Overview & scope

This policy defines the methodology and structure for auditing and evidence management across all AI governance domains. It applies to every department, supplier, and AI system covered by Zen AI Governance’s AIMS and ensures compliance with ISO/IEC 42001, EU AI Act Annex IV, and NIST AI RMF “Govern” functions.

Objectives & purpose

• Ensure all AIMS processes are functioning effectively and producing required outputs.
• Verify conformity with ISO/IEC 42001, internal policies, and applicable legal obligations.
• Assess adequacy of controls for risk management, data governance, and oversight.
• Provide evidence for certification and regulatory inspections.

Internal audit program

• Audits scheduled at least annually, covering all AIMS processes and high-risk AI systems.
• Each audit documented in the Annual Audit Plan with defined scope, criteria, and methods.
• Sampling methods used to verify AI data, models, documentation, and incident records.
• Auditors remain independent from the audited function and are trained to ISO 19011.
• Audit reports graded as: Conformity ✅ | Minor NC ⚠️ | Major NC ❌ | Opportunity for Improvement 💡.

Evidence management framework

• Evidence indexed by process and control ID (AIMS-EV###) and stored in secure repository.
• Metadata recorded: Source, Owner, Version, Date, Verification status, and Retention period.
• Evidence types include: audit reports, risk registers, CAPA logs, incident summaries, training records, model documentation, supplier audits, and PMM results.
• Evidence reviewed during Management Review and certification audits.

Roles & responsibilities

• Audit Coordinator: Plans and schedules audits, manages records, and ensures independence.
• Auditors: Conduct process and technical audits following ISO 19011 guidelines.
• Process Owners: Provide access, explanations, and corrective actions.
• Compliance Lead: Approves reports and monitors CAPA implementation.
• AI Governance Board: Reviews audit results quarterly and decides on escalation.

Audit process workflow

1. Define audit scope, objectives, and criteria.
2. Prepare Audit Plan and notification to auditees.
3. Collect and review evidence (documents, logs, system outputs).
4. Conduct interviews and process walkthroughs.
5. Record findings, classify NCs, and draft audit report.
6. Issue CAPA for each NC and monitor closure within 30–60 days.
7. Submit summary to AI Governance Board and store in AIMS evidence library.

Findings, CAPA & follow-up

• Each finding linked to root cause, corrective action, responsible owner, and closure date.
• Effectiveness of CAPA verified before closure; verification evidence attached.
• Recurring NCs trigger re-audit or process redesign.
• KPIs tracked: closure rate, overdue CAPAs, audit coverage %, and evidence completeness.

Integration with ISO/NIST/EU AI Act

• ISO/IEC 42001 §9.2: Core internal audit requirements.
• NIST AI RMF (Govern / Manage): Oversight and documentation traceability.
• EU AI Act Annex IV: Technical documentation and evidence to demonstrate conformity.
• All audit results feed into Management Review (§9.3) and continual improvement (§10).

Common pitfalls & good practice

• Missing linkage: Always tie evidence to control IDs and processes.
• Outdated documents: Review evidence quarterly for version validity.
• Incomplete CAPA tracking: Automate reminders and escalate overdue actions.
• Insufficient independence: Rotate auditors or use cross-functional reviews.

Implementation checklist

• Audit & Evidence Management Policy approved by Leadership.
• Annual Audit Plan published and communicated.
• Audit log and CAPA tracker operational.
• Evidence indexed, versioned, and validated quarterly.
• Audit outcomes reviewed by AI Governance Board.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 10 Nov 2025 • This page is general guidance, not legal advice.