The following list attempts to summarise the responsibilities in an ML project that can be relevant in an audit. It is provided to help auditors identify contacts within the auditee’s organisation.
Comparatively small auditee organisations might combine several of the roles below into a single person or team.
Some roles can furthermore be taken on by external consultants; however, in the case of the audit happening after the consultants’ assignment is finished, internal personnel should have acquired the knowledge of the respective roles. It is thus the responsibility of the auditee to ensure sufficient documentation of any work done by external consultants.

Budgetary commissioner

This person is responsible for the budget of the auditee organisation and thus for any spending on ML algorithm software development projects or consulting. They are the authority on whether the development and operation of such an algorithm is a worthwhile use of the auditee organisation’s budget and should be able to provide all budgetary information on the ML algorithm’s development and operation.

Chief information officer (CIO)

The CIO of the auditee organisation is responsible for all its IT and thus should be informed about all ML algorithms already in operation and all projects that are developing such algorithms.

Commissioner for data protection and privacy

This is the chief data protection official of the auditee organisation. They must be informed of any concerns about the use of personal data by the ML algorithm. Their role is to ensure that the algorithm adheres to data privacy laws and regulations, such as the EU’s GDPR.


The person who audits projects and checks for adherence to governance principles.

Data analyst

The person who analyses and works with the data that is to be fed to the ML algorithm. They are responsible for data understanding and should be closely involved with the development process. They assist the product owner by translating their demands into specifications and requirements for the developers.

Data engineer

The person responsible for technical aspects of the raw data (data warehousing, data quality, access control) as well as understanding of the raw data and sources. They are also responsible for data provision and data management.


The person/people who produce the ML model according to the specifications and requirements that were agreed upon with the product owner (and train the model, for models that require a training phase). They are responsible for transformations of the raw data to the final variables used by the model (‘feature engineering’), and they are closely involved with the data analysts and engineers, the project leader and the product owners.

IT security officer

This is the chief IT security official of the auditee organisation. They must be informed about any and all IT security aspects of the development and operation of the ML algorithm.

Process hotline/user helpdesk

The team that is tasked with providing support for users/processing officials. They should be able to answer all questions that arise during the routine operation of the software.

Project leader

The person responsible for all project management/project governance topics. They should be able to provide any required project management documents.

Project owner/product owner

The team or unit within the auditee organisation that is responsible for the task that now should be supported or automated with an ML algorithm. They decide on which performance measures are required from the ML algorithm and the acceptance of the deliverables at the end of an ML development project.

User/processing official

The person or unit that is supposed to use the results of the ML algorithm for their job. They are a deciding factor for the success of ML projects as they have to understand the suggestions or results from the ML algorithm and apply them to their (routine) tasks.

Subject matter expert

This is a generic term for someone with expert knowledge in a specific domain.