Appendix 1: Classic IT audit components in AI context

AI systems share many features with traditional software, so established audit standards like the Cross-Industry Standard Process for Data Mining (CRISP-DM) can guide reviews.[67]

CRISP-DM reflects the standard development process of AI systems, even where the developer does not explicitly follow it. IT auditors can therefore perform a high-level review without expert knowledge of AI. It is broken down into seven phases:

  1. Business understanding
  2. Data understanding
  3. Data preparation
  4. Modelling and development
  5. Evaluation of the model before deployment
  6. Deployment and the accompanying change management processes
  7. Operation of the model and performance in production

Some phases, such as business understanding, can be audited in much the same way as traditional software projects. Others, such as data preparation and modelling, may require specialist knowledge. It is good practice to form audit teams with a mix of skills. A balanced team might include specialist auditors, IT auditors, and data scientists. If a team lacks experience in data science, they should seek input from colleagues with that expertise. Similarly, teams less familiar with IT audits should involve experienced IT auditors. This approach helps ensure that all aspects of the system are properly reviewed.

The German Supreme Audit Institution (Bundesrechnungshof) used this approach in its first audit of an AI system. The audit team included a specialist auditor with knowledge of the auditee organisation and two technical auditors: one with an IT background and one with a background in natural sciences. These auditors were brought together from different units to form a dedicated AI audit team.

The audit helper tool that is included with this paper is structured in line with the AI lifecycle, and provides audit questions suitable for specialist auditors, IT auditors, and data scientists.