Compliant But Unsatisfactory: The Gap Between Auditing Standards and Practices for Probabilistic Genotyping Software

TL;DR

This paper examines how the design of audit standards for probabilistic genotyping software affects their effectiveness, revealing gaps between intended outcomes and actual practices through a case study.

Contribution

It analyzes the influence of audit standard design on audit effectiveness and offers recommendations to improve standard formulation and evaluation.

Findings

Gaps exist between audit standards' goals and actual auditing practices.

Vague language and undefined terms in standards hinder effective audits.

Standards can be compliant without enforcing meaningful restrictions.

Abstract

AI governance efforts increasingly rely on audit standards: agreed-upon practices for conducting audits. However, poorly designed standards can hide and lend credibility to inadequate systems. We explore how an audit standard's design influences its effectiveness through a case study of ASB 018, a standard for auditing probabilistic genotyping software -- software that the U.S. criminal legal system increasingly uses to analyze DNA samples. Through qualitative analysis of ASB 018 and five audit reports, we identify numerous gaps between the standard's desired outcomes and the auditing practices it enables. For instance, ASB 018 envisions that compliant audits establish restrictions on software use based on observed failures. However, audits can comply without establishing such boundaries. We connect these gaps to the design of the standard's requirements such as vague language and undefined terms. We conclude with recommendations for designing audit standards and evaluating their effectiveness.