Unit 1 of 4

6.1 — The AI Audit Lifecycle

An AI audit follows a structured lifecycle from initial planning through remediation follow-up. Understanding each phase and its deliverables is critical for effective auditing.

8-Phase AI Audit Lifecycle

1. Planning: scope & objectives
2. Evidence: collect data
3. Analysis: test & evaluate
4. Findings: classify issues
5. Report: draft report
6. Response: management review
7. Remediation: fix issues
8. Follow-up: verify fixes

Planning phase: Define audit objectives, scope (which AI systems, which controls), criteria (against which framework — NIST, ISO 42001, EU AI Act), timeline, and resource requirements. Engage stakeholders early — AI audits require cooperation from data science, engineering, legal, and business teams.

Risk-Based Scoping Criteria

1. High Impact: Systems affecting individuals' rights, safety, or financial outcomes receive the deepest audit scrutiny.

2. High Autonomy: Automated decision-making without human oversight requires more extensive testing and control evaluation.

3. High Exposure: Large user base, sensitive data, or public-facing applications increase the scope requirements.

4. Regulatory Sensitivity: Systems subject to specific regulations (EU AI Act high-risk, RBI guidelines) need compliance-focused scoping.

AUDITOR INDEPENDENCE

Auditors must NOT have development responsibilities for the system being audited. An effective audit team includes: technical auditors (ML expertise), governance/compliance auditors, domain experts, and legal advisors. Independence is a fundamental audit principle — expect exam questions on this.

Key Points

- Eight-phase audit lifecycle from planning to follow-up
- Risk-based scoping prioritizes high-impact systems
- Multi-disciplinary teams: technical + governance + domain + legal
- Auditor independence is essential
- Stakeholder engagement from the planning phase