Question:
While auditing a company’s AIMS, the audit team reviewed policies, objectives, and communications to evaluate the involvement of top management. They also conducted interviews with staff to assess the engagement of leaders at various levels in ensuring the system’s effectiveness.
Based on this approach, what level of management should the auditors prioritize when assessing leadership and commitment?
Question:
During a combined audit, if an auditor identifies a finding linked to one criterion, should they consider its potential impact on corresponding or related criteria of other management systems?
A healthcare provider wants to develop a system that can analyze medical images, such as X-rays and MRIs, to assist doctors in diagnosing diseases. Which AI concept is most relevant for this application?
Question:
During which phase of the certification process is confirmation of registration performed?
Question:
Which of the following should be considered when determining the feasibility of the audit?
A financial institution uses an AI system to approve loan applications. Recently, there have been complaints that the system disproportionately denies loans to applicants from certain minority groups. Which core element should the institution prioritize to address these complaints?
Which among the following core concepts of Artificial Intelligence uses artificial neural networks inspired by the human brain to process complex data like images, text, and speech?
Scenario 2 (continued):
Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries.Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyzevast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, thecompany has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.
Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a frameworkfor defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it
did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented thepolicy, communicated it internally, and made it accessible to interested parties.
The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, theyensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, andfacilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel
were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Alperformance.
The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria andimplemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement.Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure theintegrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using aversioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to makechanges was restricted to authorized personnel, and any proposed modifications required approval from the designated managementteam before being implemented.
Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established acomprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it isnecessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance onimplementing controls and, ultimately, produced a Statement of Applicability SoA. The SoA contained the necessary controls, including allthe controls of Annex A and justifications for their inclusion or exclusion.
Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company'srequirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensuredobjectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top
management of the company.
Question:
According to Scenario 2, were the risks addressed in accordance with the ISO/IEC 42001 requirements?
Question:
While preparing for an AIMS audit, a technology company faced an issue: the auditor lacked a required security clearance for accessing sensitive information related to government contracts.
The company requested a replacement auditor. Is this acceptable?
Scenario 5 (continued):
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by usingadvanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure
that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS basedon ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leaderdespite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills
and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team ofseven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whetherphysical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition hadbeen defined, thecertification body provided the audit team leader with extensive information, including the audit objectives anddocumented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the auditactivities to be conducted. The team leader also received information needed for evaluating and addressing identified risks andopportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initialcontact. The initial contact aimed to confirm thecommunication channels, establish the audit team's authority to conduct the audit, andsummarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robertemphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides orinterpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issuesand finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-relateddata governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management,proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governancepractices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the auditbased on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
Question:
According to Scenario 5, was Robert's decision to proceed with the audit without changing its scope appropriate?
TESTED 30 Apr 2025
