How to Prepare for an EU AI Act Internal Audit in 4 Weeks
A structured four-week preparation plan for your EU AI Act internal audit: from building your AI system inventory in week one to producing a prioritised action report in week four. Includes deliverables, responsible parties, and tools for each phase.
Internal audits are not optional under the EU AI Act. Article 9 requires providers of high-risk AI systems to maintain a quality management system that includes internal audit mechanisms. For deployers, Articles 26(5) and 26(7) establish continuous monitoring and internal review obligations that only make sense if someone is periodically and systematically verifying compliance.
But "audit" is a word that can paralyse teams as easily as it can protect them. The purpose of this guide is to make the preparation phase concrete: four weeks, four deliverables, and a clear set of responsibilities that fit within normal organisational capacity. This is not a full audit methodology — it is a preparation plan that allows a competent team to enter an audit with confidence rather than improvisation.
If you have not yet read our earlier piece on the ten key questions your internal auditor should ask (article 20 in the DILAIG blog series), that is useful background before beginning week three.
Week 1 — AI System Inventory
Objective: Know what AI systems your organisation uses, where, and in what role.
You cannot audit what you have not mapped. Organisations consistently underestimate the number of AI systems in active use. Many have been procured by individual departments without central visibility. The inventory phase is therefore more a discovery exercise than an administrative one.
Method
Start from three sources simultaneously:
- Procurement and IT asset records: Pull all software contracts from the past three years that include any reference to machine learning, predictive analytics, automated decision-making, recommendation engines, or algorithmic scoring.
- Departmental self-declaration: Send a short questionnaire (five questions maximum) to each business unit asking: Do you use any tool that produces automated recommendations or decisions? Does it involve individual-level outputs? Is it externally provided or internally built?
- High-risk Annex III cross-check: For each system identified, check whether its use case maps to the eight categories in Annex III of the EU AI Act (biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, administration of justice). Any match warrants deeper review.
Who to involve
- IT / CISO team (asset records, vendor contracts)
- HR, Legal, Finance, Operations department heads (self-declaration)
- Compliance or DPO (GDPR overlap identification)
- Procurement (contract review)
Template
A simple spreadsheet with the following columns is sufficient for week one: System name | Vendor | Business unit | Use case description | Annex III category (if any) | Internally built or externally procured | Data subjects involved (yes/no) | Current documentation held.
Week 1 Deliverable
A draft AI system inventory listing every AI tool in use, with Annex III flags where applicable. This becomes the scope document for the rest of the audit.
Week 2 — Risk Classification
Objective: Assign a regulatory risk level to each system in the inventory.
The EU AI Act's four-tier risk model (prohibited / high / limited / minimal) is defined in Articles 5, 6, and 7, and in Annexes I and III. Classification is not always straightforward — a single AI system can serve multiple use cases, some of which trigger high-risk classification while others do not.
Classification Decision Tree
Work through each system using the following logic:
- Is it prohibited? Review Article 5 (social scoring, real-time remote biometric identification in public spaces, subliminal manipulation, exploitation of vulnerabilities). If yes, halt deployment immediately and escalate to legal counsel.
- Is it a general-purpose AI model? If the system is a foundation model or a model integrated into multiple downstream products, Articles 51–55 apply separately. Flag for GPAI-specific review.
- Does it fall under Annex III? If the use case matches any of the eight Annex III categories, it is provisionally high-risk. Apply the de minimis test from Article 6(3): if the system merely performs a narrow preparatory task with no direct effect on a substantive decision, it may be exempt.
- Does it involve transparency obligations only? Systems that generate synthetic content, interact with users as chatbots, or produce deep fakes are subject to Article 50 disclosure requirements but are not high-risk unless they also meet Annex III criteria.
- Everything else: Minimal risk. No mandatory obligations beyond general good practice.
Documentation
For each classified system, record: classification outcome, the specific Annex III entry or Article 5 provision relied upon (or the reason for exclusion), and the date of classification. This record is foundational evidence in any supervisory inquiry.
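The classification decision tree above and the record that the Documentation step asks for, worked through in code. This is an added example, not the article's or DILAIG's own tooling; the field names, the Annex III lookup set, the sample systems and the classification date are assumptions constructed for the illustration. It also handles the multi-use-case point from the introduction to this week: each use case is classified separately and the highest tier sets the system's tier, with the exclusion reason kept for use cases that drop out under Article 6(3).

```python
from dataclasses import dataclass
from datetime import date

# Annex III areas as enumerated in this article (constructed lookup, not the Act's full text).
ANNEX_III_AREAS = {"biometric identification", "critical infrastructure", "education", "employment",
                   "essential services", "law enforcement", "migration", "administration of justice"}
TIER_RANK = {"minimal": 0, "limited": 1, "high": 2, "prohibited": 3}

@dataclass
class UseCase:
    description: str
    article_5_practice: str = ""      # set when the use matches an Art. 5 prohibited practice
    annex_iii_area: str = ""          # one of ANNEX_III_AREAS, or empty
    narrow_preparatory: bool = False  # Art. 6(3): narrow preparatory task, no effect on the decision
    transparency_only: bool = False   # Art. 50: chatbot, synthetic content, deep fake

def classify_use_case(uc):
    """Walk one use case through the decision tree; return (tier, provision or exclusion reason)."""
    if uc.article_5_practice:
        return "prohibited", f"Art. 5: {uc.article_5_practice}"
    exclusion = ""
    if uc.annex_iii_area:
        assert uc.annex_iii_area in ANNEX_III_AREAS, f"unknown Annex III area: {uc.annex_iii_area}"
        if not uc.narrow_preparatory:
            return "high", f"Annex III: {uc.annex_iii_area}"
        exclusion = f"Annex III ({uc.annex_iii_area}) excluded under Art. 6(3); "
    if uc.transparency_only:
        return "limited", exclusion + "Art. 50 transparency obligations"
    return "minimal", exclusion + "no Annex III or Art. 5 match"

def classify_system(name, use_cases, classified_on, general_purpose_model=False):
    """Highest tier across use cases wins; a GPAI model (Arts. 51-55) is only flagged. Returns the register record."""
    outcomes = [(uc.description,) + classify_use_case(uc) for uc in use_cases]
    top_desc, tier, basis = max(outcomes, key=lambda o: TIER_RANK[o[1]])
    record = {"system": name, "classification": tier, "provision": f"{basis} ({top_desc})",
              "classified_on": classified_on.isoformat(), "gpai_review": general_purpose_model,
              "use_case_outcomes": [{"use_case": d, "tier": t, "basis": b} for d, t, b in outcomes]}
    if tier == "prohibited":
        record["action"] = "halt deployment; escalate to legal counsel"
    return record

# Constructed sample inventory entries (not real systems), classified into a week-two register.
REGISTER = [
    classify_system("Candidate screening suite", [
        UseCase("ranks applicants for interview", annex_iii_area="employment"),
        UseCase("extracts text from uploaded CVs", annex_iii_area="employment", narrow_preparatory=True),
    ], date(2025, 1, 15)),
    classify_system("HR support chatbot", [UseCase("answers policy questions", transparency_only=True)], date(2025, 1, 15)),
    classify_system("Vendor LLM platform", [UseCase("drafts internal memos")], date(2025, 1, 15), general_purpose_model=True),
]
```

Each record in `REGISTER` carries the outcome, the provision or exclusion reason relied upon, and the classification date, which is the evidence set the Documentation step asks you to retain.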
Who to involve
- Legal / compliance (final classification sign-off)
- Business unit owner (use case clarification)
- DPO (data subject impact assessment overlap)
Week 2 Deliverable
A classified AI system register: every system assigned to a risk tier, with written justification and sign-off from legal or compliance.
Week 3 — Gap Analysis Against EU AI Act Requirements
Objective: For each high-risk system, identify what is required, what exists, and what is missing.
This is the core analytical work of the preparation process. A gap analysis is a structured comparison between what the regulation requires and what your organisation currently has in place.
Evaluation Grid
Build a grid with the following rows for each high-risk system. Rate each as Compliant / Partial / Non-compliant / Not applicable.
| Requirement | Article | Current Status | Evidence Held | Gap |
|---|---|---|---|---|
| Risk management system | Art. 9 | | | |
| Data governance | Art. 10 | | | |
| Technical documentation (Annex IV) | Art. 11 | | | |
| Record-keeping / logging | Art. 12, Art. 19 | | | |
| Transparency to users | Art. 13 | | | |
| Human oversight measures | Art. 14 | | | |
| Accuracy, robustness, cybersecurity | Art. 15 | | | |
| Deployer obligations (Art. 26) | Art. 26 | | | |
| Fundamental Rights Impact Assessment | Art. 27 | | | |
| EU database registration | Art. 71 | | | |
Ten Key Questions (cross-reference to DILAIG article 20)
Our earlier article on internal AI Act audits identifies ten diagnostic questions that expose the most common compliance gaps. At minimum, your week three review should answer:
- Do we have Annex IV technical documentation for this system?
- Do we hold the EU Declaration of Conformity from the provider?
- Is the system registered in the EU database?
- Are human oversight measures formally documented and trained?
- Do we have a process for notifying serious incidents to the supervisory authority?
The answers to these five questions alone will reveal whether a system is materially compliant or requires urgent remediation.
Who to involve
- Compliance / legal (regulatory interpretation)
- System owner / IT (technical documentation)
- HR or relevant department head (oversight procedures)
- External legal counsel (if classification is contested)
Week 3 Deliverable
A completed gap analysis grid for each high-risk system, with an overall compliance status summary (number of requirements rated Compliant / Partial / Non-compliant per system, using the same scale as the evaluation grid).
Week 4 — Prioritisation and Internal Audit Report
Objective: Turn the gap analysis into a prioritised action plan and a written report that can be presented to senior management and used as evidence of good-faith compliance.
Prioritisation Logic
Not all gaps are equal. Use a two-dimension matrix:
- Regulatory severity: Critical (directly required by binding article, high fine risk) / Important (required but with some discretion in implementation) / Recommended (best practice, not explicitly mandated).
- Implementation effort: Low (under one week, no third-party dependency) / Medium (two to four weeks, internal coordination required) / High (requires provider cooperation, new tooling, or structural change).
Focus resources first on Critical-Low and Critical-Medium gaps. Critical-High gaps should be escalated to management with a defined remediation plan and timeline.
Internal Audit Report Structure
The report does not need to be lengthy. A well-structured 10–15 page document is more useful than a 100-page binder that no one reads. Recommended structure:
- Scope and methodology: What systems were reviewed, what framework was used, who was involved, what period is covered.
- Inventory summary: Number of systems identified, risk tier distribution.
- Key findings: Top five gaps across the system portfolio, with regulatory references.
- System-level findings: One page per high-risk system — classification, gap analysis summary, compliance status.
- Action plan: Prioritised list of remediation actions, with responsible person, target date, and success criterion.
- Residual risks: Gaps that cannot be closed before the compliance deadline, with mitigating measures.
- Sign-off: Review and approval by DPO, legal counsel, and senior management.
Who to involve
- Compliance or legal (report drafting, sign-off)
- DPO (GDPR overlap sections)
- Senior management / board (approval, resource allocation for remediation)
- CISO (cybersecurity and logging sections)
Week 4 Deliverable
A signed internal audit report with an appended prioritised action plan. This document should be retained for at least three years and produced on request to market surveillance authorities.
After the Four Weeks
The internal audit report is a starting point, not an endpoint. The action plan it generates requires owners, deadlines, and a tracking mechanism. We recommend a 30-day quick-win sprint focused on Critical-Low gaps immediately after the report is signed, followed by monthly progress reviews against the full action plan.
For providers of high-risk systems, the audit process feeds directly into the conformity assessment (Article 43) and must be reflected in the updated technical documentation. For deployers, it feeds into the Article 26 compliance framework and, where applicable, the Fundamental Rights Impact Assessment under Article 27.
DILAIG supports each phase of this four-week process — from automated inventory templates to gap analysis scoring and report generation. Reduce four weeks to four days. Start at dilaig.com.