PECB ISO-IEC-42001 Lead Auditor 시험

Question No : 1

Scenario 5 (continued):
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team's authority to conduct the audit, and summarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
Based on Scenario 5, were all the recommended aspects covered during the initial contact with Aizoia?

• A.No, the negotiation of the final audit fee and payment schedule was not covered
• B.No, the agreement with the auditee regarding the extent of the disclosure and the treatment of confidential information was not confirmed
• C.Yes, all the required aspects were covered during the initial contact

답을 확인하기

정답:
Explanation:
The scenario does not mention addressing confidentiality agreements, which is mandatory during the initial contact.
ISO/IEC 17021-1:2015 Clause 9.2.3.1 and ISO 19011:2018 Clause 6.4.3 both require that agreements about confidentiality, access rights, and data protection must be confirmed before starting the audit.
The Lead Auditor Manual highlights: “Initial contact meetings must establish the treatment of confidential information and audit-related disclosure agreements.”
Reference: ISO/IEC 17021-1:2015 Clause 9.2.3.1; ISO 19011:2018 Clause 6.4.3.

Question No : 2

Scenario 5 (continued):
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team's authority to conduct the audit, and summarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
According to Scenario 5, was Robert's decision to proceed with the audit without changing its scope appropriate?

• A.Yes, because no agreement was reached to change the scope, and he documented the decision accordingly
• B.No, Robert must have withdrawn from the audit and informed the interested parties
• C.No, Robert should have opted to conduct a follow-up audit

답을 확인하기

정답:
Explanation:
Robert acted correctly by proceeding without changing the scope, because no official agreement was made to modify it, and he documented the conversation properly.
ISO/IEC 17021-1:2015 Clause 9.2.3.1 specifies that "Audit scope can only be changed if formally agreed by both the auditee and the certification body."
The Lead Auditor Guide says: “If the auditee and auditor cannot agree to modify the audit scope, the original scope must remain valid, and deviations should be documented.”
Reference: ISO/IEC 17021-1:2015 Clause 9.2.3.1; ISO/IEC 42001:2023 Clause 9.2.

Question No : 3

Scenario 5 (continued):
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team's authority to conduct the audit, and summarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
Based on Scenario 5, did the certification body provide all the necessary information to conduct the audit to the audit team leader?

• A.No, information on the resources necessary to conduct the audit was not provided
• B.Yes, all the necessary information was provided to the audit team leader
• C.No, the audit team leader did not receive details on the audit team's training requirements

답을 확인하기

정답:
Explanation:
The certification body provided all the necessary information, including scope, objectives, methods, contact information, and risks.
ISO/IEC 17021-1:2015 Clause 9.2.3.1 and ISO/IEC 42001:2023 Clause 9.2 state that the certification body must equip the audit team leader with sufficient information for audit planning and execution.
The Lead Auditor Study Material confirms: “Audit planning must be supported by complete and verified information provided by the certification body.”
Reference: ISO/IEC 17021-1:2015 Clause 9.2.3.1; ISO/IEC 42001:2023 Clause 9.2.

Question No : 4

Scenario 5:
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by using advanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure
that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS based on ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS’s effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leader despite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team of seven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whether physical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition had been defined, the certification body provided the audit team leader with extensive information, including the audit objectives and documented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the audit activities to be conducted. The team leader also received information needed for evaluating and addressing identified risks and opportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initial contact. The initial contact aimed to confirm the communication channels, establish the audit team's authority to conduct the audit, and summarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robert emphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides or interpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issues and finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia’s operations, leading him to conclude that a review of its Al-related data governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management, proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governance practices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the audit based on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
Robert did not receive an offer from the certification body prior to accepting the mandate. Is this acceptable?

• A.Yes, since Robert is a full-time employee of the certification body, he may accept audit mandates without receiving a formal offer
• B.No, the audit team leader must receive an official offer before accepting the audit mandate
• C.Yes, if the auditor has extensive experience, a formal offer is not necessary

답을 확인하기

정답:
Explanation:
The audit team leader must receive a formal appointment before accepting the audit responsibility. ISO/IEC 17021-1:2015 Clause 9.2.3.1 requires that the audit team leader must be formally appointed by the certification body to ensure clarity and avoid conflicts.
The Lead Auditor Guide states: “Formal acceptance of an audit assignment is critical to ensure that audit roles, responsibilities, and impartiality expectations are clearly communicated.”
Reference: ISO/IEC 17021-1:2015 Clause 9.2.3.1; ISO/IEC 42001 Lead Auditor Manual Section 5 ("Audit Team Leader Requirements").

Question No : 5

What type of audit is conducted when a customer audits suppliers to make purchasing decisions?

• A.First-party audit
• B.Second-party audit
• C.Third-party audit

답을 확인하기

정답:
Explanation:
A Second-party audit is conducted by customers on their suppliers to verify whether the supplier's processes or products meet the purchasing requirements.
ISO 19011:2018 Clause 3.11 defines second-party audits as: “Audits conducted by a customer on their suppliers or by organizations on others with whom they have a contractual interest.”
This is referenced by ISO/IEC 42001:2023 when explaining supply chain risk management in AI systems (Clause 8.1).
Reference: ISO 19011:2018 Clause 3.11; ISO/IEC 42001:2023 Clause 8.1.

Question No : 6

DenSolutions, a financial institution, is seeking to certify its AIMS. The certification body appointed Sarah as the audit team leader, who previously provided consultancy services regarding the AIMS.
Can Sarah audit the AIMS of DenSolutions?

• A.Yes, if the auditor does not directly audit any component of the AIMS they consulted on and only oversees the audit process
• B.Yes, if a minimum of two years have passed following the end of the consultancy
• C.No - auditors who contribute to the design, implementation, and maintenance of the AIMS cannot participate in AIMS audits
• D.Yes, with approval from the auditee

답을 확인하기

정답:
Explanation:
Sarah cannot audit because auditors who have contributed to the design, implementation, or maintenance of a management system must not audit that same system to avoid conflict of interest.
ISO/IEC 17021-1:2015 Clause 5.2.5 clearly states: “Personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used to conduct audits.”
The Lead Auditor Guide explains: “Maintaining impartiality requires that individuals with consultancy roles be excluded from auditing the systems they helped create.”
Reference: ISO/IEC 17021-1:2015 Clause 5.2.5; ISO/IEC 42001 Lead Auditor Training Material, Conflict of Interest Management.

Question No : 7

During the annual ISO/IEC 42001 audit at a financial company, the auditor selected and analyzed a sample of 5 out of 25 follow-up nonconformity reports to assess whether the company adheres to its follow-up process.
What type of evidence did the auditor gather?

• A.Qualitative
• B.Semi-quantitative
• C.Quantitative
• D.Observational

답을 확인하기

정답:
Explanation:
The auditor gathered Quantitative evidence.
Quantitative evidence is defined as evidence that is measurable and based on numbers or statistical sampling.
ISO 19011:2018 Clause 6.5.5 states: “Quantitative audit evidence is numerical or measurable and collected through sampling, measurements, or observations.”
Sampling nonconformity reports to check process adherence clearly falls under quantitative evidence.
Reference: ISO 19011:2018 Clause 6.5.5; ISO/IEC 42001:2023 Clause 9.2.2.

Question No : 8

Which of the following describes a joint audit?

• A.When two or more auditing organizations cooperate to audit a single auditee
• B.When two or more management systems are audited together at a single auditee
• C.When an internal audit and a third-party audit are conducted simultaneously
• D.When audits are conducted back-to-back for efficiency

답을 확인하기

정답:
Explanation:
A Joint Audit is when two or more audit organizations cooperate to audit the same auditee.
ISO 19011:2018 Clause 3.9 defines joint audit as: “An audit carried out by two or more auditing organizations cooperating to audit a single auditee.”
This is further echoed in ISO/IEC 42001:2023, which supports joint audits especially in multi-country and consortium environments (Clause 9.2.1 reference to audit scope management).
Reference: ISO 19011:2018 Clause 3.9; ISO/IEC 42001:2023 Clause 9.2.1.

Question No : 9

An auditor has been assigned to perform a certification audit for an organization. However, the auditor discovers that their close relative holds a key management position within the organization being audited.
What kind of threat to impartiality does this situation represent?

• A.Self-interest
• B.Familiarity
• C.Intimidation
• D.Advocacy

답을 확인하기

정답:
Explanation:
This situation represents a Familiarity Threat.
ISO/IEC 17021-1:2015 Clause 5.2.7 identifies familiarity as a risk when an auditor develops a relationship with a client that could impair objectivity.
The ISO/IEC 42001 Lead Auditor Guide states: “Familiarity threat occurs when an auditor becomes too sympathetic to the auditee’s interests, due to close relationships or repeated interactions.”
A relative in management would heavily impair the auditor’s independence.
Reference: ISO/IEC 17021-1:2015 Clause 5.2.7; ISO/IEC 42001 Lead Auditor Study Manual Section 4 ("Threats to Auditor Impartiality").

Question No : 10

During an audit, the auditor employed data analytic technology to identify anomalies and unusual patterns in the decision-making processes of an AI system used by a financial institution to approve or reject loan applications.
Which data analytic technology did the auditor use?

• A.Predictive analytics
• B.Text analytics
• C.Data mining
• D.Visual analytics

답을 확인하기

정답:
Explanation:
The auditor used Data Mining.
Data mining involves exploring large datasets to identify patterns, anomalies, or relationships.
ISO/IEC 20546:2019 Clause 3.5 defines data mining as: “The process of discovering patterns, correlations, anomalies, and associations within large datasets.”
In ISO/IEC 42001:2023, auditors are encouraged in Clause 9.2.2 to use appropriate technological tools to analyze AI system behavior, including using big data technologies for pattern recognition during audits.
Reference: ISO/IEC 20546:2019 Clause 3.5; ISO/IEC 42001:2023 Clause 9.2.2.

Question No : 11

Scenario 4 (continued):
BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.
Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.
Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.
Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some audit activities, a disciplinary note was recorded for John.
What level of negligence did Emma observe regarding John’s audit documentation failures?

• A.Ordinary negligence
• B.Gross negligence
• C.Fraud
• D.Minor error

답을 확인하기

정답:
Explanation:
Ordinary negligence refers to a failure to apply the level of care that a reasonable auditor would exercise, without intentional misconduct.
ISO/IEC 17021-1:2015 Clause 7.2.5 requires auditors to document audit findings properly and completely.
The Lead Auditor Study Guide defines ordinary negligence as: “An auditor’s unintentional oversight or failure to perform duties to expected professional standards, without evidence of deliberate wrongdoing.”
Reference: ISO/IEC 17021-1:2015 Clause 7.2.5; Lead Auditor Manual Chapter 6 ("Audit Team Behavior and Ethics").

Question No : 12

Scenario 4 (continued):
BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.
Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.
Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.
Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some audit activities, a disciplinary note was recorded for John.
Based on Scenario 4, does the level of detail in the audit plan adequately reflect all aspects recommended for a comprehensive risk-based approach to planning?

• A.Yes, the amount of detail provided in the audit plan reflects all the necessary aspects
• B.No, detailed audit procedures should have been prioritized based on the level of risk, from lowest to highest
• C.No, the audit plan should have included sufficient detail correlating with the risk of not achieving the audit objectives
• D.No, the audit plan should have focused on nonconformities only

답을 확인하기

정답:
Explanation:
The audit plan should correlate directly with the risk of not achieving the audit objectives, meaning higher-risk areas need more scrutiny.
ISO/IEC 17021-1:2015 Clause 9.2.3.1 and ISO/IEC 42001 Clause 9.2.1 emphasize that audit planning must be risk-based, addressing critical risk areas sufficiently to meet audit objectives.
Lead Auditor Training Module 3 highlights: “An audit plan must be sufficiently detailed based on risks to ensure critical activities receive proportionate audit attention.”
Reference: ISO/IEC 42001:2023 Clause 9.2.1; ISO/IEC 17021-1:2015 Clause 9.2.3.1.

Question No : 13

Scenario 4 (continued):
BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.
Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.
Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.
Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some audit activities, a disciplinary note was recorded for John.
Which of the following AI applications for auditing did the audit team employ?

• A.Augmented audit interviews
• B.Automated data validation
• C.Augmented analysis
• D.Automated planning

답을 확인하기

정답:
Explanation:
The audit team used Automated Data Validation by using AI to gather and validate external digital data (e.g., drug development information).
ISO/IEC 42001 Clause 9.2.2 allows the use of automated methods to collect and validate information, provided that the reliability and integrity of such systems are ensured.
The Lead Auditor Course Guide explains: “Automated data validation tools help auditors improve evidence collection efficiency by cross-referencing multiple datasets with minimal manual intervention.”
Reference: ISO/IEC 42001:2023 Clause 9.2.2; Lead Auditor Guide Module 5 ("Use of Automated Tools in Audits").

Question No : 14

Scenario 4 (continued):
BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.
Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.
Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.
Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some audit activities, a disciplinary note was recorded for John.
Based on Scenario 4, is the decision of the top management representative not to provide the additional evidence requested by the audit team justifiable?

• A.Yes, because the top management representative determined that the answers from the interviews could be corroborated by interviewing different employees
• B.No, because verbal evidence is less reliable than the other types of evidence and requires additional supporting evidence
• C.No, because it is not recommended to conduct interviews with different employees to verify segregation of roles and responsibilities within the organization
• D.Yes, because audits are based purely on interview evidence

답을 확인하기

정답:
Explanation:
Verbal evidence alone is considered less reliable.
ISO/IEC 42001 Clause 9.2.2 states that “auditors shall corroborate interviews with documented information or other tangible evidence whenever possible.”
The ISO 19011:2018 Guidelines for Auditing Management Systems (adopted for auditing principles) Clause 6.5.6 also clearly specifies: “Interview results should be verified with other forms of evidence because interviews alone are insufficient.”
Reference: ISO/IEC 42001:2023 Clause 9.2.2; ISO 19011:2018 Clause 6.5.6.

Question No : 15

Scenario 4:
BioNovaPharm, a German biopharmaceutical company, has implemented an artificial intelligence management system AIMS based on ISO/IEC 42001 to optimize various aspects of drug discovery, including analyzing extensive biological data, identifying potential drug candidates, and streamlining clinical trial processes. After having the AIMS in place for over a year, the company contracted a certification body and is now undergoing an AIMS audit to obtain certification against ISO/IEC 42001.
Adopting a risk-based approach, the audit team focused on risk throughout their activities. The level of detail outlined in the audit plan corresponded to the scope and complexity of the audit. The team employed a ranking system for detailed audit procedures, prioritizing those with the highest risk.
Once the stage 1 audit began, the audit team started reviewing the auditee's documented information. To assess whether BioNovaPharm complies with the legal and regulatory requirements related to incident communication, the audit team examined evidence provided by the company’s external legal office. The evidence confirmed that BioNovaPharm applies the requirements of the EU Al Act, which mandates that providers of high-risk Al systems report serious incidents to relevant authorities.
Following the completion of the stage 1 audit, John, an audit team member, documented the stage 1 audit outputs, including the observations of the audit team that could result in nonconformities during the on-site audit. However, the audit team leader, Emma, who was overseeing the audit activities, observed that John failed to document significant observations related to the lack of transparency in the Al decision-making processes of BioNovaPharm. Considering that Emma observed John's lack of competence in undertaking some
audit activities, a disciplinary note was recorded for John.
What type of evidence did the audit team obtain to assess BioNovaPharm's compliance with legal and regulatory incident reporting requirements?

• A.Confirmative
• B.Technical
• C.Analytical
• D.Observational

답을 확인하기

정답:
Explanation:
The audit team obtained Confirmative evidence.
ISO/IEC 42001:2023 Clause 9.2.2 specifies that during audits, objective evidence such as certifications, legal opinions, or official documentation that confirms compliance must be collected.
Confirmative evidence specifically refers to validated information from independent sources (in this case, external legal advice).
The Lead Auditor Training Manual also defines Confirmative Evidence as: “Evidence that provides verification of conformance through reliable independent sources.”
Reference: ISO/IEC 42001:2023 Clause 9.2.2; Lead Auditor Study Guide Chapter 7 ("Evidence Gathering Techniques").