Audit & Independent Assurance — Assurance

Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 05 Nov 2025 • www.zenaigovernance.com

Audit & Independent Assurance

Key takeaways

  • Independent assurance builds trust; publish scope, criteria, and management responses.

Audit scope & objectives

  • End-to-end model lifecycle; governance forums; data lineage; evaluations; incidents; user transparency.

Criteria & standards

  • EU AI Act requirements; UK ICO guidance; ISO/IEC 42001 alignment; internal policies; risk appetite.

Approach & sampling

  • Interviews; document review; control tests; sample releases and incidents; walkthrough of PMM dashboards.

Evidence & traceability

  • Trace requirement→control→evidence; verify timestamps; ensure artefact integrity; reproduce checks.

Findings & severity

  • Severity matrix; root cause; business impact; remediation plan; owner and due dates; follow-up cycle.

Follow-up & CAPA

  • Verification of fixes; effectiveness tests; closure criteria; escalation to Governance Board if late.

Independence & ethics

  • Auditor independence; conflict checks; confidentiality; secure handling of evidence and PII.

Assurance opinions

  • Reasonable vs. limited assurance; scope limitations; emphasis of matter; management assertions.

Reporting & comms

  • Draft report with factual accuracy check; final report; board digest; public summary where appropriate.

Regulator engagement

  • Maintain contact list; pre-brief on significant changes/incidents; share evidence packs on request.

Annual audit calendar

  • Quarterly internal audits; annual external assurance; ad-hoc deep dives after major releases/incidents.

Audit checklist

  • Scope agreed; criteria mapped; sampling plan; evidence index; findings tracked; CAPA verified.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.
