The ISO/IEC 42001:2023 Artificial Intelligence Management System Lead Auditor Exam (ISO-IEC-42001-Lead-Auditor)

Scenario 5 (continued):

Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure

that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.

Robert, one of the certification body ' s full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills

and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.

Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.

Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.

Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team ' s authority to conduct the audit, and summarize the audit ' s key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.

Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.

As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia ' s management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.

Based on the scenario above, answer the following question:

Question:

Based on Scenario 5, did the certification body provide all the necessary information to conduct the audit to the audit team leader?

A financial institution needs to develop a system that can understand and process large volumes of unstructured text data from financial reports to extract key information and insights. Which AI concept would be best suited for this task?

Scenario 2 (continued):

Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries. Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyze vast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, the company has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.

Initially, the top management established an Al policy that was aligned with the company ' s objectives. The Al policy provided a framework for defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it

did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented the policy, communicated it internally, and made it accessible to interested parties.

The top management designated specific individuals to ensure that the AIMS meets the standard ' s requirements. Additionally, they ensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, and facilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel

were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Al performance.

The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria and implemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement. Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure the integrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using a versioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to make changes was restricted to authorized personnel, and any proposed modifications required approval from the designated management team before being implemented.

Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established a comprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it is necessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance on implementing controls and, ultimately, produced a Statement of Applicability So A. The SoA contained the necessary controls, including all the controls of Annex A and justifications for their inclusion or exclusion.

Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company ' s requirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensured objectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top

management of the company.

Question:

Based on Scenario 2, has Empsy HR Solutions established a suitable internal audit program?

After an AIMS audit, the auditee made the required corrections and implemented corrective actions. However, it did not notify the auditor that led the audit regarding the completion status of the corrections and corrective actions since the auditee had been recommended for certification under the condition that corrective actions be submitted without a prior visit. Is this acceptable?

Based on scenario 3, which of the following AI technologies did Augustine utilize to analyze large datasets? Refer to the fourth paragraph.

Scenario 3: Heala specializes in developing Al-driven solutions for the healthcare sector. With a keen focus on leveraging Al to revolutionize patient care, diagnostics,

and treatment planning, the company has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001. After a year of having the AIMS in

place, the company decided to apply for a certification audit.

It contracted a local certification body, who established the audit team and assigned the audit team leader. Augustine, the designated audit team leader, has a wide

range of skills relevant to various auditing domains. His proficiency encompasses audit principles, processes, and methods, as well as standards for management

systems and additional references. Furthermore, he is knowledgeable about the Heala’s context and relevant statutory and regulatory requirements.

Augustine first gathered management review records, interested party feedback logs, and revision histories for Heala ' s AIMS. This crucial step laid the groundwork for

a deeper investigation, which included conducting comprehensive interviews with key personnel to understand how feedback from interested parties directly

influenced updates to the AIMS and its strategic direction. Augustine ' s thorough evaluation process aimed to verify Heala ' s commitment to integrating the needs and

expectations of interested parties, a critical requirement of ISO/IEC 42001.

Augustine also integrated a sophisticated Al tool to analyze large datasets for patterns and anomalies, and thus have a more informed and data driven audit process.

This Al solution, known for its ability to sift through vast amounts of data with unparalleled speed and accuracy, enabled Augustine to identify irregularities and trends

that would have been nearly impossible to detect through manual methods. The tool was also helpful in preparing hypotheses based on data.

During the audit. Augustine failed to fully consider Heala’s critical processes, expectations, the complexity of audit tasks, and necessary resources beforehand. This

oversight compromised the audit integrity and reliability, reflecting a significant deviation from the diligence and informed judgment expected of auditors.

A retail company wants to implement a system that can predict customer buying behavior based on their browsing history and past purchases. Which AI concept would be most suitable for developing this predictive system?

Based on Scenario 5, Alterhealth determined the audit time. Is this acceptable?

Scenario 5: Alterhealth is a mid-sized technology firm based in Toronto. Canada. It develops Al systems for healthcare providers, focusing on improving patient care,

optimizing hospital workflows, and analyzing healthcare data for insights that can improve health outcomes. To ensure responsible and effective use of Al in its

operations, Alterhealth has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001. After a year of having the AIMS in place, the

company decided to apply for a certification audit to obtain certification against ISO/IEC 42001.

The company contracted a certification body to conduct the audit, who assembled the audit team and appointed the audit team leader. The audit team leader had

conducted a certification audit at Alterhealth in the past. The top management of Alterhealth decided to reject the appointment of this auditor because they believed

that they would not receive added value from the audit. In response, the certification body appointed Jonathan, an independent auditor with no prior engagements with

Alterhealth, as the new audit team leader. Jonathan ' s introduction marked the beginning of a collaborative process aimed at evaluating the conformity of the AIMS to

ISO/IEC 42001 requirements.

The certification body determined the audit scope, which included only specific departments essential to the integration and application of Al, such as the Al Research,

Machine Learning Applications, and Al Ethics and Compliance Departments, and did not cover all of the departments covered by the AIMS scope. Meanwhile,

Alterhealth determined the audit time, setting the necessary time frame for planning and conducting a thorough and effective review to ensure all aspects of the AIMS

within the selected departments were meticulously reviewed.

Afterward, Jonathan received a detailed offer from the certification body, outlining his role and including information related to the audit, such as the audit ' s duration,

team members, their responsibilities, the limits to the audit engagement, and their salary compensation. With a clear mandate, Jonathan was tasked with a multitude

of responsibilities: defining the audit objectives and criteria, planning the audit process, identifying and addressing audit risks, managing communication with

Alterhealth, overseeing the audit team, and ensuring a smooth and conflict free execution.

With Jonathan ' s leadership and a well-defined audit framework in place, the certification audit proceeded with a structured and objective evaluation of Alterhealth ' s

AIMS.

Scenario 4 (continued):

BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.

Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.

Once the stage 1 audit began, the audit team started reviewing the auditee ' s documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.

Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John ' s lack of competence in undertaking some

audit activities, a disciplinary note was recorded for John.

Question:

Which of the following AI applications for auditing did the audit team employ?

Scenario:

UrDesign, an interior design company, has recently decided to use machine learning for classification, regression tasks, and more complex tasks related to structured prediction.

Question:

What category of machine learning did UrDesign decide to use?