Obtaining Assurance Regarding Your AI Processes: How It Works

AI Assurance in a SOC2 Report 

With the growing use of AI within business processes, the need to manage AI systems in a responsible and controlled way is increasing. As AI becomes more embedded in operations, organizations will be expected by the market (and under the AI Act) to obtain assurance regarding their AI processes. BDO can provide support in achieving assurance. In the past reporting year, we have already issued assurance reports covering AI-related processes.

To be able to provide assurance regarding AI processes, your organization must have internal controls in place regarding the AI system, even if AI is only integrated into your processes and not developed in-house. This AI management system can be structured using ISO 42001. Below we describe how ISO 42001 provides a structure for an AI Management System (AIMS), as well as the legal requirements of the AI Act.

ISO 42001: A Structured Approach to AI Management Systems 

ISO 42001 is the first international standard specifically designed for AI Management Systems (AIMS). The standard provides guidance for the ethical and transparent development, implementation, and management of AI systems. It covers essential elements such as risk assessments, governance, documentation, and continuous improvement. This guidance can be integrated into an existing internal control environment, but doing so requires a thorough risk analysis and a mapping of controls against ISO 42001 to create a solid governance foundation.

The internal control measures can be incorporated into a SOC2(+) report, enabling the organization to report on the AI management system. 

The AI Act: Regulatory Framework for AI in Europe 

The AI Act, partly enforced since February 2025, introduces a risk-based approach to regulating AI systems. High-risk applications, such as CV-screening algorithms or facial recognition, must comply with strict requirements related to transparency, data governance, and conformity. Organizations that have embedded AI must align their internal controls with these regulatory expectations. ISO 42001 provides operational guidance that aligns closely with these legal obligations.

AI as Part of SOC2+ Assurance 

Although SOC2(+) traditionally focuses on IT systems and data security, AI is increasingly included in the scope of assurance engagements. There is a growing need to explicitly address AI-related risks, which presents a challenge for many organizations. BDO can support you in this process. For guidance, you can contact our Technology Risk Assurance team.
