AI Governance Audit Evidence Checklist

Comprehensive Evidence Guide for Internal & External Audits


Document Control

| Field | Details |
|---|---|
| Document Type | Audit Preparation Checklist |
| Applies To | All AI governance audits |
| Owner | AI Governance / Internal Audit |
| Version | 1.0 |
| Audit Types Covered | Internal, ISO 42001, SOC 2+AI, EU AI Act, Customer Due Diligence |

1. Evidence Repository Structure

/AI-Governance-Evidence/
├── 01-Governance/
│   ├── Charter/
│   ├── Meeting-Minutes/
│   ├── Policies/
│   └── Org-Charts/
├── 02-Risk-Management/
│   ├── Risk-Assessments/
│   ├── Classification-Records/
│   └── Risk-Register/
├── 03-Documentation/
│   ├── System-Cards/
│   ├── AI-BOMs/
│   ├── AIAs/
│   └── Technical-Docs/
├── 04-Operations/
│   ├── Intake-Forms/
│   ├── Approval-Records/
│   ├── Change-Requests/
│   └── Decommission-Records/
├── 05-Monitoring/
│   ├── Dashboards/
│   ├── Drift-Reports/
│   ├── Performance-Reports/
│   └── Incident-Records/
├── 06-Training/
│   ├── Completion-Records/
│   ├── Materials/
│   └── Assessments/
├── 07-Vendor-Management/
│   ├── Assessments/
│   ├── Contracts/
│   └── Reviews/
└── 08-Compliance/
    ├── Gap-Assessments/
    ├── Regulatory-Mapping/
    └── Certification-Records/

2. Governance Evidence

2.1 Policy & Charter Evidence

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| AI Governance Charter | Approved charter document | /01-Governance/Charter/ | |
| Charter approval record | Board/exec approval evidence | /01-Governance/Charter/ | |
| Enterprise AI Policy | Current approved policy | /01-Governance/Policies/ | |
| Policy approval record | Approval evidence with date | /01-Governance/Policies/ | |
| Policy version history | Change log | /01-Governance/Policies/ | |
| Policy communication | Distribution evidence | /01-Governance/Policies/ | |
| GenAI Addendum | Supplemental GenAI policy | /01-Governance/Policies/ | |

2.2 Governance Structure Evidence

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| AI Executive Board roster | Member list with roles | /01-Governance/Org-Charts/ | |
| AI Risk Review Board roster | Member list with roles | /01-Governance/Org-Charts/ | |
| Domain Steward assignments | Steward-to-domain mapping | /01-Governance/Org-Charts/ | |
| AI Risk Officer appointment | Appointment letter/record | /01-Governance/Org-Charts/ | |
| RACI matrix | Responsibility assignments | /01-Governance/Org-Charts/ | |
| Org chart | AI governance org structure | /01-Governance/Org-Charts/ | |

2.3 Meeting Evidence

| Evidence Item | Description | Frequency | Location | Status |
|---|---|---|---|---|
| AI Executive Board minutes | Meeting minutes | Quarterly | /01-Governance/Meeting-Minutes/ | |
| AI Risk Review Board minutes | Meeting minutes | Weekly | /01-Governance/Meeting-Minutes/ | |
| Domain Steward Forum minutes | Meeting minutes | Bi-weekly | /01-Governance/Meeting-Minutes/ | |
| Ethics Committee records | Review records | Ad-hoc | /01-Governance/Meeting-Minutes/ | |
| Attendance records | Meeting participation | Per meeting | /01-Governance/Meeting-Minutes/ | |
| Decision logs | Key decisions record | Per meeting | /01-Governance/Meeting-Minutes/ | |

3. Risk Management Evidence

3.1 AI Inventory Evidence

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Complete AI inventory | All registered AI systems | /02-Risk-Management/ | |
| Inventory update log | Change history | /02-Risk-Management/ | |
| Ownership assignments | Owner for each system | /02-Risk-Management/ | |
| Risk tier assignments | Classification for each system | /02-Risk-Management/ | |
| Shadow AI detection report | Discovery findings | /02-Risk-Management/ | |

3.2 Risk Classification Evidence

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Risk Classification Matrix | Current scoring matrix | /02-Risk-Management/ | |
| Classification worksheets | Per-system scoring | /02-Risk-Management/Classification-Records/ | |
| Tier assignment approvals | Approval records | /02-Risk-Management/Classification-Records/ | |
| EU AI Act categorization | High-risk identification | /02-Risk-Management/ | |
| Prohibited use screening | Screening records | /02-Risk-Management/ | |

3.3 Risk Assessment Evidence

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Algorithmic Impact Assessments | Completed AIAs | /02-Risk-Management/Risk-Assessments/ | |
| Risk register | Active risk tracking | /02-Risk-Management/Risk-Register/ | |
| Mitigation plans | Risk treatment plans | /02-Risk-Management/Risk-Register/ | |
| Residual risk acceptance | Acceptance records | /02-Risk-Management/Risk-Register/ | |
| Risk review records | Periodic risk reviews | /02-Risk-Management/Risk-Assessments/ | |

4. Documentation Evidence

4.1 System Documentation

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| System Cards | Per-system documentation | /03-Documentation/System-Cards/ | |
| AI-BOMs | Bill of materials | /03-Documentation/AI-BOMs/ | |
| Technical specifications | Architecture docs | /03-Documentation/Technical-Docs/ | |
| Training data documentation | Data lineage records | /03-Documentation/Technical-Docs/ | |
| Model provenance records | Model origin tracking | /03-Documentation/AI-BOMs/ | |
| Evaluation results | Performance testing | /03-Documentation/Technical-Docs/ | |

4.2 GPAI Documentation (EU AI Act)

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| GPAI classification records | Compute threshold analysis | /03-Documentation/ | |
| Technical documentation | Per Article 53 requirements | /03-Documentation/ | |
| Training data summary | Published summary | /03-Documentation/ | |
| Copyright compliance policy | Documented policy | /03-Documentation/ | |
| Downstream provider info | Documentation provided | /03-Documentation/ | |
| Systemic risk assessment | If applicable | /03-Documentation/ | |

5. Operational Evidence

5.1 Lifecycle Management

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Intake forms | Submitted registration forms | /04-Operations/Intake-Forms/ | |
| Approval workflows | Approval chain records | /04-Operations/Approval-Records/ | |
| Pre-production gate records | Gate passage evidence | /04-Operations/Approval-Records/ | |
| Change request records | Change management | /04-Operations/Change-Requests/ | |
| Decommission records | Retirement documentation | /04-Operations/Decommission-Records/ | |

5.2 Human Oversight Evidence

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Human oversight plans | Per High/Critical system | /04-Operations/ | |
| Override capability documentation | Override mechanisms | /04-Operations/ | |
| Human review records | Review logs | /04-Operations/ | |
| Escalation records | Escalation instances | /04-Operations/ | |

5.3 Agentic AI Controls Evidence

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Action boundary definitions | Per agentic system | /04-Operations/ | |
| Kill switch test records | Monthly test evidence | /04-Operations/ | |
| Tool whitelist documentation | Approved tools per agent | /04-Operations/ | |
| Multi-agent coordination rules | Orchestration controls | /04-Operations/ | |
| Rate limit configurations | Budget settings | /04-Operations/ | |

6. Monitoring Evidence

6.1 Continuous Monitoring

| Evidence Item | Description | Frequency | Location | Status |
|---|---|---|---|---|
| Performance dashboards | Real-time monitoring | Continuous | /05-Monitoring/Dashboards/ | |
| Drift detection reports | Model drift analysis | Weekly | /05-Monitoring/Drift-Reports/ | |
| Bias monitoring reports | Fairness metrics | Monthly | /05-Monitoring/Performance-Reports/ | |
| Accuracy reports | Performance metrics | Weekly | /05-Monitoring/Performance-Reports/ | |
| Alert logs | Triggered alerts | Continuous | /05-Monitoring/ | |

6.2 Incident Management

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Incident records | All AI incidents | /05-Monitoring/Incident-Records/ | |
| Incident response procedures | Response playbooks | /05-Monitoring/ | |
| Post-incident reviews | Root cause analyses | /05-Monitoring/Incident-Records/ | |
| Corrective actions | CAPA records | /05-Monitoring/Incident-Records/ | |
| Regulatory reports | If applicable | /05-Monitoring/Incident-Records/ | |

7. Training Evidence

7.1 Training Program

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Training curriculum | Course content | /06-Training/Materials/ | |
| Training matrix | Role-based requirements | /06-Training/ | |
| Completion records | Per-employee completion | /06-Training/Completion-Records/ | |
| Assessment results | Knowledge verification | /06-Training/Assessments/ | |
| Acknowledgment records | Policy acknowledgments | /06-Training/Completion-Records/ | |
| Refresh training records | Annual refresh evidence | /06-Training/Completion-Records/ | |

7.2 Training Metrics

| Metric | Target | Actual | Evidence |
|---|---|---|---|
| Overall completion rate | >90% | ___% | Completion report |
| Builder training completion | 100% | ___% | Role-specific report |
| Leader training completion | 100% | ___% | Role-specific report |
| Assessment pass rate | >85% | ___% | Assessment results |

8. Vendor Management Evidence

8.1 Third-Party AI Assessment

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Vendor AI inventory | All AI vendors | /07-Vendor-Management/ | |
| Risk assessments | Per-vendor assessments | /07-Vendor-Management/Assessments/ | |
| Due diligence questionnaires | Completed questionnaires | /07-Vendor-Management/Assessments/ | |
| Security certifications | SOC 2, ISO 27001, etc. | /07-Vendor-Management/Assessments/ | |
| AI governance attestations | Vendor attestations | /07-Vendor-Management/Assessments/ | |

8.2 Contractual Evidence

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| AI contract clauses | AI-specific terms | /07-Vendor-Management/Contracts/ | |
| Data usage restrictions | Training data terms | /07-Vendor-Management/Contracts/ | |
| IP indemnification | GenAI vendors | /07-Vendor-Management/Contracts/ | |
| Audit rights | Contractual audit provisions | /07-Vendor-Management/Contracts/ | |
| SLA documentation | Performance requirements | /07-Vendor-Management/Contracts/ | |

8.3 Ongoing Vendor Monitoring

| Evidence Item | Description | Frequency | Location | Status |
|---|---|---|---|---|
| Vendor performance reviews | Performance assessment | Quarterly | /07-Vendor-Management/Reviews/ | |
| Subprocessor notifications | Change notifications | As received | /07-Vendor-Management/ | |
| Vendor incident reports | Incident notifications | As received | /07-Vendor-Management/ | |
| Contract renewals | Renewal reviews | Annual | /07-Vendor-Management/Contracts/ | |

9. Compliance Evidence

9.1 Regulatory Alignment

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| NIST AI RMF mapping | Function-by-function mapping | /08-Compliance/Regulatory-Mapping/ | |
| EU AI Act gap assessment | Compliance gap analysis | /08-Compliance/Gap-Assessments/ | |
| ISO 42001 alignment matrix | Control-by-control mapping | /08-Compliance/Regulatory-Mapping/ | |
| Regulatory monitoring log | Update tracking | /08-Compliance/ | |

9.2 Audit Records

| Evidence Item | Description | Location | Status |
|---|---|---|---|
| Internal audit reports | AI governance audits | /08-Compliance/ | |
| External audit reports | Third-party audits | /08-Compliance/Certification-Records/ | |
| Audit findings tracking | Finding remediation | /08-Compliance/ | |
| Management responses | Response to findings | /08-Compliance/ | |
| Corrective action records | Remediation evidence | /08-Compliance/ | |

10. Audit-Specific Checklists

10.1 ISO/IEC 42001 Certification Audit

| Clause | Evidence Required | Location | Status |
|---|---|---|---|
| 4.1 Context | Context analysis document | /08-Compliance/ | |
| 4.2 Interested parties | Stakeholder analysis | /08-Compliance/ | |
| 4.3 Scope | AIMS scope statement | /01-Governance/ | |
| 5.1 Leadership | Management commitment evidence | /01-Governance/ | |
| 5.2 AI Policy | Approved AI policy | /01-Governance/Policies/ | |
| 5.3 Roles | Responsibility assignments | /01-Governance/Org-Charts/ | |
| 6.1 Risk actions | Risk treatment plans | /02-Risk-Management/ | |
| 6.2 AI objectives | Objectives and plans | /01-Governance/ | |
| 7.1-7.4 Support | Resources, competence, awareness, communication | /06-Training/ | |
| 7.5 Documented info | Document control procedures | /01-Governance/ | |
| 8.1 Operational planning | AI lifecycle procedures | /04-Operations/ | |
| 8.2 AI risk assessment | Risk assessment records | /02-Risk-Management/ | |
| 8.3 AI risk treatment | Treatment records | /02-Risk-Management/ | |
| 8.4 AI system impact assessment | Impact assessments | /03-Documentation/ | |
| 9.1 Monitoring | Monitoring records | /05-Monitoring/ | |
| 9.2 Internal audit | Internal audit reports | /08-Compliance/ | |
| 9.3 Management review | Management review minutes | /01-Governance/Meeting-Minutes/ | |
| 10.1 Nonconformity | NC and CAPA records | /08-Compliance/ | |
| 10.2 Continual improvement | Improvement records | /08-Compliance/ | |

10.2 EU AI Act Compliance Audit

| Requirement | Evidence Required | Location | Status |
|---|---|---|---|
| Article 5 - Prohibited | Prohibition screening records | /02-Risk-Management/ | |
| Article 6 - Classification | High-risk classification | /02-Risk-Management/ | |
| Article 9 - Risk management | Risk management system | /02-Risk-Management/ | |
| Article 10 - Data governance | Data governance documentation | /03-Documentation/ | |
| Article 11 - Technical docs | Technical documentation | /03-Documentation/ | |
| Article 12 - Record keeping | Logging and records | /05-Monitoring/ | |
| Article 13 - Transparency | User information | /03-Documentation/ | |
| Article 14 - Human oversight | Oversight documentation | /04-Operations/ | |
| Article 15 - Accuracy | Performance testing | /03-Documentation/ | |
| Article 50 - Transparency (GPAI) | AI disclosure records | /03-Documentation/ | |
| Article 53 - GPAI provider | GPAI compliance documentation | /03-Documentation/ | |
| Article 55 - Systemic risk | Systemic risk assessment | /03-Documentation/ | |

10.3 SOC 2 + AI Trust Services

| Trust Principle | AI-Specific Evidence | Location | Status |
|---|---|---|---|
| Security | AI security controls | /03-Documentation/ | |
| Availability | AI system availability metrics | /05-Monitoring/ | |
| Processing Integrity | AI accuracy and reliability | /05-Monitoring/ | |
| Confidentiality | AI data protection | /03-Documentation/ | |
| Privacy | AI privacy controls | /03-Documentation/ | |
| AI-specific | AI governance program | /01-Governance/ | |

10.4 Customer Due Diligence

| Common Request | Evidence to Provide | Location | Status |
|---|---|---|---|
| AI governance program | Executive summary + Charter | /01-Governance/ | |
| AI risk management | Risk framework + sample AIA | /02-Risk-Management/ | |
| AI security | Security controls documentation | /03-Documentation/ | |
| Data handling | Data governance documentation | /03-Documentation/ | |
| Vendor management | Third-party AI assessment process | /07-Vendor-Management/ | |
| Incident response | Incident response procedures | /05-Monitoring/ | |
| Training program | Training curriculum + completion rates | /06-Training/ | |
| Certifications | SOC 2, ISO 27001, ISO 42001 | /08-Compliance/ | |

11. Evidence Quality Standards

11.1 Evidence Requirements

| Attribute | Standard |
|---|---|
| Completeness | All required elements present |
| Accuracy | Reflects actual state |
| Currency | Within validity period |
| Authorization | Properly approved |
| Traceability | Linkable to controls |
| Integrity | Tamper-evident |

11.2 Document Control Requirements

| Requirement | Standard |
|---|---|
| Version control | Clear version numbering |
| Approval records | Approver name, date, signature |
| Review dates | Current review within policy period |
| Change history | Documented changes |
| Access control | Appropriate permissions |
| Retention | Per retention schedule |

12. Pre-Audit Preparation Checklist

12.1 30 Days Before Audit

| Task | Owner | Status |
|---|---|---|
| Confirm audit scope and schedule | AI Risk Officer | |
| Identify evidence owners | AI Risk Officer | |
| Review previous audit findings | AI Risk Officer | |
| Update evidence repository | Evidence owners | |
| Verify document currency | Evidence owners | |

12.2 14 Days Before Audit

| Task | Owner | Status |
|---|---|---|
| Complete evidence gap assessment | AI Risk Officer | |
| Address identified gaps | Evidence owners | |
| Brief key stakeholders | AI Risk Officer | |
| Prepare interview participants | AI Risk Officer | |
| Test evidence access | Evidence owners | |

12.3 Day Before Audit

| Task | Owner | Status |
|---|---|---|
| Final evidence verification | AI Risk Officer | |
| Confirm logistics | AI Risk Officer | |
| Prepare opening presentation | AI Risk Officer | |
| Brief executive sponsor | AI Risk Officer | |

13. Sample Evidence Index

13.1 Evidence Cross-Reference

| Control ID | Control Name | Primary Evidence | Supporting Evidence |
|---|---|---|---|
| GOV-001 | AI Policy established | Policy document | Approval record, communication |
| GOV-002 | Governance bodies formed | Org chart, rosters | Meeting minutes |
| RISK-001 | AI inventory maintained | Inventory database | Update logs |
| RISK-002 | Risk classification applied | Classification matrix | Tier assignments |
| DOC-001 | System Cards completed | System Card repository | Review records |
| OPS-001 | Intake process followed | Intake forms | Approval workflows |
| MON-001 | Continuous monitoring | Dashboards, reports | Alert logs |
| TRN-001 | Training completed | Completion records | Assessment results |
| VND-001 | Vendors assessed | Assessment records | Questionnaires |

Document Version: 1.0
Owner: AI Governance / Internal Audit
Next Review: [Date + 1 year]


Preparation Certification

| Role | Name | Date | Signature |
|---|---|---|---|
| AI Risk Officer | | | |
| Internal Audit | | | |
| Legal/Compliance | | | |

CODITECT AI Risk Management Framework

Document ID: AI-RMF-23 | Version: 2.0.0 | Status: Active


AZ1.AI Inc. | CODITECT Platform

Framework Alignment: NIST AI RMF 2.0 | EU AI Act | ISO/IEC 42001


This document is part of the CODITECT AI Risk Management Framework. For questions or updates, contact the AI Governance Office.

Repository: coditect-ai-risk-management-framework Last Updated: 2026-01-15 Owner: AZ1.AI Inc. | Lead: Hal Casteel