Audit of AI and AI supported software solutions (AIC4 and IDW PS 861)
AI in focus: security, quality and trust. Artificial intelligence opens up enormous opportunities – but only tested systems create trust. With AIC4 or IDW PS 861 certification, you can ensure quality, transparency and compliance and position yourself as a reliable partner in the digital market.
Competent consulting:
If your cloud services involve AI services that use machine learning, have an impact on your information security or need reliable statements on security and transparency, we can support you in setting up, testing and auditing these services in accordance with BSI AIC4 and IDW PS 861.
By complying with a recognised catalogue of criteria, you can provide proof of security, quality and ethical standards to business partners and customers.
Benefit from the following advantages:
- Suitable for testing and security assessments of AI cloud services
- Minimise risks such as bias, lack of transparency and inadequate IT security
- Strengthen user trust and reputation
- Ensure compliance and governance – reliably and transparently
- Clear, standardised and traceable testing processes for cloud AI services
- Comparability and competitive advantages in supplier selection
AIC4 – Artificial Intelligence Cloud Services Compliance Criteria Catalogue
The AIC4 criteria catalogue from the German Federal Office for Information Security (BSI) sets forth security and quality requirements specifically for the provision of AI cloud services that use machine learning (ML) methods.
AIC4 defines explicit criteria for security, robustness, data quality, explainability and protection against bias over the entire life cycle of the AI service, i.e. the development, testing, validation, provision and monitoring of such services.
The aim is to present the information security of an AI cloud service in a transparent way, on the basis of a standardised test.
An AIC4 audit attests a trustworthy level of cloud and AI security to cloud service providers and cloud customers, and facilitates objective comparability of AI software solutions and AI providers.
As the AIC4 is an extension of the established BSI C5 standard, audits can be carried out in the same manner as or in addition to BSI C5.
Typical AI services from the AIC4 application area include:
- Cloud services with ML components
  - Services that actively use machine learning algorithms, e.g. for image recognition, data analysis or language processing
- Intensive or security-relevant use of ML
  - In particular, ML functionalities that can have a direct impact on confidentiality, integrity or availability
  - An audit can be useful if customers need to understand how AI affects their risk situation
- Cloud services according to the C5 definition with an AI extension
  - Every C5-compliant cloud service (e.g. IaaS, PaaS or SaaS) with an added AI component can be audited against AIC4
  - AIC4 is a voluntary supplement to C5 certification, specifically for evaluation and attestation by auditors
IDW PS 861 – Audit of AI Systems
IDW PS 861 is an auditing standard of the German Institute of Public Auditors (IDW) for the voluntary auditing of AI systems of any kind outside the audit of financial statements.
It is based on the international ISAE 3000 framework and offers a standardised audit procedure with formal requirements for acceptance of the engagement, performance of the audit, selection of criteria, documentation and issuing the audit opinion in a written audit report.
The subject matter of the audit is the description of the AI system, including the representations made in that description by the company's legal representatives as to whether the AI system described fulfils the criteria.
An audit in accordance with IDW PS 861 can be performed as an adequacy assessment at a defined point in time or as a performance audit over a defined audit period.
The objective of the adequacy assessment is to assess
- whether the description of the AI system (to be prepared by the legal representatives of the company) was prepared in all material respects in accordance with the minimum content contained in the auditing standard,
- whether the measures presented in the description of the AI system and to be implemented by the legal representatives were appropriate in all material respects and were implemented at the time of the audit.
The aim of the performance audit – over and above the adequacy assessment – is to assess whether these measures were suitable, and whether they were implemented and effective throughout the audited period.
The standard requires four central quality dimensions as the minimum for the design of the AI system:
- Ethical and legal requirements for artificial intelligence: Compliance with legal and regulatory requirements, protection of human autonomy, fairness, non-discrimination, etc.
- Traceability: Transparency and explainability of the data and AI algorithms or AI models used (e.g. documentation of decision-making paths, model maps, data origin)
- IT security: Protection of confidentiality, integrity, availability, authorisation (rights, access protection), authenticity (uniqueness of transactions carried out by the AI) and non-repudiation (the binding nature of those transactions)
- Performance capability: Robustness, consistency and target achievement of the AI in relation to the company's underlying requirements