Audital

AUDIT DEFENSE FOR AUTOMATED DECISIONING

The Global Standard for Algorithmic Governance.

Regulators demand more than intent; they demand evidence. Unstructured engineering logs (Jira/GitHub) are no longer sufficient to prove oversight during an inspection.

We execute a fixed-scope remediation to retroactively build the Audital Evidence Standard (v4) across your decision stack. We link every change to decision logic to a specific, signed executive authorisation, so that the individual Senior Manager can evidence that the approved process was followed rather than carrying the gap personally.

Jurisdiction Alignment: Structured to withstand regulatory inspection, enforcement review, and litigation scrutiny across NIST AI RMF (USA), EU AI Act (Europe), and FCA SMCR (UK).

REQUEST ENGAGEMENT LETTER

We operate on a fixed-scope basis. We execute a 5-day remediation to retroactively build the Audital Evidence Standard (v4) across your decision stack. This establishes the immutable baseline required for regulatory inspection.

INSPECTION REALITY: LIVE EVIDENCE VS. INTENT

Regulators do not audit your policy documents; they audit your active decision logs.

Inspection focuses on the specific logic version live in production at the moment of request. If you cannot produce an immutable, signed record of who authorised the code active on a transaction last Tuesday, you are non-compliant by default.

The Risk: Most enterprises fail here because they rely on fragmented engineering data (Jira tickets / GitHub commits) rather than a formal Governance Record.

The Standard: Absence of evidence is treated as evidence of absence. We ensure your record exists before the request is made.

AUDIT SCOPE & FRAMEWORKS

We benchmark your current internal controls against the Audital Evidence Standard (v4).

Our fixed-scope remediation ensures your automated decisioning aligns with the evidentiary requirements of:

  • USA: NIST AI Risk Management Framework (AI RMF)

  • UK: FCA Senior Managers and Certification Regime (SMCR) & DSIT AI guidance

  • EU: EU AI Act (Article 14 - Human Oversight)

  • Global: ISO/IEC 42001

TARGET PROFILE: HIGH-LIABILITY ENTERPRISES

This framework is exclusively for financial institutions and fintechs where Automated Decisioning creates material regulatory risk.

It applies specifically to leadership teams under the Senior Managers Regime (SMCR), EU AI Act, or Banking Vendor Oversight standards who require forensic evidence to discharge their personal liability.

ENGINEERED FOR REGULATORY DEFENSE

  • We do not rely on interviews. We conduct a forensic review of your engineering logs (Jira, GitHub, Linear) to identify exactly where your "Authoriser-to-Code" audit trail is broken. We document every instance where a logic change was deployed without a linked Senior Manager signature, quantifying your immediate exposure under SMCR and GDPR Article 22.

  • We execute the fixed-scope remediation to bridge the gap between Engineering and Compliance. We retrofit your historical decision logs with the Audital Evidence Standard (v4), ensuring that every active algorithm can be traced back to a specific human authority. This creates the "Immutable Governance Record" required for regulatory defense.

  • Compliance is not a one-time event; it is a live state. Once the baseline is established, we provide ongoing oversight to ensure your engineering velocity does not outpace your governance. We monitor for "Logic Drift", ensuring that as models and data sources change, your evidentiary record remains inspection-ready in real time.

THE INDEPENDENCE MANDATE

Internal tooling (Jira, GitHub, Datadog) monitors performance. Regulators audit governance. These are not the same.

Your engineering team cannot mark their own homework. To satisfy the "Three Lines of Defense" risk model required by banking partners, oversight must be structurally independent from the teams building the code. We provide this external validation layer without slowing down deployment velocity.

Key Regulatory Realities:

  • Evidence over Intent: Regulators do not read strategy papers. They audit Live Decision Logs. If the record does not exist at the moment of inspection, the gap is recorded as a Control Failure.

  • Non-Transferable Liability: You cannot blame the algorithm or the vendor (e.g., OpenAI/AWS). Under SMCR, accountability sits personally with the Senior Manager; under the EU AI Act, the obligations sit with the provider or deployer of the system, not with the model or cloud vendor it is built on.

  • Continuous Validation: A "point-in-time" audit is expired the moment you merge new code. Your evidentiary record must be as dynamic as your deployment cycle.

Designed for: Regulatory Inspection (FCA/PRA) & IPO Due Diligence

THE ENGAGEMENT PROTOCOL

In the absence of clear ownership and contemporaneous evidence, liability defaults to executive leadership. We reverse this exposure.

Phase 1 — The Evidence Standard Benchmark

We do not waste time on "discovery." We immediately benchmark your current internal controls (Jira tickets, Git logs, Slack approvals) against the Audital Evidence Standard (v4).

  • Deliverable: A Gap Analysis identifying exactly where the "Authoriser-to-Code" link is broken in your current stack.

  • Outcome: Confirmation of specific regulatory exposure under SMCR and GDPR Article 22.

Phase 2 — Fixed-Scope Remediation (The £25k Audit)

We execute a rapid, fixed-scope engagement to retroactively build the missing evidence layer across your historical decision logs. We do not require code changes; we overlay a governance wrapper on your existing infrastructure.

  • Deliverable: A Regulator-Ready Audit File linking every active algorithm to a human signature.

  • Standards Enforced: NIST AI RMF (USA) | EU AI Act | FCA Handbook.

  • Timeline: 5 Business Days.

Phase 3 — Continuous Audit Defense (Retainer)

Once the baseline is established, we provide the ongoing "Third Line of Defense." We conduct monthly sampled audits of your decision logs to ensure engineering velocity has not drifted from the compliance standard.

  • Deliverable: Monthly "State of Governance" Attestation for the Board Risk Committee.

  • Outcome: Audit-readiness is maintained in real time, preventing "compliance debt" from accumulating before the next inspection.

WHEN THE REGULATOR KNOCKS: MANDATORY ARTIFACTS

During an enforcement review or IPO due diligence, "intent to comply" is irrelevant. You are required to produce forensic evidence of the following immediately.

The Non-Negotiable Evidence List:

  • Governance Architecture: Signed SMR accountability maps defining exactly who owns the algorithm.

  • Traceability Records: The 'Authoriser-to-Code' link proving human oversight for every logic deployment.

  • Fairness Attestations: Evidence of bias testing signed off prior to deployment, not retrofitted afterwards.

  • Continuous Monitoring Logs: Proof that the system has not drifted from its initial compliance baseline.

The "Snapshot" Risk: Compliance is evaluated at the exact moment of inspection. If these records do not exist at the time of request, the gap is recorded as a Control Failure. You cannot remediate negligence after the fact.

Liability Reality: Under SMCR, this regulatory accountability sits personally with the Senior Manager; under the EU AI Act it sits with your firm as provider or deployer of the system. In neither case can it be outsourced to a vendor, a tool, or a third party.
