Scenario 5:
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure
that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills
and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team's authority to conduct the audit, and summarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
Question:
Robert did not receive an offer from the certification body prior to accepting the mandate. Is this acceptable?
What is the purpose of conducting an opening meeting in the audit process?
Did the audit team leader appropriately schedule the follow-up after the initial audit? Refer to scenario 9.
Scenario 9: ImoAl, headquartered in California. USA, provides Al solutions for various industries such as finance, healthcare, retail, and manufacturing. Its clients
include major financial institutions seeking Al powered fraud detection systems, healthcare providers leveraging Al for diagnostics and patient care, retailers
optimizing supply chain management with Al forecasting, and manufacturers enhancing production efficiency through Al-driven automation.
ImoAl has recently undergone a certification audit to ensure that its artificial intelligence management system AIMS is in compliance with ISO/IEC 42001. During the
audit, a major nonconformity related to data security protocols was identified, requiring urgent resolution. ImoAl swiftly initiated corrective actions to address the
major nonconformity. The audit follow-up, in agreement with the auditee, was scheduled six weeks after the initial audit. As part of exploring alternatives to audit
follow-up, the audit team leader chose to verify the effectiveness of the actions taken by the auditee by scheduling a specific visit to ImoAI's premises.
The follow-up audit involved a thorough evaluation of the effectiveness of these actions. The audit team leader thoroughly examined the corrections, corrective actions,
and root cause analysis conducted by ImoAl to assess whether they adequately addressed the nonconformity identified during the initial audit.
In conjunction with the external audit follow-up, ImoAl engaged its internal auditing team to oversee the progress of corrective actions. The AIMS manager of ImoAl
updated Ms. Rebecca Hayes, the internal auditor, on the status of corrections and corrective actions prompted by the nonconformity identified during the external
audit. Subsequently, Ms. Hayes thoroughly reviewed these measures, analyzing the corrections, root causes, and effectiveness of the implemented actions.
Upon satisfactory validation of the action plans, ImoAl was recommended for certification.
UrDesign, an interior design company, has recently decided to use machine learning for classification, regression tasks, and more complex tasks related to structured prediction. What category of machine learning did UrDesign decide to use?
An auditor is reviewing an AI system used for hiring processes at a tech company and discovers that the system disproportionately rejects candidates from certain ethnic backgrounds. The auditor previously consulted for this company on diversity strategies. Which management system auditing principle (as per ISO 19011) is at risk of being compromised in this scenario?
Scenario 5 (continued):
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure
that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills
and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team's authority to conduct the audit, and summarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
Question:
Based on Scenario 5, were all the recommended aspects covered during the initial contact with Aizoia?
Which statement best reflects the principle of professional skepticism?
Scenario 3 (continued):
ArBank is a financial institution located in Brussels, Belgium, which offers a diverse range of banking and investment services to its clients. To ensure the continual improvement of its operations, ArBank has implemented a quality management system QMS based
on ISO 9001 and an artificial intelligence management system AIMS based on the requirements of ISO/IEC 42001.
Audrey, an experienced auditor, led an internal audit focused on the AIMS within ArBank. She assessed the chatbots integrated into the bank's website and mobile app, analyzing communications using big data technology to identify potential noncompliance, fraud, or unethical conduct. Instead of relying solely on the information provided by the chatbots, Audrey sought out evidence that would either confirm or challenge the validity of the data, ensuring her conclusions were based on reliable and accurate information. Her review of selected chatbot interactions confirmed they met their intended purpose.
For the specific context of ArBank's operations, Audrey utilized an Al system to assess the efficiency of the bank's digital infrastructure, focusing on tasks critical to the Finance Department. This Al system was able to analyze the functionality of chatbots integrated into ArBank's website and mobile app to determine if it adheres to ISO/IEC 42001 requirements and internal policies governing customer service in the banking sector.
In addition, Audrey conducted a deeper assessment of the bank’s AIMS. Her evaluation included observing different stages of the AIMS life cycle, from development to deployment, to ensure that roles and responsibilities were clearly defined and aligned with ArBank’s operational goals. She also evaluated the tools used to monitor and measure the performance of the AIMS.
Audrey continued the audit process by auditing ArBank's outsourced operations. Upon checking the contractual agreements between the two parties, Audrey decided that there was no need to gather audit evidence regarding the contractual agreement. She reviewed the company's processes for monitoring the quality of outsourced operations, determined whether appropriate governance processes are in place with regard to the engagement of outsourced persons or organizations, and reviewed and evaluated the company's plans in case of expected or unexpected termination of the outsourcing agreement.
Based on the scenario above, answer the following question:
Question:
Based on Scenario 3, which of the following AI technologies did Audrey employ to assess the efficiency of the bank's digital infrastructure?
Scenario 1 (continued):
To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.
Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.
After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.
Question:
Based on Scenario 1, what category of AI systems did Future Horizon Academy utilize?
Was the arrangement for assigning guides during the audit process appropriate?
