and mimics based purely on probability and patterns.


    Understanding what AI actually is lays the foundation for how it can be governed effectively. A tool cannot replace a culture of diligence. Focus on improving your risk processes from the inside out before handing the wheel over to the tech.


    Stay tuned, because this is just part one of our series. In our next installment, we will be walking through exactly where things go off the rails.


    Thank you for listening to the Bottom Line, and have a great day.


Nontraditional Majors in Audit

5/12/2026  ●  1 min 33 sec

Nontraditional Majors in Audit

Looking for a career with a front row seat to how organizations really work? Join Allyson Edwards as she breaks down why internal audit needs diverse thinkers and how your nontraditional degree could be your greatest asset. Discover why your perspective is exactly what the profession needs right now. Read the full breakdown on finding your fit in audit on our blog.

  • Read Full Transcript

    Hi, I’m Allyson Edwards, and this is The Bottom Line.


    If you haven’t thought about a career in internal audit, you’re not alone. Years ago, when I first got started as a political science major, I thought Internal Audit was the realm of accounting and business majors. But now, several years later? I’ve never looked back.


    Internal audit gives you a front-row seat to how organizations really work. It’s easily one of the best first jobs out there because you get to learn about every single part of the business—from operations to finance to the C-suite.


    And here is the thing: the field is changing. It needs people who think differently. So, if you’re a recent grad or early in your career, this is for you. Your major isn't just a degree—it’s a massive advantage.


    Take my background, for instance. As a political science major, I was trained to understand systems, incentives, and governance. I can use that to look at how one small decision can ripple through an entire organization.


    Or look at English and Communications majors—they are the ones who can take complex, messy data and turn those findings into clear, impactful stories that leadership can actually understand and use.


    Whether you studied Psychology, History, or Philosophy, if you come from a "non-traditional" major, your perspective is exactly what this profession needs right now to stay ahead of risk.


    Ready to see where your background fits? Read the full breakdown in our post on how your major could make you a great auditor.


    Thank you for listening to the Bottom Line, and have a great day.


The GRC Tool Reality Check

5/6/2026  ●  1 min 31 sec

The GRC Tool Reality Check

Is your GRC platform a strategic asset or just expensive "shelfware"? Join Allyson Edwards for a brief overview of why 50% of implementations fail and how to fix your internal processes and data integrity to ensure your technology investment delivers value on day one. Read the full breakdown on how to choose the right GRC tool on our blog.

  • Read Full Transcript

    Hi, I’m Allyson Edwards from AdviseUp Consulting, and this is The Bottom Line.


    Did you know that roughly 50% of GRC software implementations fail to meet their original objectives within the first two years? Here’s why: most organizations buy the "Ferrari" of tools when they are still learning how to drive.


    We’re seeing a shift where GRC tools are becoming expensive "shelfware" that creates more technical chores than strategic value. Think of a GRC tool like a high-end GPS. It’s a powerful guide, but it’s useless; if you haven’t mapped out your destination or if your internal processes are still under construction. You don't need a tool to tell you that you're lost; you need it to help you move faster once you know where you’re going.


    To ensure your investment delivers value on day one, follow this pre-implementation checklist:


    First, fix the process before the automation. A broken process in the cloud is just an expensive rescue mission waiting to happen.


    Second, clean the data before the import. You need transparent numbers for board-ready reporting.


    And finally, prioritize the risks before the rollout. Start with your top five critical risks. Solve those first and then scale.


    A GRC tool is a megaphone for your existing culture. Focus on improving the business from the inside out by fixing the process before you buy the platform. You can find the full breakdown about GRC Tool Selection on our website.


What Georgia's $25 Million Dollar Fine Means for Payers

4/27/2026  ●  1 min 50 sec

Payer Lessons from Georgia's $25M Parity Penalty

Is your mental health parity strategy a real-world shield or just a paper policy? Join Allyson Edwards for a brief overview of the fallout from Georgia’s $25M Parity Penalty and how to validate NQTLs to ensure your organization survives the new era of intense regulatory scrutiny.

  • Read Full Transcript

    Hi, I'm Allyson Edwards from AdviseUp Consulting, and welcome to The Bottom Line.


    There’s been a major shift in healthcare regulation that every payer needs to have on their radar. On January 13th, Georgia’s Insurance Commissioner issued nearly $25 million in fines against health insurers for violations of the Mental Health Parity Act. If you’ve been treating parity as a compliance checkbox, this is your wake-up call.


    That era is over. Parity is no longer a paperwork exercise. We are seeing a hard shift from simple policy reviews toward deep, operational audits.


    Look at Georgia. They went beyond the written word and analyzed millions of data points—from claims processing to medical necessity standards—to see how benefits were actually being applied. 


    What they found was a systemic gap. Even with identical policies on paper, mental health benefits were being applied far more restrictively than medical or surgical care.


    For payers, this means your risk environment has fundamentally changed. There are three pressure points you need to address immediately:


    The first is data preparedness. You must have the analytics to prove comparative parity in real-time.


    The second is NQTL documentation. Non-quantitative treatment limitations are the new focus. Your clinical logic must be documented and it must be evidence-based.


    Finally, there’s governance. Parity has to move from a legal requirement to a core enterprise risk managed at the leadership level.


    Georgia isn't an outlier; it’s a blueprint. This is the moment for a 90-day action plan to assess your risk and validate your practices before the next audit cycle begins.


    You can find a full breakdown of Georgia’s $25 Million Parity Penalty on our website.


Understanding Internal Audit Outsourcing vs. Co-Sourcing

4/16/2026  ●  1min 48 sec

Understanding Internal Audit Outsourcing vs. Co-sourcing

Is your internal audit function just a list of "extra hands," or is it a strategic investment? Join Allyson Edwards as she breaks down the critical differences between internal audit outsourcing and co-sourcing. Learn how to choose the model that best protects your organization while building a robust structure that stands up to modern compliance scrutiny.

  • Read Full Transcript

    Hi, I'm Allyson Edwards from AdviseUp Consulting, and welcome to The Bottom Line.


    Did you know that roughly 60% of internal audit functions are now leveraging outside help due to recruiting challenges?


    Building an internal audit team from scratch is expensive and difficult to accomplish, which means more and more companies are looking to external support to help. So, when you look externally, which model is right for your organization: Outsourcing, or Co-sourcing?


    Let’s break it down.


    Outsourcing is a fantastic "starter kit" for smaller companies or organizations just beginning their Internal Audit journey. You outsource the administration to an external provider and gain immediate access to specialized tech skills. The downside? It can be the most expensive option, and external teams sometimes face resistance from your internal staff.


    Co-sourcing, on the other hand, blends your existing internal resources with a third-party provider. It offers incredible flexibility and scalability. It allows you to augment your team with niche technical expertise exactly when you need it, providing fresh, independent insights directly to your audit committee.


    When you are ready to select a partner, you have choices. Large, Big 4 firms have strong reputations, but they can be pricey, have high turnover, and often staff your project with junior associates.


    Smaller, specialized firms offer a great alternative. They are agile, provide direct partnership with senior staff, and make you a true priority without the huge margins.


    Whichever route you choose, the golden rule is this: Look for experienced internal auditors, not external ones.The internal audit mindset is what will help you improve your business from the inside out.


The Bottom Line.

4/7/2026  ●  1min 26 sec

The "Unified Front" Board Report

Are you giving your Board three different stories or one unified map? Join Dorina Hamzo, Founder and CEO of AdviseUp, as she explains how to align Audit, Security, and Compliance into a "strategic shield" that moves beyond activity reporting to provide a clear picture of organizational safety.

  • Read Full Transcript

    Hi, my name is Dorina Hamzo, and I'm the Founder and CEO of AdviseUp Consulting.


    If your Audit, Security, and Compliance plans look like three different storybooks, your Audit Committee is likely overwhelmed and under-informed. They want a single, unified map showing how 'High Risk' vulnerabilities are being addressed. 


    Here is how to structure that alignment. 


    Step 1: Start with the 3 to 5 risks threatening your goals. So, if the goal is 'Rapid AI Integration,' the risk isn't just 'privacy'—it’s the risk of unvetted models. 


    Step 2: Show how the three lines of defense are addressing that specific risk. For example, Security is hardening the environment; Compliance is drafting the Acceptable Use Policy; and Audit is testing the execution of both. When these three move together, you aren't just reporting activity—you're reporting coordinated protection."


    This alignment is not just an exercise to please the Audit Committee.It is about becoming a 'strategic shield" for the company. 


The Bottom Line.

3/31/2026  ●  1min 9 sec

Standardizing Risk Rating Language

When Audit and Enterprise Risk teams use the same labels to mean different things, it stalls decision-making. Join Andrea St. Pierre, VP of Service Delivery, as she breaks down how to align your rating systems by defining their true purpose—moving your team away from debating severity and toward taking action.

  • Read Full Transcript

    Andrea St. Pierre, VP of Service Delivery:


    How do you fix misaligned risk ratings?


    It starts with being clear about why each rating exists in the first place.

    Audit ratings are meant to drive remediation.

    Enterprise risk ratings are to inform strategy.

    They serve very different purposes, and they should not be used interchangeably.


    Next, get specific about what “high” actually means in each case.

    Not just the label, but the impact, the urgency, and the kind of decision it is meant to prompt.


    Then make sure those definitions are shared and used consistently across teams.


    When everyone understands what a rating is supposed to signal, leaders spend less time debating severity and more time deciding what to do next.


    Alignment is not about adding to your process.

    It is about using the same language so risk conversations move faster and lead somewhere.