A clear and agreed-upon audit scope is fundamental to the success of any management system audit, including one for ISO/IEC 42001. The scope defines the extent and boundaries of the audit, such as the organizational units, processes, activities, and the physical or virtual locations to be covered. This ensures that the audit is focused, and that all relevant and agreed-upon aspects of the AI Management System (AIMS) are systematically examined against the audit criteria. It provides a clear basis for planning, resource allocation, and execution, preventing both "scope creep" and the omission of critical areas, thereby ensuring the audit objectives are met effectively.

A. While a clear scope contributes to efficiency and may reduce time, its primary purpose is to ensure the audit's effectiveness and completeness within its defined boundaries.

B. A well-conducted audit can help identify compliance gaps that may have legal implications, but preventing legal liabilities is not the primary purpose of defining the audit scope.

C. Confidentiality is a fundamental principle of auditing that applies to the entire audit process, regardless of the scope's definition.

1. ISO 19011:2018, Guidelines for auditing management systems, Clause 5.3, "Establishing the audit scope". This section specifies that the scope should be consistent with the audit programme and audit objectives and describes the extent and boundaries of the audit.

2. ISO 19011:2018, Guidelines for auditing management systems, Clause 6.2.2, "Establishing audit objectives, scope and criteria". This clause details that the audit scope defines what is to be audited to meet the audit objectives.

3. ISO/IEC 42001:2023, Information technology — Artificial intelligence — Management system, Clause 9.2, "Internal audit". This clause requires the organization to conduct internal audits, which must be performed according to the principles outlined in ISO 19011, including the establishment of a clear scope.

The scenario explicitly states that Securisai "decided to transfer its ISO/IEC 42001 certification registration from one certification body to another." The company is actively compiling the necessary documentation, such as the formal request, recent audit reports, and current certification, to submit to the new body. This process is a standard procedure for transferring an existing, valid certification between accredited bodies, allowing the organization to maintain its certified status without interruption. The actions described do not meet the criteria for suspension or withdrawal, which are typically punitive measures for non-compliance.

A. Suspension is a temporary invalidation of certification due to unresolved nonconformities or failure to meet certification requirements, which is not the situation described.

B. Withdrawal, or cancellation, of a certification occurs when an organization fails to resolve issues leading to suspension or voluntarily terminates its certification, which is not Securisai's intent.

1. International Accreditation Forum (IAF). (2020). IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems (IAF MD 2:2020). Section 2.1 describes the process and conditions for transferring certification, which align with Securisai's actions.

2. ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements. Clause 9.5.3 discusses transferring certification, outlining the review process the accepting certification body must undertake.

Judgment-based (or non-statistical) sampling relies on the auditor's knowledge and experience to select a sample, rather than a random, probabilistic method. The primary drawback of this approach is that the results cannot be statistically projected to the entire population of data. Therefore, it is not possible to calculate a confidence level or a margin of error (sampling risk) for the conclusions drawn from the sample. The findings apply only to the items examined.

A: This is incorrect; statistical sampling requires extensive statistical training, whereas judgment-based sampling relies on auditor experience and expertise.

C: Relying on identified risks is a common and often effective strategy for judgment-based sampling, making it a feature, not a drawback.

ISO 19011:2018, Guidelines for auditing management systems, Annex A.6.2 Non-statistical sampling: "With non-statistical sampling, there is no statistical estimation of the uncertainty. Audit sampling is non-statistical when the sample selection is based on judgement."

The Institute of Internal Auditors (IIA). (2011). Practice Advisory 2320-3: Audit Sampling. "When using nonstatistical sampling, the internal auditor should consider the sampling risk but will not be able to measure it." (While an IIA document, it reflects universal auditing principles applicable here).

The evidence obtained is confirmative. Confirmative evidence is information received directly from an independent third party that corroborates information provided by the auditee. In this scenario, the audit team examined evidence from BioNovaPharm's external legal office, an independent entity, which confirmed the company's compliance with the EU AI Act's incident reporting requirements. This external validation serves to confirm the auditee's claims regarding their legal and regulatory compliance processes. The evidence is not based on technical system outputs, auditor's calculations, or direct observation of an activity.

B. Technical evidence would be data or logs from the AI system itself, not a legal opinion on compliance with a regulation.

C. Analytical evidence involves auditors performing their own analysis or comparisons of data, which was not done here.

D. Observational evidence would require the auditors to witness the incident reporting process in action, which is not described in the scenario.

1. ISO 19011:2018, "Guidelines for auditing management systems", Clause 6.4.5, "Collecting and verifying information". This clause outlines various sources of information, including interviews, documents, and records. Obtaining information from an external source (legal office) is a method of verification.

2. Sayana, S. A. (2003). "Risk-based IS Auditing". Information Systems Control Journal, 1, 23-26. This article discusses different types of audit evidence, where confirmation is described as obtaining evidence from third parties to corroborate management's assertions.

3. Arens, A. A., Elder, R. J., & Beasley, M. S. (2016). Auditing and Assurance Services: An Integrated Approach (16th ed.). Pearson Education. Chapter 7, "Audit Evidence," categorizes confirmation as a highly reliable type of evidence obtained from a third party.

Following the identification of a major nonconformity during a certification or surveillance audit, the standard process requires the auditee to implement corrections and corrective actions. The certification body must then verify the effectiveness of these actions. This is done through a follow-up activity, which could be a review of submitted evidence or a limited on-site audit. A positive certification decision cannot be made until this verification is successfully completed. This step ensures the integrity of the management system has been restored before certification is granted or continued.

A: A full re-audit of the entire AIMS is excessive and not cost-effective for a single, albeit major, nonconformity unless it indicates a systemic failure.

B: Prompt revocation is a punitive measure reserved for cases where the auditee fails to address major nonconformities or there is a severe breach of certification requirements.

1. ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements, Clause 9.4.10.2. This clause specifies the need to verify the effectiveness of corrections and corrective actions for nonconformities.

2. ISO/IEC 17021-1:2015, Clause 9.5.2, details the information required for granting initial certification, which presupposes the resolution of any major nonconformities.

Roger developed a general plan, more accurately described as an audit program. The scenario states he "developed a long term strategy, highlighting key AIMS processes for triennial audits." This describes a high-level, strategic approach that sets the direction and frequency for audits over a multi-year period. It is not a detailed plan, which would include specifics for a single audit, such as objectives, scope, criteria, dates, and team assignments. The focus on a "long term strategy" and a "triennial" cycle for "key processes" confirms its nature as a general audit program.

A. The plan is for triennial (every three years) audits, not annual audits, and it only "highlights" processes, indicating it is not detailed.

C. While it covers key AIMS processes, its long-term and strategic nature, without specific audit details, makes it a general plan or program, not a detailed one.

1. ISO 19011:2018, Guidelines for auditing management systems. Clause 5, "Managing an audit programme," describes establishing the objectives and extent of the programme, which aligns with Roger's long-term strategy.

2. ISO 19011:2018, Guidelines for auditing management systems. Clause 6.3, "Preparing audit activities," describes the contents of a detailed audit plan for a specific audit, which is distinct from the overall programme Roger developed.

A familiarity threat to impartiality arises when an auditor, due to a close or long-standing relationship with the client, becomes too sympathetic to their interests or too accepting of their work. A close relative holding a key management position in the audited organization is a textbook example of a situation that creates a familiarity threat. The personal relationship could compromise the auditor's professional skepticism and objectivity, which are fundamental to a credible audit.

A. A self-interest threat involves a financial or other interest that could influence the auditor's judgment, which is not the primary threat here.

C. An intimidation threat occurs when an auditor is deterred from acting objectively by perceived or actual threats from the client.

D. An advocacy threat arises when an auditor promotes the client's position to the point where their objectivity is compromised, such as acting as their legal representative.

1. ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems, Section 5.2.3. This section explicitly lists threats to impartiality, stating: "Threats to impartiality may include... b) Familiarity threats: threats that arise from a person or body being too familiar or trusting of another person or body instead of seeking audit evidence."

2. International Federation of Accountants (IFAC). (2018). International Code of Ethics for Professional Accountants. Section 290.143. This code identifies a "familiarity threat" as occurring "when, because of a long or close relationship with a client..., a professional accountant will be too sympathetic to their interests or too accepting of their work." It specifically cites a close family member in a senior position at the client as an example.

Conducting an internal audit and a management review before a certification audit is a mandatory requirement of ISO/IEC 42001. These activities are part of the "Check" phase in the Plan-Do-Check-Act (PDCA) cycle. They serve to verify the effectiveness of the Artificial Intelligence Management System (AIMS) and its conformity to the standard's requirements and the organization's own objectives. The results of these activities provide crucial evidence to the external auditor that the AIMS is implemented, maintained, and continually improved, forming a basis for the certification decision.

A. Management review (Clause 9.3) is a distinct and equally critical requirement to the internal audit (Clause 9.2) that must be completed before certification.

C. The internal audit is a prerequisite for the certification audit, used to confirm readiness. Conducting it after would defeat its primary purpose.

D. Internal audits are required at planned intervals to ensure the ongoing effectiveness of the AIMS, not just for recertification audits.

1. ISO/IEC 42001:2023, Information technology — Artificial intelligence — Management system, Clause 9.2 "Internal audit" and Clause 9.3 "Management review". These clauses mandate that the organization shall conduct internal audits and management reviews at planned intervals.

2. ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements, Clause 9.2.3.1.1. This standard, which governs certification bodies, implies that evidence of a functioning system, including internal audits and management reviews, is necessary for a Stage 2 audit.

Sampling error is the inherent discrepancy between the characteristics observed in a sample and the actual characteristics of the entire population from which that sample was drawn. In an audit, this means that the conclusions an auditor draws from a sample of records (e.g., AI system logs) might differ from the conclusion they would have reached if they had examined every single record. This is a statistical risk that exists even with perfectly random sampling and is managed by using appropriate sampling methods and sizes.

A. This describes selection bias, which is a cause of non-sampling error, not the definition of sampling error itself.

C. This describes a specific biased sampling method, which can lead to error, but it is not the definition of the error.

1. ISO 19011:2018, "Guidelines for auditing management systems," Annex A, Clause A.6, "Audit sampling," implicitly addresses this by discussing the risk that "samples may not be representative of the population from which they are selected." This potential for non-representativeness is the source of sampling error.

2. Groves, R. M., et al. (2009). Survey methodology (2nd ed.). Wiley. Chapter 2, "Inference and Error in Surveys," provides a formal definition of sampling error as a component of total survey error. (This is a standard university-level text on the subject).

The audit process, as defined by standards like ISO 19011 (Guidelines for auditing management systems), consists of several distinct stages. The step that specifically involves examining an organization's policies, procedures, work instructions, and records to determine conformity with audit criteria is the document review. This is often conducted as part of the Stage 1 audit or in preparation for on-site audit activities (Stage 2). It allows the auditor to understand the design of the management system before verifying its implementation.

A. Closing meeting: This is the final step of the on-site audit, where the audit team presents its findings and conclusions to the auditee's management.

B. Audit reporting: This is the process of formally documenting the audit findings, conclusions, and recommendations in a final report after the audit activities are complete.

C. Audit follow-up: This involves verifying the effectiveness of corrective actions taken by the auditee to address nonconformities found during the audit.

1. ISO 19011:2018, Guidelines for auditing management systems, Clause 6.4.5, "Reviewing documented information." This section explicitly describes the activity of reviewing the auditee's relevant documented information as part of conducting the audit.

2. ISO/IEC 42001:2023, Information technology — Artificial intelligence — Management system, Clause 9.2, "Internal audit." This clause requires the organization to conduct internal audits, which would follow the standard process outlined in ISO 19011, including a document review phase.

3. International Accreditation Forum (IAF). (2015). IAF Mandatory Document for the Certification of Management Systems (IAF MD 5:2015). Section 2.2 describes the Stage 1 audit, a primary purpose of which is "to review the client's management system documented information."