Question 24
Domain 5 — AI Assurance, Audit, and Responsible AdoptionAuditing Generative AI Course: Why is it important to define the audit scope in a GenAI audit?
Correct answer: A
Explanation
Defining the audit scope sets the boundaries of the review so auditors can include the “critical processes, systems, and business functions” that affect GenAI use. It also keeps the audit focused on “critical risks,” which helps prioritize the areas most likely to impact governance, compliance, and model performance.
Why each option is right or wrong
A. To ensure the inclusion of critical processes, systems, and business functions, and to focus on critical risks.
ISA 300 requires the auditor to establish the overall audit strategy and plan the audit so it is directed to the areas of greatest risk, and ISA 315 requires identification of the entity’s relevant processes, systems, and business activities to assess risks of material misstatement. In a GenAI audit, defining scope is what ensures those critical workflows, supporting systems, and business functions are actually covered, while also narrowing attention to the highest-risk issues rather than diluting effort across low-impact areas.
B. To reduce the time spent on the audit by excluding non-critical systems.
C. To ensure compliance with all organizational policies and procedures.
D. To identify all potential risks within the organization.