Statement 4: Enable AI Auditing

  • Writer: Bruce Mullan
  • May 14
  • 4 min read

This week I tackle Auditing. Another dry, dull topic, but there is a reason to get excited. If you audit your own systems, you are far less likely to end up untangling a complicated AI breach or, worse, sitting across the table from a regulator's auditor.


Statement 4: "Enable AI Auditing" sits within the "whole of lifecycle" requirements, meaning it applies from the moment an AI system is conceived right through to when it is turned off.

So take a deep breath and let's dig in. Auditing is a top priority and mustn't be avoided.


What Does It Mean for Your AI System to Be Auditable?

In plain terms, auditability means being able to look under the hood to see how everything hangs together. You need to know whether your systems are working as intended, and who performs the checks to confirm this.


[Image: a human performing an AI audit]

So I'll deal with the ownership structure right now. The system owner is responsible for governing the outputs of their AI system. In Finance, that would be the CFO governing the generated content, decisions and recommendations made by their Finance AI agent, in the same way they are already responsible for the work of their Finance team. BUT, if something goes wrong they can't avoid the consequences by blaming a rogue machine.

The "process of governance", which includes auditing, must be separated from the system owner. Auditing could be handled by someone in the Risk and Compliance team or your Internal Audit team if you have one.

Auditing an AI system is a new task for a Risk and Compliance team, so some training will be required.

If your AI system makes a decision that affects a customer (e.g. assessing a job application or flagging a tax return), being auditable means demonstrating a clear record of how that decision was reached, what data was used, and whether the system was operating correctly at the time. Think of it as a paper trail.

End-to-end AI auditability refers to the ability to trace and inspect the decisions and processes involved in the AI system lifecycle, enabling both internal and external scrutiny. Publishing audit results enables accountability, transparency, and trust.


Much ado about everything

You must ensure your AI systems are auditable throughout their lifecycle. This is Criterion 9 of the standard, driven by the legislation, regulation, policy and ethics principles that you must satisfy.

In practice, this means keeping thorough documentation at every stage of an AI system's life. This includes establishing documentation across the design, data, training, evaluating (testing), integrating, deploying and monitoring stages, as agreed with the system owner, demonstrating conformance with the AI technical standard.

It also means making the information and documentation produced during the lifecycle fully accessible to assist an auditor. This may include documenting and tracing decisions and requirements changes, and ensuring that both technical and non-technical information is explainable.


Who cares?

Auditability isn't just a bureaucratic checkbox; it's foundational to building trust. Auditability enables external scrutiny, supporting transparency and accountability, which is especially important when AI systems are making or informing decisions that affect people's lives.

Without proper audit trails, it becomes extremely difficult to identify when something goes wrong, who is responsible, or how to fix it. Auditability also acts as a deterrent against misuse. If everything is documented and reviewable, there is built-in accountability in every step of the process.


What Is Your AI Vendor on the Hook For?

Many companies don't build their own AI systems; they procure them from commercial vendors. Statement 4 reaches into those relationships too. Remember, a system falls under the AI definition if it makes predictions, content, recommendations, or decisions.

Where you procure third-party AI solutions from suppliers, contractual arrangements should reflect the requirements of the Technical Standard, particularly as they relate to transparency, audit, and risk management. You should also ensure comprehensive documentation and audit trails are maintained by your software vendor.

Many traditional systems will now fall under this umbrella. Many companies may already be contracted with what is now an "AI software vendor" that is currently unable to satisfy the Standard's transparency, audit and explainability requirements. This arrangement is high risk. You will need significant monitoring and incident management processes, along with scheduling a re-contracting meeting or sourcing an alternative compliant solution.

This is why governance must be built into procurement processes, not added on afterwards. I believe many companies are rushing in whilst neglecting auditability, explainability and transparency in their vendor contracts. This may come back to haunt them in the future.

The Bigger Picture

Your AI outputs cannot be generated from a black box. Statement 4 is ultimately about making sure that when a company uses AI, it can always answer the request: "Show me how this decision was made."


ABOUT ME

I believe the AI era will be an exciting, once-in-a-generation transformative opportunity. What role will AI governance play? Far more than just compliance, it helps organisations confidently adopt AI and turns governance into an operational capability. I partner with businesses to implement Australia's AI Governance Standard, enabling confident AI adoption while reducing the risk of high-profile failures.

I write all my own content; you can tell by the odd typo and occasional missing word. I use AI for my research.


To learn about my upcoming public AI Governance workshops visit: Public workshops

To learn more about AI Governance, check out my Hitchhikers Guide to AI Governance Podcast here: Hitchhikers Guide to AI Governance Podcast


[Image: Bruce Mullan hosts the Hitchhikers Guide to AI Governance podcast]