Audit-related AI governance assessments & reviews

The use of AI is resilient if it is controllable, traceable and verifiable

I assess AI use cases and AI governance structures with the eye of an auditor: according to the criteria of materiality, risk and evidence. The result is not an endless consulting project, but a reliable picture. At fixed prices, without cost risk.

Use cases in the financial sector

Structuring AI use cases in finance and controlling, and assessing their suitability for approval and audit.

Company-wide governance

Assessing company-wide AI governance regarding responsibilities, control gaps and auditability.

What I judge every use case and every governance structure by

Not every AI use case is equally risky. What matters is how relevant the AI application is for decision-making, reporting or compliance, and whether it is documented in such a way that its procedures remain comprehensible and demonstrable if doubts arise.

    Materiality

    How relevant is the use case for decisions, reporting or compliance?

    Risk

    What governance and control requirements arise from the use of AI? And what error and detection risks arise?

    Evidence

    Are roles, approvals, change management and human intervention comprehensibly documented and verifiable?

    "Audit-related" means: I assess according to the same standards that would be applied in an annual financial audit – focusing on traceability, appropriateness or effectiveness, and verifiability. Not as a formal audit, but as a systematic, independent evaluation.

      Ready for a first conversation?

      Within 30 minutes, we can clarify whether and how I can usefully support you.

      Achim Korten | Auditor
      Certifications: EU AI Act · ISO/IEC 27001:2022 + 42001:2023
      Publisher of the LinkedIn newsletter „AI Governance Compass“

      AI in the financial sector: controllable, releasable, auditable

      AI accelerates planning, reporting, and analysis. At the same time, the risk increases that results cannot be clearly classified or released later, or that internal and external auditors will ask questions that no one can answer.

      An audit-related assessment of AI governance shows whether your AI use cases are reliably documented, clearly accountable and compatible with external requirements.

      Typical use cases:

        • Draft reports/Management comments
        • Forecasting and planning aids
        • Deviation analyses
        • Release templates
        • AI-supported controlling analyses
        • Analyses relevant to valuation

      Three performance levels for evaluating the use case

      Initial assessment UC

      One use case.

      Initial identification and categorisation of gaps and fields of action.

      Assessment of accounting relevance.

      Duration: a few days

      UC analysis

      One or more use cases.

      Structured analysis of objectives, responsibilities, risks, documentation capability.

      Assessment of relevance for the annual financial statement audit.

      Duration: 1-2 weeks (depending on the number of use cases)

      Audit-related assessment UC

      One or more use cases.

      Traceability, control, evidence.

      Assessment of audit risk.

      Duration: 2-4 weeks (depending on the number of use cases)

      Your benefit

      Robust governance, more trust in AI-supported decisions, and a better interface to internal audit, compliance and external audit.

      A fixed price is agreed for each of the service packages. This means there is no cost risk for you.


        AI Management System: Make governance gaps visible before others do

        In governance and audit contexts, it is increasingly not just about individual AI use cases. It is equally relevant whether AI applications are embedded in a resilient governance environment: with clear roles, defined change control, standardised documentation requirements, adapted and effective control systems and traceable decisions.

        A systematic analysis of your AI governance makes these aspects visible and assessable. It shows whether the approach practised is viable both on paper and in practice, whether it is incomplete, or whether - on closer inspection - it is not sufficiently evidence-based after all.

        Selected test fields

          • Model owner and substitution rules
          • Stop and override mechanisms
          • Release regulations
          • Logging / Audit Trail
          • Change control

        Typical documentation of results

          • Traffic light status per use case with justification
          • Identification and risk indication of control gaps
          • Assessments of verifiability and/or auditability
          • Suggestions for improvement measures
          • Management summary for the company management

        Three performance levels for assessing AI governance

        Initial assessment GO

        Compact entry point.

        Overview of existing governance regulations.

        Initial identification and categorisation of gaps and fields of action.

        Structured interview with the person responsible for governance.

        Duration: a few days

        GO analysis

        In-depth review.

        Analysis of governance structures, documentation, processes, risk management.

        Clear overall picture.

        Structured interviews.

        Duration: 1-2 weeks (depending on company size)

        Audit-related assessment GO

        Assessment in the style of an annual audit.

        Traceability, risk management, appropriateness/effectiveness of controls, verifiability of the AI governance approach.

        Duration: 2-4 weeks (depending on company size)

        Target audience

        Company management, supervisory bodies, capital providers, potential investors, compliance officers and internal audit. In general, any company that already uses AI in decision-making processes or is preparing to do so.

        A fixed price is agreed for each of the service packages. This means there is no cost risk for you.


          Frequently asked questions

          1) How does an initial assessment take place?

          Once the scope of services has been defined, you receive a list of the documents to be provided. These are analysed and supplemented by a compact interview. The result is a concise report on the findings and, where appropriate, suggestions for improvement.

          2) What if documents are missing?

          A complete set of documentation is not required. Missing evidence is transparently categorised as a gap. That alone is already a useful finding.

          3) How long does it take?

          This depends on the agreed scope of services, and also on your preparation and the availability of the relevant contact persons. Ideally, even larger scopes of services can be completed within four weeks.

          4) Does this also make sense for medium-sized companies?

          Yes. In the medium-sized business sector in particular, risks often arise from unclear responsibilities and a lack of evidence. A pragmatic governance framework helps to operate AI stably and verifiably at both the use case and company levels.

          5) What happens to the data and information received?

          Data is exchanged with you via secure connections. In principle, all data storage is protected against access by third parties. I only use European IT infrastructure for data storage.