Integrated Audit & Evidence Management System — ISO 42001 + NIST RMF + EU AI Act

Zen AI Governance — Knowledge Base | ISO/NIST Integration | Updated 18 Nov 2025 | www.zenaigovernance.com

Integrated Audit & Evidence Management System

Key takeaways
  • Centralises internal audits, evidence records and CAPA follow-ups across ISO 42001, NIST RMF and EU AI Act.
  • Uses EV-IDs (Evidence Identifiers) for traceability between policies, risks, and audit findings.
  • Integrates Zoho Desk, Firebase and Google Drive for audit storage, notifications and dashboards.

Purpose & Objectives

The Integrated Audit & Evidence Management System (IAEMS) ensures all AI governance processes are measurable, auditable and improvable. It aligns ISO 42001 internal audit cycles with NIST AI RMF evaluation controls and EU AI Act Annex IV documentation requirements.

System Architecture Overview

  • Audit Planning Module: Schedules Stage 1/2 internal audits and links scope to ISO clauses and NIST functions.
  • Evidence Repository: Stores EV-tagged files (e.g., EV-RMS-004 for the risk log). Syncs with Google Drive or SharePoint.
  • CAPA Tracker: Monitors corrective & preventive actions, with status and due dates.
  • Dashboard Layer: Visualises audit status, open NCs, and evidence coverage per framework.

Audit Workflow Lifecycle

  1. Plan: Define audit objectives, criteria, scope and team (ISO 42001 §9.2).
  2. Execute: Collect evidence through interviews, logs, and system exports.
  3. Report: Issue findings (NC, Observation, Improvement Opportunity).
  4. CAPA: Implement actions and link to EV-IDs for traceability.
  5. Verify: Audit Manager validates closure before marking as complete.

Evidence Linkage & EV-IDs

  • Each document or record is tagged with a unique EV-ID (e.g., EV-POL-001, EV-AUD-023).
  • EV-IDs include metadata: Framework (ISO/NIST/EU), Owner, Version, and Retention Period.
  • Evidence Matrix links EV-IDs to controls, policies and risks for cross-framework audits.

Automation & Dashboards

  • Zoho Desk tickets auto-generate CAPA entries when non-conformities are raised.
  • Firebase Cloud Functions update audit status and notify reviewers via email and Slack.
  • Compliance Heatmap integrates ISO clause coverage with NIST function status (Green/Amber/Red).

Templates & Registers

A) Audit Schedule Register (CSV Headers)
Audit_ID,Scope,Framework,Start_Date,End_Date,Auditor,Status,Findings_Count,Next_Audit,EV_ID
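
As an added example (not code from the Zen AI Governance page or its system), a small Python validator for the Audit Schedule Register above: it rejects a CSV whose header deviates from the listed columns, checks each EV_ID against the EV-XXX-NNN shape the page's examples follow, checks that the audit dates are ordered and the findings count is numeric, and summarises audits and findings per framework as a dashboard would. The Framework spellings, the fixed widths of the EV-ID parts and the sample rows are assumptions.

```python
import csv
import io
import re
from datetime import date
# Header exactly as the Audit Schedule Register on this page lists it.
HEADERS = ["Audit_ID", "Scope", "Framework", "Start_Date", "End_Date",
           "Auditor", "Status", "Findings_Count", "Next_Audit", "EV_ID"]
EV_ID_RE = re.compile(r"^EV-[A-Z]{3}-\d{3}$")  # shape of EV-POL-001 / EV-AUD-023 (assumed fixed widths)
FRAMEWORKS = {"ISO 42001", "NIST AI RMF", "EU AI Act"}  # assumed spellings of the Framework column
# Constructed sample register (not real audit data); the last row is deliberately faulty.
SAMPLE_CSV = """Audit_ID,Scope,Framework,Start_Date,End_Date,Auditor,Status,Findings_Count,Next_Audit,EV_ID
AUD-2025-01,Risk management process,ISO 42001,2025-03-03,2025-03-07,J. Smith,Closed,2,2026-03-02,EV-AUD-001
AUD-2025-02,Measure function controls,NIST AI RMF,2025-06-02,2025-06-06,A. Lee,Reported,1,2026-06-01,EV-AUD-002
AUD-2025-03,Annex IV technical file,EU AI Act,2025-09-01,2025-08-29,J. Smith,Open,x,2026-09-01,EV-aud-3
"""

def validate_row(row):
    """Return the problems found in one register row; an empty list means it is clean."""
    aid, problems = row["Audit_ID"], []
    if not EV_ID_RE.match(row["EV_ID"] or ""):
        problems.append(f"{aid}: EV_ID {row['EV_ID']!r} is not of the form EV-XXX-NNN")
    if row["Framework"] not in FRAMEWORKS:
        problems.append(f"{aid}: unknown Framework {row['Framework']!r}")
    if not (row["Findings_Count"] or "").isdigit():
        problems.append(f"{aid}: Findings_Count must be a non-negative integer")
    try:
        start, end, nxt = (date.fromisoformat(row[k])
                           for k in ("Start_Date", "End_Date", "Next_Audit"))
        if not start <= end < nxt:  # an audit cannot end before it starts
            problems.append(f"{aid}: need Start_Date <= End_Date < Next_Audit")
    except (TypeError, ValueError):  # missing cell or non-ISO date
        problems.append(f"{aid}: dates must be ISO 8601 (YYYY-MM-DD)")
    return problems

def load_register(text):
    """Parse the CSV, reject a header that deviates from the spec, validate every row."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != HEADERS:
        raise ValueError(f"header mismatch: {reader.fieldnames}")
    rows = list(reader)
    return rows, [p for row in rows for p in validate_row(row)]

def coverage_by_framework(rows):
    """Audits and findings per framework, counting only rows that pass validation."""
    summary = {}
    for row in (r for r in rows if not validate_row(r)):
        fw = summary.setdefault(row["Framework"], {"audits": 0, "findings": 0})
        fw["audits"] += 1
        fw["findings"] += int(row["Findings_Count"])
    return summary
```

Running `load_register(SAMPLE_CSV)` flags the third row three times (malformed EV_ID, non-numeric Findings_Count, End_Date before Start_Date) and leaves the first two rows to be counted in the coverage summary.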
B) Non-Conformity Log (Excerpt)
ID         | Description                           | Severity | Action                     | Status
NC-2025-04 | Missing evidence for data bias review | Major    | Submit bias testing report | Closed

Framework Alignment

Framework         | Reference        | Relevance
ISO/IEC 42001     | §9.2 & §10.2     | Internal audit & non-conformity management.
NIST AI RMF       | Manage & Measure | Evidence record & performance tracking.
EU AI Act         | Annex IV & Art 16 | Audit documentation & conformity records.
UK DSIT Framework | Principle 6      | Accountability & audit assurance.

Implementation Checklist

  • Audit Schedule Register maintained and approved by Compliance Board.
  • Evidence Repository versioned and indexed with EV-IDs.
  • CAPA Tracker integrated with Desk and PMM systems.
  • Quarterly management review evaluates audit outcomes.
  • External auditors granted read-only portal access to IAEMS evidence library.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 18 Nov 2025 • This page is general guidance, not legal advice.