Auditing is proposed in laws, regulations, and industry guidelines to mitigate AI risks, but there's a lack of established norms and standardized practices for compliance and assurance audits. Despite varied approaches like adversarial pressure testing and quantitative assessments, consensus on norms and practices is still evolving.

The term 'audit' is used broadly to encompass diverse evaluations of algorithmic tools, including pressure-testing by external entities, internal pre-deployment assessments, collaborative audits, and external audits ensuring compliance with legislative or standardized framework requirements.

External audits differ from risk or impact assessments in two main aspects. Firstly, algorithmic impact or risk assessments primarily focus on internal evaluations. Secondly, external audits require a conclusive outcome for stakeholders to act upon, while risk or impact assessments usually provide open-ended outputs, such as prioritized lists of risks or impacts.

This paper below specifically focuses on 'external audits,' also known as 'compliance audits,' which aim to ensure adherence to specified requirements. This paper introduces the 'criterion audit' as a practical way to do external audits, inspired by how financial audits work. It is defined as: "A criteria-based independent external evaluation E of an algorithmic system S conducted by an auditor A to determine whether the given system S meets the requirements set by a normative framework."

The criterion audit is characterized by 4 key features:
1. Standardized Criteria: Transparent evaluation against publicly accessible criteria.
2. Normative Framework: Measuring compliance against a specific normative framework.
3. Auditor Training: Standardized training and accreditation for auditors.
4. Public Disclosure: Results disclosed, ensuring transparency while addressing security concerns.

The standard process for a criterion audit includes target scoping, documentation submission, evidence verification, publication of the audit report, and certification of the audited algorithmic system based on the evaluation against normative framework requirements. The paper demonstrates the application of the proposed approach to comply with NYC Local Law 144.

The paper stresses that auditors for the criterion audit, like financial auditors, need professional values, subject matter expertise, and rigorous audit processes. It advocates for standardized audit training and suggests combining this with responsible AI education for a comprehensive understanding of complex considerations in algorithm audits.

Title: "A Framework for Assurance Audits of Algorithmic Systems"
Authors: BABL AI research team, led by Khoa Lam, Dr. Benjamin Lange, and Borhane Blili-Hamelin, PhD. Contributions from Shea Brown, Jovana Davidovic, and Ali Hasan.
External Audit Standards and Regulations
Summary
External audit standards and regulations are formal rules and frameworks that guide independent checks of an organization’s systems or financial statements to ensure they meet legal, ethical, and industry requirements. These standards help guarantee reliable audits, support transparency, and promote trust among stakeholders.
- Understand audit updates: Keep track of changes in audit standards, such as new guidance for remote audits or updated quality management requirements, to make sure your organization remains compliant.
- Strengthen auditor skills: Invest in training your audit teams on the latest digital tools, cybersecurity topics, and industry regulations to meet expanding competency expectations.
- Adopt risk-based approaches: Shift audit planning toward identifying and prioritizing higher-risk areas instead of using a one-size-fits-all checklist to improve overall assurance and compliance.
⛔ISO19011 Is Changing: What You Need to Know⛔

#ISO19011, the global standard for auditing management systems, is getting a significant update. The Draft International Standard (DIS) 19011:2025 introduces changes that will impact governance, risk, and compliance (GRC) professionals, particularly those overseeing audit functions.

➡️ What’s Changing in ISO19011?

1. Remote Auditing Is No Longer an Exception, It’s the Norm
🔷What’s new?
🔸The 2025 draft expands guidance on remote auditing, aligning with ISO/IEC TS 17012 (conformity assessment for remote audits).
🔸Organizations conducting virtual audits, hybrid audits, or remote compliance reviews will have clearer best practices.
🔷What this means for You:
🔸If your audit programs still treat remote auditing as a workaround, it’s time to formalize it.
🔸New policies and controls for virtual audits will be necessary to maintain audit credibility.

2. Stronger Risk-Based Approach to Auditing
🔷What’s new?
🔸The 2025 draft elevates risk assessment in audit planning and execution.
🔸Auditors will need to assess risks and opportunities within an audit program before conducting assessments.
🔷What this means for You:
🔸Risk-based auditing is becoming a requirement, not a best practice.
🔸Audit teams should prioritize high-risk areas, integrating audits with enterprise risk management (ERM).

3. Virtual Organizations & Digital Evidence Get Formal Recognition
🔷What’s new?
🔸The draft standard acknowledges “virtual locations”, organizations that operate without a physical footprint.
🔸New guidance covers auditing digital processes, AI-driven decisions, and cloud-based compliance programs.
🔷What this means for You:
🔸Compliance audits must adapt to digital businesses, especially in cloud security, AI governance, and fintech.
🔸Organizations will need new controls for validating digital records and automated compliance tools.

4. Auditor Competency Requirements Are Expanding
🔷What’s new?
🔸The 2025 revision strengthens competency requirements for auditors, including skills in cybersecurity, AI oversight, and remote auditing tools (Shea Brown).
🔸Training and evaluation criteria for audit teams will become more structured.
🔷What this means for You:
🔸Expect more rigorous requirements for internal and external auditors.
🔸Consider upskilling your audit teams now in digital auditing, cybersecurity compliance, and AI governance.

➡️How Should You Prepare?
◽Review Your Remote Auditing Policies – If virtual audits aren’t fully integrated into your audit program, now is the time to refine procedures.
◽Strengthen Risk-Based Audit Planning – Compliance is shifting from a checklist approach to a risk-prioritized strategy. Audit programs should align with enterprise risk frameworks.
◽Update Auditor Competency Requirements – The skills required to audit AI, cybersecurity, and remote environments will be increasingly scrutinized. Ensure your teams are trained and ready.

A-LIGN #TheBusinessofCompliance
Explainer: New US Audit Quality Management Standards. US accounting firms must act…

Four new standards are here which impact the culture and oversight of a firm, as well as the performance of audit services:

1. SQMS No. 1 - A Firm's System of Quality Management
This supersedes the previous quality control standard. It requires firms to design and implement an integrated quality management system at the firm level. This system must address eight key components including leadership, ethical requirements, acceptance/continuance decisions, engagement performance, and monitoring/remediation.

2. SQMS No. 2 - Engagement Quality Reviews
Brand new to the US standards, this sets requirements around engagement quality reviews and reviewers. It covers the documentation, roles/responsibilities, and appointment of these crucial quality gatekeepers.

3. SAS No. 146 - Quality Management for Audit Engagements
Updating previous auditing standards, this focuses on the engagement team and engagement partner’s quality responsibilities when conducting audits under US GAAS. It aligns audit-level quality policies with the new quality management system requirements.

4. SSARS No. 26 - Quality Management for Review Engagements
This standard amends SSARS No. 21 and, like the SAS above, this new standard harmonizes the quality management responsibilities for review engagements with the overarching firm-level requirements.

So, what do firm leaders need to do?

1. The engagement-level impact of these standards will (should…) be addressed by your audit methodology provider. So, ask them when their content was / will be updated for the new quality management standards. Inflo’s Digital Audit content packs already include these changes.

2. The standards also require implementation of a new Quality Management System (QMS) at a firm level. This QMS should not just help you initially comply with the standards, but also support the required monitoring and maintenance of the QMS going forward.

Lessons learnt outside the US…

Many firms used cheap resources to implement these standards overseas. And many US firms will do the same, using resources from AICPA and defaulting to trusty Microsoft Excel to build their “system”. That is OK. But firms in the UK and other countries who have already rolled out these standards found this tricky to implement, and even more difficult to maintain. As this is more complex than you think.

There is technology out there to help – Grant Thornton built a tool (QM.X) and are licensing it to other firms. CaseWare SQM is another option. And Inflo QMS is available too.

If you want to learn more about these new standards, check out our free guide!

#AuditQuality #SQMS