AI-READINESS AUDIT · SERVICE
AI-Readiness Audit: where your business stands with AI today – clarified in one to five days
Stack scan, data-protection check, three prioritised use cases. Report plus 90-min debrief. Light from CHF 1,700, Deep CHF 3,900.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is an AI-Readiness Audit?
An AI-Readiness Audit is a short, focused assessment. We check where artificial intelligence actually helps your business – and where it does not. Three building blocks: stack scan (which systems, data, and interfaces exist), data-protection check of your existing tools (vendor data flow, hosting location, data-processing agreements) and three prioritised use cases with a cost-benefit calculation.
The audit is deliberately not a consulting marathon. Light (1 to 2 days, CHF 1,700) is the management view for a director facing an investment decision. Deep (3 to 5 days, CHF 3,900) is the technical variant when IT leads need a verifiable report. Alongside sits the Discovery Workshop (1 day, CHF 2,200) as a joint working session with management and key staff.
The audit is not a certificate. It is also not a substitute for an ISO/IEC 42001 examination (see "When not"). It is a clearly scoped tool for the moment when you want to know whether, where and how AI pays off – before you brief external consultants or pick a vendor.
Why it matters
Most AI projects in Swiss SMEs start without an assessment. The result: a workshop, a PDF, a recommendation – and afterwards nothing is put into operation. Or worse: you buy a tool that sends client data to US cloud services, and only notice you have a problem after the data-protection inquiry.
An audit breaks this loop at three points. First, it produces an honest inventory: which processes are actually suitable for AI, and which are not. Many are not – and knowing that saves money. Second, it puts the data-protection question BEFORE the tool choice: which data may which model see? Which vendors meet the new Swiss data-protection act (revDSG, in force September 2023) and the EU AI Act (Regulation 2024/1689, high-risk rules from August 2026)?
Third, it prioritises. We do not hand over "ten ideas" – we deliver three use cases with effort, expected saving and risk. That is the basis for a management decision in 30 minutes, not three meetings. The Swiss Federal Statistical Office reports that in 2024 about 16 percent of Swiss firms used AI, with a clear lead for large companies – the SME gap is real, and slide decks do not close it.
How the audit runs
The audit runs in four blocks, spread across one to five working days.
Block 1 – Kickoff (60 min): We listen. What is on your operational plate? Where does time get lost? What have you already tried? We sign a short NDA, gather access requests and set the scope.
Block 2 – Stack scan (asynchronous, half a day to a full day): We inventory the systems in use – CRM, accounting, mail, document storage, line-of-business apps. This includes hosting location, SaaS vendors, available API interfaces, and data classification (public, internal, confidential, professional secrecy).
Block 3 – Data-protection check (half a day to a full day; Deep adds vendor data-flow mapping): Which tools send which data where? Which contracts exist (data processing, data export)? Where are revDSG and EU AI Act gaps? In Light this is a heatmap; in Deep it is a detailed vendor data-flow diagram.
Block 4 – Use-case workshop and debrief (90 min): We present three prioritised use cases, with effort estimated in days, expected savings per month or quarter, and risk classification. Then we discuss with management. You receive the report (8 to 40 pages depending on variant) plus a risk heatmap as PDF and as editable Markdown. You can keep working with it – even without us.
Audit workflow in 6 steps
- 01 Kickoff (60 min): NDA, scope, access requests, key people.
- 02 Stack scan: inventory of CRM, accounting, mail, document storage, line-of-business apps.
- 03 Data-protection check: vendor data flow, hosting location, revDSG and EU AI Act gaps.
- 04 Use-case long list: 8 to 15 candidates from stack scan and client conversation.
- 05 Prioritisation: 3 top use cases with effort, savings and risk classification.
- 06 Debrief (90 min): report, risk heatmap, recommendations – jointly with management.
When the audit makes sense
An audit makes sense when (a) you sense that AI is "coming" but do not know where to start, (b) a vendor has offered you a tool and you want a second opinion, (c) a client or industry body asks about your AI strategy, or (d) you want to invest but the cost-benefit is unclear.
Concrete triggers we have seen over the past months: a fiduciary office with 12 mandates that wants to standardise client onboarding. A law firm with 30 years of correspondence that needs a searchable client memory. An industrial SME with three sites that wants to automate mail triage and lead routing. In all three cases the first step was an audit – not a tool purchase.
The audit is also useful before an ISO/IEC 42001 certification. We do not deliver the certificate, but we deliver the technical layer (data flow, vendor list, risk heatmap) that an auditor and lawyer expect for the formal examination. That saves three to six weeks of prep work.
When not
An audit is the wrong choice if you need a formal ISO/IEC 42001 certification – we are not an auditor for that. ISO 42001 (the 2023 standard, EN version 2026) is a certifiable management system with 10 clauses and 39 controls. It requires an accredited body (BSI, KPMG, A-LIGN and others). We deliver the prep work, not the certificate.
The audit is also the wrong choice if you are looking for pure legal advice. We do not produce a data-protection ruling, a legal opinion on DSG conformity, or a FINMA assessment. For legally binding statements we work with a Swiss law firm – the audit then provides the technical basis on which the firm builds its opinion.
And the audit is the wrong choice if you only need an implementation quote. If your use case is already clear ("we want a WhatsApp bot for appointment booking"), jump straight to the corresponding service module. The audit is worth it when the question is "is it worth it at all – and if so, where first?" With a clear use case it is a detour.
Trade-offs
STRENGTHS
- Fixed price, clear scope – no consulting-hours trap
- Three prioritised use cases with effort vs. benefit, not ten ideas
- Data-protection check before tool choice – no US cloud lock-in
- The report belongs to you, in PDF and editable Markdown
- Pre-work for ISO 42001 certification if later required
WEAKNESSES
- No certificate – for formal ISO 42001 you need an accredited body
- No legal opinion – for DSG rulings we partner with a law firm
- A detour when the use case is already clear – book the service module directly
- Often over-sized for micro-businesses under 5 people
FAQ
How much time do I need to invest as a director?
For Light: about 2 hours spread across the audit (kickoff plus debrief). For Deep: 2 to 3 hours plus a short introduction round with key staff. We do the rest asynchronously – no workshop-marathon weeks.
Why not go straight to ISO 42001 certification?
Because an ISO 42001 certification takes 3 to 9 months and costs CHF 20k to 60k – worth it when your clients or industry require it. For most Swiss SMEs it is disproportionate today. The audit is the step before: it clarifies whether certification is worth it at all – and which gaps need closing first.
What about the report – does it stay with you?
No. The report belongs to you. You receive it as a PDF and as editable Markdown. You can pass it on internally, hand it to another consultancy or shelve it. We retain an anonymised lessons-learned note for our knowledge base, nothing identifying.
What if the audit recommends doing nothing?
Then we say so. In two mandates over the past months we recommended exactly that – because maturity was too low or the cost-benefit too poor. That is part of the "no sales pressure" promise. An honest no saves you four- to five-figure follow-on costs.
Sources
- ISO/IEC 42001:2023 – AI Management Systems (official standard page) · 2026-03
- EN ISO/IEC 42001:2026 – European adoption catalogue entry · 2026-04
- KPMG Switzerland – ISO/IEC 42001 for AI governance · 2026-02
- Lorikeet Security – ISO/IEC 42001 Deep Dive 2026 · 2026-03
- EUR-Lex – Regulation (EU) 2024/1689 (EU AI Act) · 2024-07