MODULE 06

Audit Documentation & Governance

Master the end-to-end AI audit process: planning, evidence collection, findings classification, report writing, and remediation tracking. Covers audit documentation standards, governance structures, and practical audit checklists.

4 units, ~3 hrs total (~45 min per unit), 8 practice questions
Learning objectives
After completing this module, you will be able to:
Apply the eight-phase audit lifecycle from planning to follow-up
Collect and weigh the four evidence types: documentation, testing, interviews, observation
Classify findings into the four severity levels: Critical, High, Medium, Low
Explain why board-level AI oversight is essential
In this module
6.1 — The AI Audit Lifecycle
6.2 — Evidence Collection
6.3 — Findings Classification and Reporting
6.4 — AI Governance Structures
Practice questions
Q1: What is the 5C structure for audit findings?

Criteria (what was expected), Condition (what was found), Cause (why the gap exists), Consequence (the risk or impact), and Corrective action (the recommendation: what should be done). Every finding in the report should state all five, so the reader can see the gap, why it exists, what it costs, and how to close it.

Q2: Describe the three lines of defense model for AI governance.

First line: AI development and operations teams own and manage risks. Second line: AI risk and compliance function oversees and challenges. Third line: Internal audit provides independent assurance.

Q3: What four types of evidence should an AI auditor collect?

Documentation review (model cards, risk assessments, etc.), technical testing (independent evaluation, fairness testing, red-teaming), interviews (structured interviews with key personnel), and process observation (verifying procedures match practice).

Q4: How are audit findings classified by severity?

Critical (immediate risk, immediate action required), High (significant weakness, action within 30 days), Medium (improvement needed, 90 days), Low (best practice recommendation, advisory).

Q5: What are the essential AI governance artifacts an auditor should verify?

AI Policy, AI Risk Appetite Statement, AI System Register/Inventory, Model Risk Management Framework, Data Governance Framework, Incident Response Plan, and Responsible AI Principles. These should be reviewed and updated annually.

Q6: Why is auditor independence important in AI audits?

Auditors must not have development responsibilities for the system being audited. Independence ensures objective evaluation free from conflicts of interest. An auditor who developed the system cannot objectively assess their own work. This is a fundamental professional audit principle.

Q7: What is shadow AI and why is it a governance concern?

Shadow AI is unauthorized use of AI tools by employees (e.g., uploading confidential data to public AI services). It's a governance concern because it creates data leakage risks, compliance violations, and uncontrolled AI usage outside the organization's risk management framework.
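The register-versus-observation test behind Q3, Q5 and Q7 can be run as a script: take the AI system register (which approved service accounts may call which AI endpoints) and reconcile it against what the web proxy actually saw. Requests to public AI services that no register entry authorises are shadow AI candidates; large uploads among them are the data-leakage cases; registered systems with no traffic in the sample are prompts to check whether the register is still current. This is an added example written for this page, not code from the course or from any audit tool. The register entries, the list of public AI hosts, the upload threshold and the key=value proxy log format are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# --- Constructed inputs (hypothetical names; not from any real organisation) ---

# AI system register / inventory, reduced to the two fields this test needs:
# which service accounts are approved to call which AI endpoint hosts.
AI_SYSTEM_REGISTER = {
    "support-chatbot": {"hosts": {"api.openai.com"}, "accounts": {"svc-chatbot"}},
    "credit-scoring-v3": {"hosts": {"ml.internal.example"}, "accounts": {"svc-scoring"}},
    "legacy-doc-classifier": {"hosts": {"ml-old.internal.example"}, "accounts": {"svc-docclass"}},
}

# Public generative-AI services: reaching these outside a register entry counts as shadow AI.
PUBLIC_AI_HOSTS = {"api.openai.com", "chat.openai.com", "claude.ai", "gemini.google.com"}

# Upload size (bytes) above which a shadow-AI request gets a data-leakage follow-up (assumed).
UPLOAD_THRESHOLD = 100_000

# Constructed proxy log in a simple key=value format (not any vendor's real format).
PROXY_LOG = """\
2024-05-02T09:14:03Z user=asmith dst=chat.openai.com method=POST bytes_out=184322
2024-05-02T09:15:10Z user=svc-chatbot dst=api.openai.com method=POST bytes_out=2210
2024-05-02T09:16:44Z user=svc-scoring dst=ml.internal.example method=POST bytes_out=512
2024-05-02T09:20:01Z user=bjones dst=claude.ai method=POST bytes_out=912
2024-05-02T09:21:15Z user=cwu dst=api.openai.com method=POST bytes_out=50310
2024-05-02T09:22:37Z user=svc-chatbot dst=api.openai.com method=POST bytes_out=1980
2024-05-02T09:30:12Z user=asmith dst=intranet.example method=GET bytes_out=120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) method=\S+ bytes_out=(?P<bytes>\d+)$"
)


@dataclass
class Reconciliation:
    shadow_ai: list = field(default_factory=list)        # (user, dst, bytes_out) not covered by the register
    bulk_uploads: list = field(default_factory=list)     # shadow_ai entries above UPLOAD_THRESHOLD
    sanctioned_hits: dict = field(default_factory=dict)  # register entry -> observed request count
    stale_entries: list = field(default_factory=list)    # register entries with zero observed traffic


def parse_log(text):
    """Yield (user, dst, bytes_out) per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["dst"], int(m["bytes"])


def sanctioned_system(register, user, dst):
    """Return the register entry that authorises this (account, host) pair, or None.
    Both the host and the calling account must match: a human using the chatbot's
    approved endpoint from their own account is still unauthorised use."""
    for name, entry in register.items():
        if dst in entry["hosts"] and user in entry["accounts"]:
            return name
    return None


def reconcile(log_text, register=AI_SYSTEM_REGISTER, public_hosts=PUBLIC_AI_HOSTS,
              threshold=UPLOAD_THRESHOLD):
    result = Reconciliation(sanctioned_hits={name: 0 for name in register})
    for user, dst, nbytes in parse_log(log_text):
        system = sanctioned_system(register, user, dst)
        if system is not None:
            result.sanctioned_hits[system] += 1
        elif dst in public_hosts:
            hit = (user, dst, nbytes)
            result.shadow_ai.append(hit)
            if nbytes > threshold:
                result.bulk_uploads.append(hit)
        # Traffic to non-AI hosts is out of scope for this test and is ignored.
    # No traffic in the sample is a question for the system owner, not a finding on its own:
    # the window may be too short, or the system may be decommissioned and the register stale.
    result.stale_entries = sorted(n for n, c in result.sanctioned_hits.items() if c == 0)
    return result


if __name__ == "__main__":
    r = reconcile(PROXY_LOG)
    print("Shadow AI requests:", r.shadow_ai)
    print("Bulk uploads to public AI services:", r.bulk_uploads)
    print("Sanctioned requests per registered system:", r.sanctioned_hits)
    print("Registered systems with no observed traffic:", r.stale_entries)
```

On the constructed log this flags three shadow-AI requests (two users on public chat services and one user calling the chatbot's approved endpoint from a personal account), one of them a large upload, and shows the legacy classifier with no traffic. In a real engagement the register would come from the organisation's inventory export and the log from the proxy or CASB, and each flagged line becomes the Condition in a 5C finding.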

Q8: What should an audit report contain, and who is the primary audience?

Structure: Executive summary, scope/methodology, system description, findings by severity, management response, and appendices. The primary audience is non-technical executives and board members, so reports must translate technical findings into business risk language.
