Scenario 1 (continued):

To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.

Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.

After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.

Question:

Based on functionality, what type of AI system did Future Horizon Academy establish?

Scenario 2: OptiFlow is a logistics company located in New Delhi, India. The company has enhanced its operational efficiency and customer service by integrating AI across various domains, including route optimization, inventory management, and customer support. Recognizing the importance of AI in its operations, OptiFlow decided to implement an Artificial Intelligence Management System (AIMS) based on ISO/IEC 42001 to oversee and optimize the use of AI technologies.

To address Clauses 4.1 and 4.2 of the standard, OptiFlow identified and analyzed internal and external issues and needs and expectations of interested parties. During this phase, it identified specific risks and opportunities related to AI deployment, considering the system ' s domain, application context, intended use, and internal and external environments. Central to this initiative was the establishment and maintenance of AI risk criteria, a foundational step that facilitated comprehensive AI risk assessments, effective risk treatment strategies, and precise evaluations of risk impacts. This implementation aimed to meet AIMS’s objectives, minimize adverse effects, and promote continuous improvement. OptiFlow also planned and integrated strategies to address risks and opportunities into AIMS’s processes and assessed their effectiveness.

OptiFlow set measurable AI objectives aligned with its AI policy across all organizational levels, ensuring they met applicable requirements and matched the company’s vision. The company placed strong emphasis on the monitoring and communication of these objectives, ensuring they were updated annually or as needed to reflect changes in technology, market demands, or internal processes. It also documented the objectives, making them accessible across the company.

To guarantee a structured and consistent AI risk assessment process, OptiFlow emphasized alignment with its AI policy and objectives. The process included ensuring consistency and comparability, identifying, analyzing, and evaluating AI risks.

OptiFlow prioritizes its AIMS by allocating the necessary resources for its comprehensive development and continuous enhancement. The company carefully defines the competencies needed for personnel affecting AI performance, ensuring a high level of expertise and innovation.

OptiFlow also manages effective internal and external communications about its AIMS, aligning with ISO/IEC 42001 requirements by maintaining and controlling all required documented information. This documentation is meticulously identified, described, and updated to ensure its relevance and accessibility. Through these strategic efforts, OptiFlow upholds a commitment to excellence and leadership in AI management practices.

To comply with Clause 9 of ISO/IEC 42001, the company determined what needs to be monitored and measured in the AIMS. It planned, established, implemented, and maintained an audit program, reviewed the AIMS at planned intervals, documented review results, and initiated a continuous feedback mechanism from all interested parties to identify areas of improvement and innovation within the AIMS

Which of OptiFlow’s implemented requirements is NOT included in Clause 9 (Performance Evaluation) of ISO/IEC 42001? Refer to Scenario 2.

A financial institution has integrated AI systems into its operations and has adopted risk management principles from an internationally recognized standard to specifically mitigate AI-related risks effectively. Which standard has the institution applied in this case?

Question:

While preparing for an AIMS audit, a technology company faced an issue: the auditor lacked a required security clearance for accessing sensitive information related to government contracts.

The company requested a replacement auditor. Is this acceptable?

What type of audit evidence did Augustine gather when he collected management review records? Refer to scenario 3.

Scenario 3: Heala specializes in developing Al-driven solutions for the healthcare sector. With a keen focus on leveraging Al to revolutionize patient care, diagnostics,

and treatment planning, the company has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001. After a year of having the AIMS in

place, the company decided to apply for a certification audit.

It contracted a local certification body, who established the audit team and assigned the audit team leader. Augustine, the designated audit team leader, has a wide

range of skills relevant to various auditing domains. His proficiency encompasses audit principles, processes, and methods, as well as standards for management

systems and additional references. Furthermore, he is knowledgeable about the Heala’s context and relevant statutory and regulatory requirements.

Augustine first gathered management review records, interested party feedback logs, and revision histories for Heala ' s AIMS. This crucial step laid the groundwork for

a deeper investigation, which included conducting comprehensive interviews with key personnel to understand how feedback from interested parties directly

influenced updates to the AIMS and its strategic direction. Augustine ' s thorough evaluation process aimed to verify Heala ' s commitment to integrating the needs and

expectations of interested parties, a critical requirement of ISO/IEC 42001.

Augustine also integrated a sophisticated Al tool to analyze large datasets for patterns and anomalies, and thus have a more informed and data driven audit process.

This Al solution, known for its ability to sift through vast amounts of data with unparalleled speed and accuracy, enabled Augustine to identify irregularities and trends

that would have been nearly impossible to detect through manual methods. The tool was also helpful in preparing hypotheses based on data.

During the audit. Augustine failed to fully consider Heala’s critical processes, expectations, the complexity of audit tasks, and necessary resources beforehand. This

oversight compromised the audit integrity and reliability, reflecting a significant deviation from the diligence and informed judgment expected of auditors.

Question:

What does sampling error refer to in the context of the audit?

What is the purpose of conducting an opening meeting in the audit process?

What is one of the key objectives of conducting an audit according to ISO 19011?

Scenario 1 (continued):

To ensure the integrity of the AI system, Future Horizon Academy has implemented measures to ensure that training data remain isolated from data that could lead to harmful or undesirable outcomes. The institution adds significant data elements as metadata, transforms the data into a format usable by the AI system, and uses data from one or more trusted sources.

Committed to standardization and continual improvement, Future Horizon Academy decided to implement an artificial intelligence management system (AIMS) based on ISO/IEC 42001 that would help the institution increase operational efficiency, resulting in improved processes.

After having the AIMS in place for a year, the institution decided to apply for a certification audit to get certified against ISO/IEC 42001. Prior to the certification audit, the institution conducted an internal audit and management review to ensure that the AIMS aligns with the institution’s own requirements and that the system is being maintained effectively.

Question:

Prior to the certification audit, the institution conducted an internal audit and management review. Is this acceptable?

Scenario 4 (continued):

BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.

Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.

Once the stage 1 audit began, the audit team started reviewing the auditee ' s documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.

Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John ' s lack of competence in undertaking some

audit activities, a disciplinary note was recorded for John.

Question:

What level of negligence did Emma observe regarding John’s audit documentation failures?