How many AI systems can one auditor cover in a year?

This depends on system complexity and audit depth. A full-time AI auditor can typically conduct 6 to 12 engagements per year, ranging from focused reviews to comprehensive assessments.

Should the audit program cover AI systems in development?

Yes. Pre-deployment audits are valuable for identifying compliance gaps before they reach production. Include systems in late-stage development in the audit program with appropriate scoping.

How do you handle AI systems acquired through M&A?

Acquired AI systems should be added to the audit universe immediately. Conduct a baseline assessment within 90 days of acquisition to identify compliance gaps and integration requirements.

Can the audit program be outsourced?

The execution of individual audits can be outsourced, but the organization retains responsibility for program governance, risk-based planning, and corrective action follow-up. A fully outsourced program risks losing institutional knowledge.

How does the audit program relate to the EU AI Act post-market monitoring plan?

The audit program should incorporate post-market monitoring requirements (Article 72). Monitoring activities generate evidence that auditors evaluate, and audit findings may trigger updates to monitoring plans.

Quick answer

An AI audit program is a structured, ongoing schedule of audit activities covering all AI systems based on risk, ensuring continuous compliance verification, resource efficiency, and alignment with organizational objectives and regulatory requirements.

Updated June 2026 · MmowW AI Compliance

Building an Audit Program for AI Systems: Annual Planning and Resource Allocation (2026)

What Is an AI Audit Program?

An audit program is the overarching plan that governs all audit activities across an organization's AI systems over a defined period, typically one to three years. Unlike individual audits, the program takes a portfolio view, ensuring that all AI systems receive appropriate audit attention based on their risk profile.

Program Design Principles

Risk-based: Higher-risk systems receive more frequent and thorough audits
Comprehensive: All AI systems in the inventory are covered over the program cycle
Resource-efficient: Activities are scheduled to optimize auditor availability and minimize operational disruption
Adaptive: The program adjusts to changes in the AI portfolio, regulations, and risk landscape
Documented: Program plans, execution, and results are formally recorded

Establishing the AI System Universe

The audit program begins with a complete inventory of AI systems. For each system, document the following attributes relevant to audit planning.

Attribute	Purpose
System name and version	Identification
Risk classification (EU AI Act or internal)	Audit frequency and depth
Business owner	Audit coordination
Deployment status	Scope relevance
Last audit date	Scheduling
Previous findings status	Follow-up planning
Regulatory requirements	Criteria selection

Risk-Based Scheduling

Assign audit frequency based on risk classification and other factors.

Risk Level	Audit Frequency	Audit Depth
High risk (EU AI Act Annex III)	Annually + event-triggered	Comprehensive
Medium risk	Every 18-24 months	Focused on key risks
Low risk	Every 2-3 years	Light-touch review
New deployments	Pre-deployment + 6-month post-deployment	Full lifecycle review

Event-Triggered Audits

Beyond scheduled audits, certain events should trigger additional audit activity: significant model updates, regulatory changes, reported incidents, material changes in data sources, or expansion to new markets or populations.

Resource Allocation

Team Composition

An AI audit program requires a mix of competencies. Build a resource plan that covers audit methodology expertise, AI and machine learning technical knowledge, regulatory and legal knowledge, data governance expertise, and domain expertise for specific AI applications.

Capacity Planning

Estimate audit days per engagement based on system complexity and audit depth. A comprehensive audit of a high-risk AI system typically requires 15 to 30 auditor-days. Focused reviews may require 5 to 10 days. Multiply by the number of planned engagements to determine total program capacity needs.

Annual Audit Plan

The annual audit plan specifies which audits will be conducted in the coming year, with timelines and resource assignments.

Plan Components

List of planned audit engagements with scope summaries
Timeline for each engagement (planning, fieldwork, reporting)
Auditor assignments
External audit coordination (if applicable)
Budget allocation
Follow-up activities for previous findings

Program Governance

The audit program should be approved by the AI governance committee or equivalent oversight body. Program performance should be reported regularly, including completion rates, finding trends, and resource utilization.

Program Evaluation

Evaluate the audit program's effectiveness annually using the following metrics.

Percentage of planned audits completed
Coverage of the AI system universe
Finding trends over time (improving, stable, or deteriorating)
Average time to close findings by severity
Stakeholder satisfaction with audit quality and timeliness
Regulatory acceptance of audit evidence

Continuous Improvement

Use program evaluation results to improve the next cycle. Adjust audit frequency, methodology, team composition, and resource allocation based on lessons learned. The audit program should evolve as the organization's AI portfolio and regulatory environment change.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.