Scenario 6 (continued):
Scenario 6: HappilyAI is a pioneering enterprise dedicated to developing and deploying artificial intelligence Al solutions tailored toenhance customer service experiences across various industries. The company offers innovative products like virtual assistants,predictive analytics tools, and personalized customer interaction platforms. As part of its commitment to operational excellence andinnovation, HappilyAI has implemented a robust Al management system AIMS to oversee its Al operations effectively. Currently.HappilyAI is undergoing a comprehensive audit process of its AIMS to evaluate its compliance with ISO/IEC 42001.
Under the leadership of Jess, the audit team began the audit process with meticulous planning and coordination, setting the groundworkfor the extensive on-site activities of the stage 1 audit. This initial phase was marked by a comprehensive documentation review. Theaudit scope encompassed a critical review of HappilyAI's core departments, including Research and Development (R&D), CustomerService, and Data Security, aiming to assess the conformity of HappilyAI's AIMS to the requirements of ISO/IEC 42001.
Afterward, Jess and the team conducted a formal opening meeting with HappilyAI to introduce the audit team and outline the auditactivities. The meeting set a collaborative tone for the subsequent phases, where the team engaged in information collection, executedaudit tests, identified findings, and prepared draft nonconformity reports while maintaining a strict quality review process.
In gathering evidence, the audit team employed a sampling method, which involved dividing thepopulation into homogeneous groups toensure a comprehensive and representative data collection by drawing samples from each segment. Furthermore, the team employedobservation to deepen their understanding of the Al management processes. They verified the availability of essential documentation,including Al-related policies, and evaluated the communication channels established for reporting incidents.
Additionally, they scrutinized specific monitoring tools designed to track the performance of data acquisition processes, ensuring thesetools effectively identify and respond to errors or anomalies. However, a notable challenge emerged as the team encountered a lack ofaccess to documented information that describes how tasks about AIMS are executed. In addition to this, the team identified a potentialnonconformity within the Sales Department. They decided not to record this as a nonconformity in the audit report but onlycommunicated it to the HappilyAI's representatives.
During the stage 2 audit, the certification body, in collaboration with HappilyAI, assigned the roles of technical experts within the auditteam. Recognized for their specialized knowledge and expertise in artificial intelligence and its applications, these technical experts aretasked with the thorough assessment of the AIMS framework to ensure its alignment with industry standards and best practices,focusing on areas such as data ethics, algorithmic transparency, and Al system security.
Question:
According to Scenario 6, which sampling method did the audit team use?
Question:
Which of the following statements regarding the organization's requirement to address risks and opportunities based on ISO/IEC 42001 is correct?
Scenario 7:
Scenario 7: ICure, headquartered in Bratislava, is a medical institution known for its use of the latest technologies in medical practices. Ithas introduced groundbreaking Al-driven diagnostics and treatment planning tools that have fundamentally transformed patient care.
ICure has integrated a robust artificial intelligence management system AIMS to manage its Al systems effectively. This holisticmanagement framework ensures that ICure's Al applications are not only developed but also deployed and maintained to adhere to the
highest industry standards, thereby enhancing efficiency and reliability.
ICure has initiated a comprehensive auditing process to validate its AIMS's effectiveness in alignment with ISO/IEC 42001. The stage 1audit involved an on-site evaluation by the audit team. The team evaluated the site-specific conditions, interacted with ICure's personnel,
observed the deployed technologies, and reviewed the operations that support the AIMS. Followingthese observations, the findings weredocumented and communicated to ICure. setting the stage for subsequent actions.
Unforeseen delays and resource allocation issues introduced a significant gap between the completion of stage 1 and the onset of stage2 audits. This interval, while unplanned, provided an opportunity for reflection and preparation for upcoming challenges.
After four months, the audit team initiated the stage 2 audit. They evaluated AIMS's compliance with ISO/IEC 42001 requirements, payingspecial attention to the complexity of processes and their documentation. It was during this phase that a critical observation was made:
ICure had not fully considered the complexity of its processes and their interactions when determining the extent of documentedinformation. Essential processes related to Al model training, validation, and deployment were not documented accurately, hinderingeffective control and management of these critical activities. This issue was recorded as a minor nonconformity, signaling a need forenhanced control and management of these vital activities.
Simultaneously, the auditor evaluated the appropriateness and effectiveness of the "AIMS Insight Strategy," a procedure developed by
ICure to determine the AIMS internal and external challenges. This examination identified specific areas for improvement, particularly in
the way stakeholder input was integrated into the system. It highlighted how this could significantly enhance the contribution of relevant
parties in strengthening the system's resilience and effectiveness.
The audit team determined the audit findings by taking into consideration the requirements of ICure, the previous audit records and
conclusions, the accuracy, sufficiency, and appropriateness of evidence, the extent to which planned audit activities are realized and
planned results achieved, the sample size, and the categorization of the audit findings. The audit team decided to first record all the
requirements met; then they proceeded to record the nonconformities.
Based on the scenario above, answer the following question:
Question:
Which phase of the Stage 1 audit was NOT conducted by the audit team?
A financial institution needs to develop a system that can understand and process large volumes of unstructured text data from financial reports to extract key information and insights. Which AI concept would be best suited for this task?
Scenario 6 (continued):
Scenario 6: HappilyAI is a pioneering enterprise dedicated to developing and deploying artificial intelligence Al solutions tailored toenhance customer service experiences across various industries. The company offers innovative products like virtual assistants,predictive analytics tools, and personalized customer interaction platforms. As part of its commitment to operational excellence andinnovation, HappilyAI has implemented a robust Al management system AIMS to oversee its Al operations effectively. Currently.HappilyAI is undergoing a comprehensive audit process of its AIMS to evaluate its compliance with ISO/IEC 42001.
Under the leadership of Jess, the audit team began the audit process with meticulous planning and coordination, setting the groundworkfor the extensive on-site activities of the stage 1 audit. This initial phase was marked by a comprehensive documentation review. Theaudit scope encompassed a critical review of HappilyAI's core departments, including Research and Development (R&D), CustomerService, and Data Security, aiming to assess the conformity of HappilyAI's AIMS to the requirements of ISO/IEC 42001.
Afterward, Jess and the team conducted a formal opening meeting with HappilyAI to introduce the audit team and outline the auditactivities. The meeting set a collaborative tone for the subsequentphases, where the team engaged in information collection, executedaudit tests, identified findings, and prepared draft nonconformity reports while maintaining a strict quality review process.
In gathering evidence, the audit team employed a sampling method, which involved dividing the population into homogeneous groups toensure a comprehensive and representative data collection by drawing samples from each segment. Furthermore, the team employedobservation to deepen their understanding of the Al management processes. They verified the availability of essential documentation,including Al-related policies, and evaluated the communication channels established for reporting incidents.
Additionally, they scrutinized specific monitoring tools designed to track the performance of data acquisition processes, ensuring thesetools effectively identify and respond to errors or anomalies. However, a notable challenge emerged as the team encountered a lack ofaccess to documented information that describes how tasks about AIMS are executed. In addition to this, the team identified a potentialnonconformity within the Sales Department. They decided not to record this as a nonconformity in the audit report but onlycommunicated it to the HappilyAI's representatives.
During the stage 2 audit, the certification body, in collaboration with HappilyAI, assigned the roles of technical experts within the auditteam. Recognized for their specialized knowledge and expertise in artificial intelligence and its applications, these technical experts aretasked with the thorough assessment of the AIMS framework to ensure its alignment with industry standards and best practices,focusing on areas such as data ethics, algorithmic transparency, and Al system security.
Question:
Which observation types did the audit team use to enhance their understanding of the AI management processes?
Scenario 8 (continued):
Scenario 8:
Scenario 8: InnovateSoft, headquartered in Berlin, Germany, is a software development company known for its innovative solutions andcommitment to excellence. It specializes in custom software solutions, development, design, testing, maintenance, and consulting,covering both mobile apps and web development. Recently, the company underwent an audit to evaluate the effectiveness and
compliance of its artificial intelligence management system AIMS against ISO/IEC 42001.
The audit team engaged with the auditee to discuss their findings and observations during the audit's final phases. After evaluating theevidence, the audit team presented their audit findings to InnovateSoft, highlighting the identified nonconformities.
Upon receiving the audit findings, InnovateSoft accepted the conclusions but expressed concerns about some findings inaccuratelyreflecting the efficiency of their software development processes. In response, the company provided new evidence and additionalinformation to alter the audit conclusions for a couple of minor nonconformities identified. After thorough consideration, the audit teamleader clarified that the new evidence did not significantly alter the core conclusions drawn for the nonconformities. Therefore, thecertification body issued a certification recommendation conditional upon the filing of corrective action plans without a prior visit.
InnovateSoft accepted the decision of the certification body. The top management of the company also sought suggestions from theaudit team on resolving the identified nonconformities. The audit team leader offered solutions to address the issues, fostering acollaborative effort between the auditors and InnovateSoft.During the closing meeting, the audit team covered key topics to enhance transparency. They clarified to InnovateSoft that the auditevidence was based on a sample, acknowledging the inherent uncertainty. The method and time frame of reporting and grading findingswere discussed to provide a structured overview of nonconformities. The certification body's process for handling nonconformities,including potential consequences, guided InnovateSoft on corrective actions. The time frame for presenting a plan for correction was
communicated, emphasizing urgency. Insights into the certification body’s post-audit activities were provided, ensuring ongoing support.
Lastly, the audit team briefed InnovateSoft on complaint and appeal handling.
InnovateSoft submitted the action plans for each nonconformity separately, describing only the detected issues and the correctiveactions planned to address the detected nonconformities. However, the submission slightly exceeded the specified period of 45 days setby the certification body, arriving three days later. InnovateSoft explained this by attributing the delay to unexpected challengesencountered during the compilation of the action plans.
InnovateSoft received minor nonconformities. After the closing meeting, the audit team leader suggested solutions for resolving the nonconformities, at the request of the auditee.
Question:
Was the audit team leader’s decision to suggest solutions for the identified nonconformities acceptable?
Question:
During which phase of the certification process is confirmation of registration performed?
Question:
Which of the following standards emphasizes the importance of conducting AI system impact assessments to evaluate the potential effects on individuals and societies affected by the AI system?
A financial institution uses an AI system to approve loan applications. Recently, there have been complaints that the system disproportionately denies loans to applicants from certain minority groups. Which core element should the institution prioritize to address these complaints?
Question:
While preparing for an AIMS audit, a technology company faced an issue: the auditor lacked a required security clearance for accessing sensitive information related to government contracts.
The company requested a replacement auditor. Is this acceptable?
In which step are the audit findings, including nonconformities, documented and reviewed?
Scenario 1:
To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.
Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.
After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.
Question:
Which of the following AI principles has Future Horizon Academy applied?
Question:
During an audit, the auditor employed data analytic technology to identify anomalies and unusualpatterns in the decision-making processes of an AI system used by a financial institution to approve or reject loan applications. Which data analytic technology did the auditor use?
Scenario 1 (continued):
To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.
Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.
After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s ownrequirements and that the system is being maintained effectively.
Question:
Based on functionality, what type of AI system did Future Horizon Academy establish?
Scenario 8 (continued):
Scenario 8:
Scenario 8: InnovateSoft, headquartered in Berlin, Germany, is a software development company known for its innovative solutions andcommitment to excellence. It specializes in custom software solutions, development, design, testing, maintenance, and consulting,covering both mobile apps and web development. Recently, the company underwent an audit to evaluate the effectiveness and
compliance of its artificial intelligence management system AIMS against ISO/IEC 42001.
The audit team engaged with the auditee to discuss their findings and observations during the audit's final phases. After evaluating theevidence, the audit team presented their audit findings to InnovateSoft, highlighting the identified nonconformities.
Upon receiving the audit findings, InnovateSoft accepted the conclusions but expressed concerns about some findings inaccuratelyreflecting the efficiency of their software development processes. In response, the company provided new evidence and additionalinformation to alter the audit conclusions for a couple of minor nonconformities identified. After thorough consideration, the audit teamleader clarified that the new evidence did not significantly alter the core conclusions drawn for the nonconformities. Therefore, thecertification body issued a certification recommendation conditional upon the filing of corrective action plans without a prior visit.
InnovateSoft accepted the decision of the certification body. The top management of the company also sought suggestions from theaudit team on resolving the identified nonconformities. The audit team leader offered solutions to address the issues, fostering acollaborative effort between the auditors and InnovateSoft.During the closing meeting, the audit team covered key topics to enhance transparency. They clarified to InnovateSoft that the auditevidence was based on a sample, acknowledging the inherent uncertainty. The method and time frame of reporting and grading findingswere discussed to provide a structured overview of nonconformities. The certification body's process for handling nonconformities,including potential consequences, guided InnovateSoft on corrective actions. The time frame for presenting a plan for correction was
communicated, emphasizing urgency. Insights into the certification body’s post-audit activities were provided, ensuring ongoing support.
Lastly, the audit team briefed InnovateSoft on complaint and appeal handling.
InnovateSoft submitted the action plans for each nonconformity separately, describing only the detected issues and the correctiveactions planned to address the detected nonconformities. However, the submission slightly exceeded the specified period of 45 days setby the certification body, arriving three days later. InnovateSoft explained this by attributing the delay to unexpected challengesencountered during the compilation of the action plans.
InnovateSoft’s corrective action plans described the detected issues and intended corrections but did not include the root causes.
Question:
Were InnovateSoft’s action plans drafted appropriately?
Scenario 3 (continued):
ArBank is a financial institution located in Brussels, Belgium, which offers a diverse range of banking and investment servicesto its clients. To ensure the continual improvement of its operations, ArBank has implemented a quality management system QMS based
on ISO 9001 and an artificial intelligence management system AIMS based on the requirements of ISO/IEC 42001.
Audrey, an experienced auditor, led an internal audit focused on the AIMS within ArBank. She assessed the chatbots integrated into thebank's website and mobile app, analyzing communications using big data technology to identify potential noncompliance, fraud, orunethical conduct. Instead of relying solely on the information provided by the chatbots, Audrey sought out evidence that would eitherconfirm or challenge the validity of the data, ensuring her conclusions were based on reliable and accurate information. Her review ofselected chatbot interactions confirmed they met their intended purpose.
For the specific context of ArBank's operations, Audrey utilized an Al system to assess the efficiency of the bank's digital infrastructure,focusing on tasks critical to the Finance Department. This Al system was able to analyze the functionality of chatbots integrated intoArBank's website and mobile app to determine if it adheres to ISO/IEC 42001 requirements and internal policies governing customerservice in the banking sector.
In addition, Audrey conducted a deeper assessment of the bank’s AIMS. Her evaluation included observing different stages of the AIMSlife cycle, from development to deployment, to ensure that roles and responsibilities were clearly defined and aligned with ArBank’soperational goals. She also evaluated the tools used to monitor and measure the performance of the AIMS.
Audrey continued the audit process by auditing ArBank's outsourced operations. Upon checking the contractual agreements between thetwo parties, Audrey decided that there was no need to gather audit evidence regarding the contractual agreement. She reviewed thecompany's processes for monitoring the quality of outsourced operations, determined whether appropriate governance processes are inplace with regard to the engagement of outsourced persons or organizations, and reviewed and evaluated the company's plans in case ofexpected or unexpected termination of theoutsourcing agreement.
Based on the scenario above, answer the following question:
Question:
What big data technology did Audrey utilize? Refer to Scenario 3.
Scenario 9 (continued):
Scenario 9: Securisai, located in Tallinn.Estonia, specializes in the development of automated cybersecurity solutions that utilize AIsystems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. Indoing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently andethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certificationaudit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, andprocedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation,ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during thecertification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assessand boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despitebeing initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partnerwith a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation forsubmission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence toISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current validcertification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
Question:
In the context of Roger’s action plan at Securisai, was the plan he developed a general plan or a detailed plan?
Scenario 9:
Scenario 9: Securisai, located in Tallinn.Estonia, specializes in the development of automated cybersecurity solutions that utilize AIsystems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. Indoing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently andethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certificationaudit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, andprocedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation,ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during thecertification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despitebeing initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partnerwith a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation forsubmission to the new certification body. This includes a formal request, the most recent audit report underscoring its adherence toISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current validcertification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
During an AIMS audit at a cybersecurity company, the team found a major nonconformity — ineffective access controls for sensitive data.
Question:
Given this situation, what is the appropriate next step?
Scenario 4:
BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMSbased on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potentialdrug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted acertification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.
Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plancorresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizingthose with the highest risk.
Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharmcomplies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided bythe company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, whichmandates that providers of high-risk Al systems report serious incidents to relevant authorities.
Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including theobservations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, whowas overseeing the audit activities, observed that John failed to document significant observations related to the lack oftransparency inthe Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some
audit activities, a disciplinary note was recorded for John.
Question:
What type of evidence did the audit team obtain to assess BioNovaPharm's compliance with legal and regulatory incident reporting requirements?
According to the core element of 'Privacy and Security,’ what is essential when developing AI systems?
A social media platform wants to automatically detect and remove inappropriate content from images and videos uploaded by users. Which AI concept is most appropriate for this task?
A global bank is currently evaluating the effectiveness of its AI management system controls through an AIMS audit. Which role is being played by this company?
A few months after an audit, the auditor returns to the company to verify that corrective actions have been effectively implemented and that the issues identified have been resolved. Which step of the management system audit process does this activity correspond to?
Scenario 4 (continued):
BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMSbased on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potentialdrug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted acertification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.
Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plancorresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizingthose with the highest risk.
Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharmcomplies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided bythe company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, whichmandates that providers of high-risk Al systems report serious incidents to relevant authorities.
Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including theobservations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, whowas overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency inthe Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some
audit activities, a disciplinary note was recorded for John.
Question:
Which of the following AI applications for auditing did the audit team employ?
Question:
During the annual ISO/IEC 42001 audit at a financial company, the auditor selected and analyzed a sample of 5 out of 25 follow-up nonconformity reports to assess whether the company adheres to its follow-up process. What type of evidence did the auditor gather?
How does ISO 19011 recommend auditors select audit criteria?
Scenario 4 (continued):
BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMSbased on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potentialdrug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted acertification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.
Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plancorresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizingthose with the highest risk.
Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharmcomplies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided bythe company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, whichmandates that providers of high-risk Al systems report serious incidents to relevant authorities.
Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including theobservations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, whowas overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency inthe Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some
audit activities, a disciplinary note was recorded for John.
Question:
Based on Scenario 4, does the level of detail in the audit plan adequately reflect all aspects recommended for a comprehensive risk-based approach to planning?
How are auditors expected to handle conflicts of interest during an audit?
Scenario 1 (continued):
To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.
Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.
After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.
Question:
Based on Scenario 1, which of the following processes regarding data did Future Horizon Academy NOT conduct?
What does the 'Human-Centered Design' core element prioritize in AI development?
Question:
What does sampling error refer to in the context of the audit?
What type of evidence is an external audit report?
Which control in Annex A of ISO 42001:2023 focuses on the need for stakeholder engagement in AI system development?
Question:
Which statement most accurately characterizes semantic computing?
During the audit planning phase, what is the primary activity an auditor should focus on?
Scenario 9 (continued):
Scenario 9: Securisai, located in Tallinn.Estonia, specializes in the development of automated cybersecurity solutions that utilize AIsystems. The company recently implemented an artificial intelligence management system AIMS in accordance with ISO/IEC 42001. Indoing so, the company aimed to manage its Al-driven systems’ capabilities to detect and mitigate cyber threats more efficiently andethically. As part of its commitment to upholding the highest standards of Al use and management, Securisai underwent a certificationaudit to demonstrate compliance with ISO/IEC 42001.
The audit process comprised two main stages: the initial or stage 1 audit focused on reviewing Securisai's documentation, policies, andprocedures related to its AIMS. This review laid the groundwork for the stage 2 audit, which involved a comprehensive, on-site evaluation
of the actual implementation and effectiveness of the AIMS within Securisai's operations. The goal was to observe the AIMS in operation,ensuring that it not only existed on paper but was effectively integrated into the company's daily activities and cybersecurity strategies.
After the audit, Roger, Securisai's internal auditor, addressed the action plans devised to rectify nonconformities identified during thecertification audit. He developed a long term strategy, highlighting key AIMS processes for triennial audits. Roger's internal audits play a
key role in advancing Securisai's goals by employing a systematic and disciplined method to assess and boost the efficiency of risk
management, governance processes, and strategic decision-making. Roger reported his findings directly to Securisai's top management.
Following the successful rectification of nonconformities, Securisai was officially certified against ISO/IEC 42001.
Recently, the company decided to transfer its ISO/IEC 42001 certification registration from one certification body to another despitebeing initially bound by a long-term agreement with the current certification body. This decision was motivated by the desire to partnerwith a certification body that offers deeper insights and expertise in the rapidly evolving field of artificial intelligence in cybersecurity.
To ensure a smooth transition and uphold its certification status, Securisai is diligently compiling the required documentation forsubmission to the new certification body. This includes a formalrequest, the most recent audit report underscoring its adherence toISO/IEC 42001, the latest corrective action plan that highlights its continuous efforts toward improvement, and a copy of its current validcertification registration.
A year following Securisai's initial certification audit, a subsequent audit was carried out by the certification body on its AIMS. The
purpose of this audit was to assess compliance with ISO/IEC 42001 and verify the ongoing improvement of the AIMS. The audit team
concluded that Securisai's AIMS consistently meets the requirements set by ISO/IEC 42001.
Question:
Based on Scenario 9, what should Securisai’s certification be?