ISO-IEC-42001-Lead-Auditor ISO/IEC 42001:2023 Artificial Intelligence Management System Lead Auditor Exam Question and Answers

In which step are the audit findings, including nonconformities, documented and reviewed?

Scenario 9 (continued):

Scenario 9: Securisai, located in Tallinn. Estonia, specializes in the development of automated cybersecurity solutions that utilize AI systems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. In doing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently and ethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certification audit to demonstrate compliance with ISO/IEC 42001.

The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, and procedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation

of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation, ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.

After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during the certification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a

key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk

management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.

Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.

Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despite being initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partner with a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.

To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation for submission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence to ISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current valid certification registration.

A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The

purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team

concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.

Question:

Based on Scenario 9, what should Securisai’s certification be?

While preparing for an AIMS audit, a technology company faced an issue with the auditor assigned by the certification body. The auditor lacked a security clearance, which is mandatory for accessing certain sensitive information involved in the audit due to the company's government contracts and proprietary technology. The company requested to replace the auditor with someone who meets the security requirements to ensure the audit can proceed without compromising sensitive information or violating government regulations. Is this acceptable?

Based on Scenario 5, Alterhealth determined the audit time. Is this acceptable?

Scenario 5: Alterhealth is a mid-sized technology firm based in Toronto. Canada. It develops Al systems for healthcare providers, focusing on improving patient care,

optimizing hospital workflows, and analyzing healthcare data for insights that can improve health outcomes. To ensure responsible and effective use of Al in its

operations, Alterhealth has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001. After a year of having the AIMS in place, the

company decided to apply for a certification audit to obtain certification against ISO/IEC 42001.

The company contracted a certification body to conduct the audit, who assembled the audit team and appointed the audit team leader. The audit team leader had

conducted a certification audit at Alterhealth in the past. The top management of Alterhealth decided to reject the appointment of this auditor because they believed

that they would not receive added value from the audit. In response, the certification body appointed Jonathan, an independent auditor with no prior engagements with

Alterhealth, as the new audit team leader. Jonathan's introduction marked the beginning of a collaborative process aimed at evaluating the conformity of the AIMS to

ISO/IEC 42001 requirements.

The certification body determined the audit scope, which included only specific departments essential to the integration and application of Al, such as the Al Research,

Machine Learning Applications, and Al Ethics and Compliance Departments, and did not cover all of the departments covered by the AIMS scope. Meanwhile,

Alterhealth determined the audit time, setting the necessary time frame for planning and conducting a thorough and effective review to ensure all aspects of the AIMS

within the selected departments were meticulously reviewed.

Afterward, Jonathan received a detailed offer from the certification body, outlining his role and including information related to the audit, such as the audit's duration,

team members, their responsibilities, the limits to the audit engagement, and their salary compensation. With a clear mandate, Jonathan was tasked with a multitude

of responsibilities: defining the audit objectives and criteria, planning the audit process, identifying and addressing audit risks, managing communication with

Alterhealth, overseeing the audit team, and ensuring a smooth and conflict free execution.

With Jonathan's leadership and a well-defined audit framework in place, the certification audit proceeded with a structured and objective evaluation of Alterhealth's

AIMS.

Scenario 2 (continued):

Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries. Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyze vast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, the company has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.

Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a framework for defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it

did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented the policy, communicated it internally, and made it accessible to interested parties.

The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, they ensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, and facilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel

were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Al performance.

The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria and implemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement. Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure the integrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using a versioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to make changes was restricted to authorized personnel, and any proposed modifications required approval from the designated management team before being implemented.

Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established a comprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it is necessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance on implementing controls and, ultimately, produced a Statement of Applicability So A. The SoA contained the necessary controls, including all the controls of Annex A and justifications for their inclusion or exclusion.

Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company's requirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensured objectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top

management of the company.

Question:

According to Scenario 2, were the risks addressed in accordance with the ISO/IEC 42001 requirements?

A certification body is conducting surveillance audits for a company that manages multiple sites, including a temporary construction site with a limited duration. The audit team is considering whether the presence of this temporary site should influence the frequency of surveillance audits. Can this factor necessitate an adjustment in the audit schedule?

An AI system is being developed to assist elderly people in their daily activities. The system needs to be intuitive and align with the needs and values of its users. Which core element of AI should guide the design and development of this AI system?

Scenario 4 (continued):

BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.

Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.

Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.

Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some

audit activities, a disciplinary note was recorded for John.

Question:

Which of the following AI applications for auditing did the audit team employ?

An AI-driven recommendation system for online shopping has been accused of promoting products from certain vendors over others without clear reasoning. The company wants to address these concerns effectively. Which core element is most relevant to resolving this issue?

Question:

Which of the following standards emphasizes the importance of conducting AI system impact assessments to evaluate the potential effects on individuals and societies affected by the AI system?

Scenario 2: OptiFlow is a logistics company located in New Delhi, India. The company has enhanced its operational efficiency and customer service by integrating AI across various domains, including route optimization, inventory management, and customer support. Recognizing the importance of AI in its operations, OptiFlow decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 to oversee and optimize the use of AI technologies.

To address clauses 4.1 and 4.2 of the standard, OptiFlow identified and analyzed internal and external issues and the needs and expectations of interested parties. During this phase, it identified specific risks and opportunities related to AI deployment, considering the system's domain, application context, intended use, and internal and external environments. Central to this initiative was the establishment and maintenance of AI risk criteria, a foundational step that facilitated comprehensive AI risk assessments, effective risk treatment strategies, and precise evaluations of risk impacts. This implementation aimed to meet AIMS objectives, minimize adverse effects, and promote continuous improvement. OptiFlow also planned and integrated strategies to address risks and opportunities into AIMS's processes and assessed their effectiveness.

OptiFlow set measurable AI objectives aligned with its AI policy across all organizational levels, ensuring they met applicable requirements and matched the company’s vision. The company placed strong emphasis on the monitoring and communication of these objectives, ensuring they were updated annually or as needed to reflect changes in technology, market demands, or internal processes. It also documented the objectives, making them accessible across the company.

To guarantee a structured and consistent AI risk assessment process, OptiFlow emphasized alignment with its AI policy and objectives. The process included ensuring consistency and comparability, identifying, analyzing, and evaluating AI risks.

OptiFlow prioritizes its AIMS by allocating the necessary resources for its comprehensive development and continuous enhancement. The company carefully defines the competencies needed for personnel affecting AI performance, ensuring a high level of expertise and innovation.

OptiFlow also manages effective internal and external communications about its AIMS, aligning with ISO/IEC 42001 requirements by maintaining and controlling all required documented information. This documentation is meticulously identified, described, and updated to ensure its relevance and accessibility. Through these strategic efforts, OptiFlow upholds a commitment to excellence and leadership in AI management practices.

To comply with clause 9 of ISO/IEC 42001, the company determined what needs to be monitored and measured in the AIMS. It planned, established, implemented, and maintained an audit program, reviewed the AIMS at planned intervals, documented review results, and initiated a continuous feedback mechanism from all interested parties to identify areas of improvement and innovation within the AIMS.

Based on the scenario above, answer the following question:

Did OptiFlow implement all the requirements of Clause 6.1.1 Actions to address risks and opportunities?

Scenario 9:

Scenario 9: Securisai, located in Tallinn. Estonia, specializes in the development of automated cybersecurity solutions that utilize AI systems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. In doing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently and ethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certification audit to demonstrate compliance with ISO/IEC 42001.

The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, and procedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation

of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation, ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.

After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during the certification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a

key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk

management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.

Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.

Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despite being initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partner with a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.

To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation for submission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence to ISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current valid certification registration.

A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The

purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team

concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.

Question:

Roger followed up on action plans resulting from external audits. Is this acceptable?

Which of the following is NOT a guide’s responsibility?

What could require a stage 1 audit during a recertification audit?

Scenario 3 (continued):

ArBank is a financial institution located in Brussels, Belgium, which offers a diverse range of banking and investment services to its clients. To ensure the continual improvement of its operations, ArBank has implemented a quality management system QMS based

on ISO 9001 and an artificial intelligence management system AIMS based on the requirements of ISO/IEC 42001.

Audrey, an experienced auditor, led an internal audit focused on the AIMS within ArBank. She assessed the chatbots integrated into the bank's website and mobile app, analyzing communications using big data technology to identify potential noncompliance, fraud, or unethical conduct. Instead of relying solely on the information provided by the chatbots, Audrey sought out evidence that would either confirm or challenge the validity of the data, ensuring her conclusions were based on reliable and accurate information. Her review of selected chatbot interactions confirmed they met their intended purpose.

For the specific context of ArBank's operations, Audrey utilized an Al system to assess the efficiency of the bank's digital infrastructure, focusing on tasks critical to the Finance Department. This Al system was able to analyze the functionality of chatbots integrated into ArBank's website and mobile app to determine if it adheres to ISO/IEC 42001 requirements and internal policies governing customer service in the banking sector.

In addition, Audrey conducted a deeper assessment of the bank’s AIMS. Her evaluation included observing different stages of the AIMS life cycle, from development to deployment, to ensure that roles and responsibilities were clearly defined and aligned with ArBank’s operational goals. She also evaluated the tools used to monitor and measure the performance of the AIMS.

Audrey continued the audit process by auditing ArBank's outsourced operations. Upon checking the contractual agreements between the two parties, Audrey decided that there was no need to gather audit evidence regarding the contractual agreement. She reviewed the company's processes for monitoring the quality of outsourced operations, determined whether appropriate governance processes are in place with regard to the engagement of outsourced persons or organizations, and reviewed and evaluated the company's plans in case of expected or unexpected termination of the outsourcing agreement.

Based on the scenario above, answer the following question:

Question:

What big data technology did Audrey utilize? Refer to Scenario 3.

Based on Scenario 6, which aspect of assigning roles and responsibilities to the audit team is incorrect?

Scenario 6: AfrinovAl, based in Nairobi, Kenya, develops Al tools to improve agriculture in Africa. The company uses Al to address challenges faced by African farmers,

offering tools for analyzing satellite images to monitor crop health, predicting pest and disease outbreaks, and automating irrigation to use water more efficiently.

AfrinovAl has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001, reflecting its commitment to ethical and effective

management practices in its Al solutions.

AfrinovAl is undergoing a certification audit to obtain certification against ISO/IEC 42001. Samuel, an expert in Al technologies and management systems, is heading

the audit team. Before initiating the audit process, Samuel reviewed and approved the audit plan, which served as a basis for the agreement between the certification

body and the auditee.

During the stage 1 audit, the audit team focused on a detailed evaluation of AfrinovAI's documented information, critically assessing both their format and content.

Samuel held a meeting with his team to prepare for the stage 2 audit. During this meeting, responsibilities were allocated among team members, assigning specific

processes, functions, sites, areas, or activities based on each auditor's expertise and the audit requirements. He also assigned auditing roles to technical experts to

leverage their specialized knowledge in specific areas.

In the stage 2 audit, Samuel and his team held an opening meeting during which Samuel explained how the audit activities will be undertaken. AfrinovAI's also

participated in the meeting. Afterward, the audit team conducted on-site activities to closely inspect the physical locations of the audited processes. The interviewed

individuals from the auditee's personnel regarding the AIMS and observed some of the operations of the auditee. They also used sampling and technical verification to

assess the implementation of Al-related controls, verify compliance with established procedures, and identify any gaps in adherence to the AIMS requirements. They

skipped the review of documented information related to the AIMS since some documents had already been reviewed during the stage 1 audit. This comprehensive

approach ensured a thorough evaluation of AfrinovAI's AIMS against the ISO/IEC 42001.

During an audit, the auditor uncovers sensitive data regarding the AI system's algorithms and their decision-making processes. Which principle must the auditor adhere to when handling this information?

Scenario 7:

Scenario 7: ICure, headquartered in Bratislava, is a medical institution known for its use of the latest technologies in medical practices. It has introduced groundbreaking Al-driven diagnostics and treatment planning tools that have fundamentally transformed patient care.

ICure has integrated a robust artificial intelligence management system AIMS to manage its Al systems effectively. This holistic management framework ensures that ICure's Al applications are not only developed but also deployed and maintained to adhere to the

highest industry standards, thereby enhancing efficiency and reliability.

ICure has initiated a comprehensive auditing process to validate its AIMS's effectiveness in alignment with ISO/IEC 42001. The stage 1 audit involved an on-site evaluation by the audit team. The team evaluated the site-specific conditions, interacted with ICure's personnel,

observed the deployed technologies, and reviewed the operations that support the AIMS. Following these observations, the findings were documented and communicated to ICure. setting the stage for subsequent actions.

Unforeseen delays and resource allocation issues introduced a significant gap between the completion of stage 1 and the onset of stage 2 audits. This interval, while unplanned, provided an opportunity for reflection and preparation for upcoming challenges.

After four months, the audit team initiated the stage 2 audit. They evaluated AIMS's compliance with ISO/IEC 42001 requirements, paying special attention to the complexity of processes and their documentation. It was during this phase that a critical observation was made:

ICure had not fully considered the complexity of its processes and their interactions when determining the extent of documented information. Essential processes related to Al model training, validation, and deployment were not documented accurately, hindering effective control and management of these critical activities. This issue was recorded as a minor nonconformity, signaling a need for enhanced control and management of these vital activities.

Simultaneously, the auditor evaluated the appropriateness and effectiveness of the "AIMS Insight Strategy," a procedure developed by

ICure to determine the AIMS internal and external challenges. This examination identified specific areas for improvement, particularly in

the way stakeholder input was integrated into the system. It highlighted how this could significantly enhance the contribution of relevant

parties in strengthening the system's resilience and effectiveness.

The audit team determined the audit findings by taking into consideration the requirements of ICure, the previous audit records and

conclusions, the accuracy, sufficiency, and appropriateness of evidence, the extent to which planned audit activities are realized and

planned results achieved, the sample size, and the categorization of the audit findings. The audit team decided to first record all the

requirements met; then they proceeded to record the nonconformities.

Based on the scenario above, answer the following question:

Question:

Which phase of the Stage 1 audit was NOT conducted by the audit team?

Question:

Which of the following describes a joint audit?

Scenario 1 (continued):

To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.

Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.

After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.

Question:

Prior to the certification audit, the institution conducted an internal audit and management review. Is this acceptable?

Question:

DenSolutions, a financial institution, is seeking to certify its AIMS. The certification body appointed Sarah as the audit team leader, who previously provided consultancy services regarding the AIMS. Can Sarah audit the AIMS of DenSolutions?

Based on ISO/IEC 42001, which of the following is NOT one of the factors that an organization must consider when determining the risks and opportunities related to an AI system?

Based on the last paragraph of scenario 3, which audit principle did Augustine violate? Refer to scenario 3.

Scenario 3: Heala specializes in developing Al-driven solutions for the healthcare sector. With a keen focus on leveraging Al to revolutionize patient care, diagnostics,

and treatment planning, the company has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001. After a year of having the AIMS in

place, the company decided to apply for a certification audit.

It contracted a local certification body, who established the audit team and assigned the audit team leader. Augustine, the designated audit team leader, has a wide

range of skills relevant to various auditing domains. His proficiency encompasses audit principles, processes, and methods, as well as standards for management

systems and additional references. Furthermore, he is knowledgeable about the Heala’s context and relevant statutory and regulatory requirements.

Augustine first gathered management review records, interested party feedback logs, and revision histories for Heala's AIMS. This crucial step laid the groundwork for

a deeper investigation, which included conducting comprehensive interviews with key personnel to understand how feedback from interested parties directly

influenced updates to the AIMS and its strategic direction. Augustine's thorough evaluation process aimed to verify Heala's commitment to integrating the needs and

expectations of interested parties, a critical requirement of ISO/IEC 42001.

Augustine also integrated a sophisticated Al tool to analyze large datasets for patterns and anomalies, and thus have a more informed and data driven audit process.

This Al solution, known for its ability to sift through vast amounts of data with unparalleled speed and accuracy, enabled Augustine to identify irregularities and trends

that would have been nearly impossible to detect through manual methods. The tool was also helpful in preparing hypotheses based on data.

During the audit. Augustine failed to fully consider Heala’s critical processes, expectations, the complexity of audit tasks, and necessary resources beforehand. This

oversight compromised the audit integrity and reliability, reflecting a significant deviation from the diligence and informed judgment expected of auditors.

Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure

that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.

Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills

and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.

Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.

Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.

Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team's authority to conduct the audit, and summarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.

Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.

As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.

Based on the scenario above, answer the following question:

Question:

Based on Scenario 5, did the certification body take the necessary steps to assure the overall competence of the audit team?

An audit team member is tasked with evaluating a sophisticated AI system used for autonomous driving. They lack the necessary expertise but proceed without consulting a specialist. Which principle is being neglected in this scenario?

During a combined audit, if an auditor identifies a finding linked to one criterion, should they consider its potential impact on corresponding or related criteria of other management systems?

Which of the following does NOT constitute an appropriate technology requirement for virtual audits between the auditee and audit team?

Was the audit team leader’s decision regarding the handling of the technical expert's findings acceptable? Refer to Scenario 7.

Scenario 7: TastyMade. headquartered in Hamburg, Germany, is an established company in the food manufacturing industry that applies Al technologies in its

operations. It has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to further strengthen its Al management and ensure

compliance with international standards. As part of its commitment to excellence and continual improvement, TastyMade is undergoing an audit process to achieve

certification against ISO/IEC 42001.

In preparation for the audit, TastyMade collaborated closely with the audit team leader to develop a detailed audit plan. This plan encompassed objectives, criteria,

scope, and logistical arrangements for both on-site and remote audit activities. Recognizing the specialized nature of Al integration, a technical expert was brought in

to support the audit team and ensure comprehensive coverage of relevant aspects. Upon discussion with the audit team leader, it was mutually decided that not every

audit team member would need a guide throughout the audit process. At times, the TastyMade itself would assume the role of the guide, actively facilitating audit

activities.

A formal opening meeting was held with TastyMade's management to provide an overview of the audit process and set expectations. During this meeting, key

interested parties were briefed on the audit objectives and the methodologies that would be employed during the audit. Following the meeting, the audit team

proceeded with their work, collecting information and conducting tests to evaluate the effectiveness of TastyMade's AIMS.

Daily evening meetings were held to review progress, discuss encountered issues, and facilitate collaboration among audit team members. The audit team leader

adopted an open communication approach, encouraging all auditors to share their findings and challenges. The communication regarding the progress of the audit

was informal, allowing for a fluid exchange of information and updates among team members.

To verify adherence to some requirements of clause 4.1 Understanding the organization and its context, the audit team arbitrarily selected for analysis a representative

sample of Al management practices across different departments and functions within the company.

During the audit process, the technical expert uncovered certain technical and operational findings related to the integration and governance of Al systems.

Recognizing the significance of these findings, the expert promptly informed the audit team leader. Understanding the need for further clarification and direct

communication, the audit team leader authorized the technical expert to address the findings directly with the auditee. However, to ensure proper oversight, the expert

was supervised by one of the audit team members.

Throughout the audit, it became apparent that TastyMade promoted a culture of autonomy and decentralized decision-making in Al integration processes. Employees

were empowered to set goals, allocate responsibilities, and devise methodologies independently, with management providing guidance and support as needed. This

approach fostered innovation and agility within the company

What type of audit evidence did Augustine gather when he collected management review records? Refer to scenario 3.

Scenario 3: Heala specializes in developing Al-driven solutions for the healthcare sector. With a keen focus on leveraging Al to revolutionize patient care, diagnostics,

and treatment planning, the company has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001. After a year of having the AIMS in

place, the company decided to apply for a certification audit.

It contracted a local certification body, who established the audit team and assigned the audit team leader. Augustine, the designated audit team leader, has a wide

range of skills relevant to various auditing domains. His proficiency encompasses audit principles, processes, and methods, as well as standards for management

systems and additional references. Furthermore, he is knowledgeable about the Heala’s context and relevant statutory and regulatory requirements.

Augustine first gathered management review records, interested party feedback logs, and revision histories for Heala's AIMS. This crucial step laid the groundwork for

a deeper investigation, which included conducting comprehensive interviews with key personnel to understand how feedback from interested parties directly

influenced updates to the AIMS and its strategic direction. Augustine's thorough evaluation process aimed to verify Heala's commitment to integrating the needs and

expectations of interested parties, a critical requirement of ISO/IEC 42001.

Augustine also integrated a sophisticated Al tool to analyze large datasets for patterns and anomalies, and thus have a more informed and data driven audit process.

This Al solution, known for its ability to sift through vast amounts of data with unparalleled speed and accuracy, enabled Augustine to identify irregularities and trends

that would have been nearly impossible to detect through manual methods. The tool was also helpful in preparing hypotheses based on data.

During the audit. Augustine failed to fully consider Heala’s critical processes, expectations, the complexity of audit tasks, and necessary resources beforehand. This

oversight compromised the audit integrity and reliability, reflecting a significant deviation from the diligence and informed judgment expected of auditors.

Scenario 2 (continued):

Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries. Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyze vast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, the company has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.

Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a framework for defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it

did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented the policy, communicated it internally, and made it accessible to interested parties.

The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, they ensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, and facilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel

were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Al performance.

The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria and implemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement. Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure the integrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using a versioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to make changes was restricted to authorized personnel, and any proposed modifications required approval from the designated management team before being implemented.

Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established a comprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it is necessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance on implementing controls and, ultimately, produced a Statement of Applicability So A. The SoA contained the necessary controls, including all the controls of Annex A and justifications for their inclusion or exclusion.

Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company's requirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensured objectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top

management of the company.

Question:

Based on Scenario 2, was the awareness session conducted in accordance with the requirements of Clause 7.3 Awareness of ISO/IEC 42001?

What does ISO 19011 provide?

What type of audit risk is described in the last paragraph of Scenario 4?

Scenario 4: Finalogic leads the application of artificial intelligence in the financial services sector, which is used to improve risk assessment, fraud detection, and

customer service. The company has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to ensure operational quality, ethical Al

use, regulatory compliance, and transparency, allowing for consistent oversight and structured governance.

This month, Finalogic is undergoing an audit to obtain certification against ISO/IEC 42001, a critical step in demonstrating its commitment to responsible Al. To

evaluate Finalogic's conformity to the audit criteria, the audit team adopted a comprehensive, evidence-based approach. The gathered evidence ranged from analyses

of unquantifiable information to analyses of samples related to determining the audit criteria-including internal reports generated by Finalogic's own Al system-which

assert successful integration and compliance with the standard.

Additionally, presentations by the company’s Al team during the audit highlighted the system’s success in customer service enhancements and fraud detection,

emphasizing improved efficiency, decision making accuracy, and user trust. An evaluation report prepared by an independent third party firm specializing in Al systems

also provided an objective review of Finalogic's AIMS. It assessed the system's effectiveness, bias, and compliance through a thorough examination.

During the audit, the audit team applied the same level of effort and utilized the same techniques across all audit areas, regardless of their risk level. This strategy

ensured a consistent and thorough evaluation of the AIMS, uncovering any latent weaknesses or inefficiencies that might otherwise go unnoticed.

Despite Finalogic's advanced AIMS and adherence to ISO/IEC 42001 for ethical Al practices, there remains a risk of Al algorithms inadvertently perpetuating bias or

making inaccurate predictions due to unforeseen flaws in training data or algorithmic models. This could lead to unfair loan rejections or approvals, potentially causing

financial losses or damaging the company’s reputation for fairness and accuracy in its financial services. By acknowledging these risks. Finalogic remains committed

to refining its Al governance, implementing bias mitigation strategies, and enhancing transparency to uphold its reputation as a leader in Al driven financial services.

Question:

What is a significant drawback of using judgment-based sampling in audits?

Which international standard does the top management of NeuraGen apply to govern the effective use of AI? (Refer to Scenario 1)

Scenario: NeuraGen, founded by a team of AI experts and data scientists, has gained attention for its advanced use of artificial intelligence. It specializes in developing personalized learning platforms powered by AI algorithms. MindMeld, its innovative product, is an educational platform that uses machine learning and stands out by learning from both labeled and unlabeled data during its training process. This approach allows MindMeld to use a wide range of educational content and personalize learning experiences with exceptional accuracy. Furthermore, MindMeld employs an advanced AI system capable of handling a wide variety of tasks, consistently delivering a satisfactory level of performance. This approach improves the effectiveness of educational materials and adapts to different learners' needs.

NeuraGen skillfully handles data management and AI system development, particularly for MindMeld. Initially, NeuraGen sources data from a diverse array of origins, examining patterns, relationships, trends, and anomalies. This data is then refined and formatted for compatibility with MindMeld, ensuring that any irrelevant or extraneous information is systematically eliminated. Following this, values are adjusted to a unified scale to facilitate mathematical comparability. A crucial step in this process is the rigorous removal of all personally identifiable information (PII) to protect individual privacy. Finally, the data is subjected to quality checks to assess its completeness, identify any potential bias, and evaluate other factors that could impact the platform's efficacy and reliability.

NeuraGen has implemented an advanced artificial intelligence management system (AIMS) based on ISO/IEC 42001 to support its efforts in AI-driven education. This system provides a framework for managing the life cycle of AI projects, ensuring that development and deployment are guided by ethical standards and best practices.

NeuraGen's top management is key to running the AIMS effectively. Applying an international standard that specifically provides guidance for the highest level of company leadership on governing the effective use of AI, they embed ethical principles such as fairness, transparency, and accountability directly into their strategic operations and decision-making processes.

While the company excels in ensuring fairness, transparency, reliability, safety, and privacy in its AI applications, actively preventing bias, fostering a clear understanding of AI decisions, guaranteeing system dependability, and protecting user data, it struggles to clearly define who is responsible for the development, deployment, and outcomes of its AI systems. Consequently, it becomes difficult to determine responsibility when issues arise, which undermines trust and accountability, both critical for the integrity and success of AI initiatives.

Which among the following is NOT a level of AI?

Which of the following does NOT represent the purpose of managing and maintaining audit program records?

Scenario 5 (continued):

Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure

that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.

Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills

and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.

Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.

Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.

Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team's authority to conduct the audit, and summarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.

Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.

As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.

Based on the scenario above, answer the following question:

Question:

Based on Scenario 5, were all the recommended aspects covered during the initial contact with Aizoia?

Question:

While auditing a company’s AIMS, the audit team reviewed policies, objectives, and communications to evaluate the involvement of top management. They also conducted interviews with staff to assess the engagement of leaders at various levels in ensuring the system’s effectiveness.

Based on this approach, what level of management should the auditors prioritize when assessing leadership and commitment?

Scenario 2 (continued):

Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries. Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyze vast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, the company has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.

Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a framework for defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it

did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented the policy, communicated it internally, and made it accessible to interested parties.

The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, they ensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, and facilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel

were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Al performance.

The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria and implemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement. Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure the integrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using a versioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to make changes was restricted to authorized personnel, and any proposed modifications required approval from the designated management team before being implemented.

Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established a comprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it is necessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance on implementing controls and, ultimately, produced a Statement of Applicability So A. The SoA contained the necessary controls, including all the controls of Annex A and justifications for their inclusion or exclusion.

Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company's requirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensured objectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top

management of the company.

Question:

Does the company's implementation of version control practices for documented information align with the requirements of ISO/IEC 42001?

Did Samuel consider all the necessary factors while reviewing documented information during the stage 1 audit? Refer to Scenario 6.

Scenario 6: AfrinovAl, based in Nairobi, Kenya, develops Al tools to improve agriculture in Africa. The company uses Al to address challenges faced by African farmers,

offering tools for analyzing satellite images to monitor crop health, predicting pest and disease outbreaks, and automating irrigation to use water more efficiently.

AfrinovAl has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001, reflecting its commitment to ethical and effective

management practices in its Al solutions.

AfrinovAl is undergoing a certification audit to obtain certification against ISO/IEC 42001. Samuel, an expert in Al technologies and management systems, is heading

the audit team. Before initiating the audit process, Samuel reviewed and approved the audit plan, which served as a basis for the agreement between the certification

body and the auditee.

During the stage 1 audit, the audit team focused on a detailed evaluation of AfrinovAI's documented information, critically assessing both their format and content.

Samuel held a meeting with his team to prepare for the stage 2 audit. During this meeting, responsibilities were allocated among team members, assigning specific

processes, functions, sites, areas, or activities based on each auditor's expertise and the audit requirements. He also assigned auditing roles to technical experts to

leverage their specialized knowledge in specific areas.

In the stage 2 audit, Samuel and his team held an opening meeting during which Samuel explained how the audit activities will be undertaken. AfrinovAI's also

participated in the meeting. Afterward, the audit team conducted on-site activities to closely inspect the physical locations of the audited processes. The interviewed

individuals from the auditee's personnel regarding the AIMS and observed some of the operations of the auditee. They also used sampling and technical verification to

assess the implementation of Al-related controls, verify compliance with established procedures, and identify any gaps in adherence to the AIMS requirements. They

skipped the review of documented information related to the AIMS since some documents had already been reviewed during the stage 1 audit. This comprehensive

approach ensured a thorough evaluation of AfrinovAI's AIMS against the ISO/IEC 42001.

How does the proposed EU AI Act plan to enforce AI regulations across Member States and support innovation?

Scenario 8:

Scenario 8: InnovateSoft, headquartered in Berlin, Germany, is a software development company known for its innovative solutions and commitment to excellence. It specializes in custom software solutions, development, design, testing, maintenance, and consulting, covering both mobile apps and web development. Recently, the company underwent an audit to evaluate the effectiveness and

compliance of its artificial intelligence management system AIMS against ISO/IEC 42001.

The audit team engaged with the auditee to discuss their findings and observations during the audit's final phases. After evaluating the evidence, the audit team presented their audit findings to InnovateSoft, highlighting the identified nonconformities.

Upon receiving the audit findings, InnovateSoft accepted the conclusions but expressed concerns about some findings inaccurately reflecting the efficiency of their software development processes. In response, the company provided new evidence and additional information to alter the audit conclusions for a couple of minor nonconformities identified. After thorough consideration, the audit team leader clarified that the new evidence did not significantly alter the core conclusions drawn for the nonconformities. Therefore, the certification body issued a certification recommendation conditional upon the filing of corrective action plans without a prior visit.

InnovateSoft accepted the decision of the certification body. The top management of the company also sought suggestions from the audit team on resolving the identified nonconformities. The audit team leader offered solutions to address the issues, fostering a collaborative effort between the auditors and InnovateSoft. During the closing meeting, the audit team covered key topics to enhance transparency. They clarified to InnovateSoft that the audit evidence was based on a sample, acknowledging the inherent uncertainty. The method and time frame of reporting and grading findings were discussed to provide a structured overview of nonconformities. The certification body's process for handling nonconformities, including potential consequences, guided InnovateSoft on corrective actions. The time frame for presenting a plan for correction was

communicated, emphasizing urgency. Insights into the certification body’s post-audit activities were provided, ensuring ongoing support.

Lastly, the audit team briefed InnovateSoft on complaint and appeal handling.

InnovateSoft submitted the action plans for each nonconformity separately, describing only the detected issues and the corrective actions planned to address the detected nonconformities. However, the submission slightly exceeded the specified period of 45 days set by the certification body, arriving three days later. InnovateSoft explained this by attributing the delay to unexpected challenges encountered during the compilation of the action plans.

Question:

Was the audit team leader’s attitude appropriate regarding the new evidence provided by the company?

Scenario 2 (continued):

Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries. Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyze vast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, the company has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.

Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a framework for defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it

did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented the policy, communicated it internally, and made it accessible to interested parties.

The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, they ensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, and facilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel

were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Al performance.

The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria and implemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement. Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure the integrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using a versioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to make changes was restricted to authorized personnel, and any proposed modifications required approval from the designated management team before being implemented.

Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established a comprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it is necessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance on implementing controls and, ultimately, produced a Statement of Applicability So A. The SoA contained the necessary controls, including all the controls of Annex A and justifications for their inclusion or exclusion.

Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company's requirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensured objectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top

management of the company.

Question:

Based on Scenario 2, has Empsy HR Solutions established a suitable internal audit program?

Which of the following statements best describes the evidence collection process carried out by the audit team at Finalogic? Refer to Scenario 4.

Scenario 4: Finalogic leads the application of artificial intelligence in the financial services sector, which is used to improve risk assessment, fraud detection, and

customer service. The company has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to ensure operational quality, ethical Al

use, regulatory compliance, and transparency, allowing for consistent oversight and structured governance.

This month, Finalogic is undergoing an audit to obtain certification against ISO/IEC 42001, a critical step in demonstrating its commitment to responsible Al. To

evaluate Finalogic's conformity to the audit criteria, the audit team adopted a comprehensive, evidence-based approach. The gathered evidence ranged from analyses

of unquantifiable information to analyses of samples related to determining the audit criteria-including internal reports generated by Finalogic's own Al system-which

assert successful integration and compliance with the standard.

Additionally, presentations by the company’s Al team during the audit highlighted the system’s success in customer service enhancements and fraud detection,

emphasizing improved efficiency, decision making accuracy, and user trust. An evaluation report prepared by an independent third party firm specializing in Al systems

also provided an objective review of Finalogic's AIMS. It assessed the system's effectiveness, bias, and compliance through a thorough examination.

During the audit, the audit team applied the same level of effort and utilized the same techniques across all audit areas, regardless of their risk level. This strategy

ensured a consistent and thorough evaluation of the AIMS, uncovering any latent weaknesses or inefficiencies that might otherwise go unnoticed.

Despite Finalogic's advanced AIMS and adherence to ISO/IEC 42001 for ethical Al practices, there remains a risk of Al algorithms inadvertently perpetuating bias or

making inaccurate predictions due to unforeseen flaws in training data or algorithmic models. This could lead to unfair loan rejections or approvals, potentially causing

financial losses or damaging the company’s reputation for fairness and accuracy in its financial services. By acknowledging these risks. Finalogic remains committed

to refining its Al governance, implementing bias mitigation strategies, and enhancing transparency to uphold its reputation as a leader in Al driven financial services.

Question:

Which of the following does NOT constitute an appropriate technology requirement for virtual audits between the auditee and audit team?

Based on scenario 3, which of the following AI technologies did Augustine utilize to analyze large datasets? Refer to the fourth paragraph.

Scenario 3: Heala specializes in developing Al-driven solutions for the healthcare sector. With a keen focus on leveraging Al to revolutionize patient care, diagnostics,

and treatment planning, the company has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001. After a year of having the AIMS in

place, the company decided to apply for a certification audit.

It contracted a local certification body, who established the audit team and assigned the audit team leader. Augustine, the designated audit team leader, has a wide

range of skills relevant to various auditing domains. His proficiency encompasses audit principles, processes, and methods, as well as standards for management

systems and additional references. Furthermore, he is knowledgeable about the Heala’s context and relevant statutory and regulatory requirements.

Augustine first gathered management review records, interested party feedback logs, and revision histories for Heala's AIMS. This crucial step laid the groundwork for

a deeper investigation, which included conducting comprehensive interviews with key personnel to understand how feedback from interested parties directly

influenced updates to the AIMS and its strategic direction. Augustine's thorough evaluation process aimed to verify Heala's commitment to integrating the needs and

expectations of interested parties, a critical requirement of ISO/IEC 42001.

Augustine also integrated a sophisticated Al tool to analyze large datasets for patterns and anomalies, and thus have a more informed and data driven audit process.

This Al solution, known for its ability to sift through vast amounts of data with unparalleled speed and accuracy, enabled Augustine to identify irregularities and trends

that would have been nearly impossible to detect through manual methods. The tool was also helpful in preparing hypotheses based on data.

During the audit. Augustine failed to fully consider Heala’s critical processes, expectations, the complexity of audit tasks, and necessary resources beforehand. This

oversight compromised the audit integrity and reliability, reflecting a significant deviation from the diligence and informed judgment expected of auditors.

Question:

Can the work assignments of audit team members be changed during the audit?

Scenario 9:

Scenario 9: Securisai, located in Tallinn. Estonia, specializes in the development of automated cybersecurity solutions that utilize AI systems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. In doing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently and ethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certification audit to demonstrate compliance with ISO/IEC 42001.

The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, and procedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation

of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation, ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.

After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during the certification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a

key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk

management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.

Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.

Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despite being initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partner with a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.

To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation for submission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence to ISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current valid certification registration.

A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The

purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team

concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.

During an AIMS audit at a cybersecurity company, the team found a major nonconformity — ineffective access controls for sensitive data.

Question:

Given this situation, what is the appropriate next step?

Scenario 4:

BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.

Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.

Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.

Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some

audit activities, a disciplinary note was recorded for John.

Question:

What type of evidence did the audit team obtain to assess BioNovaPharm's compliance with legal and regulatory incident reporting requirements?

Which statement regarding the confidentiality of documented information related to or collected from the auditee is NOT accurate?

According to the core element of 'Privacy and Security,’ what is essential when developing AI systems?

Scenario:

UrDesign, an interior design company, has recently decided to use machine learning for classification, regression tasks, and more complex tasks related to structured prediction.

Question:

What category of machine learning did UrDesign decide to use?

Question:

During an audit, the auditor employed data analytic technology to identify anomalies and unusual patterns in the decision-making processes of an AI system used by a financial institution to approve or reject loan applications. Which data analytic technology did the auditor use?

A financial institution has integrated AI systems into its operations and has adopted risk management principles from an internationally recognized standard to specifically mitigate AI-related risks effectively. Which standard has the institution applied in this case?

At which stage of the audit process is materiality assessed and determined?

Question:

Which of the following does NOT represent the purpose of managing and maintaining audit program records?