
Getting through an internal audit

The internal audit requirements for ISO 42001 are based on Clause 9.2, which mandates a risk-based audit program, competent and independent auditors, documented audit evidence, and clear follow-up on nonconformities and improvement actions. Treat it like an ISO 27001-style internal audit, but with AI-specific scope, risks, lifecycle controls, and impact assessments.
What clause 9.2 expects
  • You must plan and implement one or more internal audits at planned intervals to check AIMS conformity with ISO 42001 and your own requirements.
  • Auditors must be objective and impartial, meaning they cannot audit activities they are directly responsible for.
  • Audit results (including reports, nonconformities, and corrective actions) must inform management reviews and drive continual improvement under clauses 9 and 10.
Scoping your internal audit
  • Define the AIMS scope in line with clause 4.3: which AI systems, business processes, locations, and supporting services are in.
  • Ensure the scope encompasses all AI lifecycle stages (design, data, modeling, deployment, monitoring, and retirement) and the relevant Annex A control areas, including risk/impact assessment, transparency, human oversight, and data management.
Evidence auditors typically sample
Auditors will look for evidence that your AI Management System (AIMS) is defined, implemented, and operating effectively. This usually includes:
  • AIMS documentation demonstrating intent and governance: approved policies, procedures, defined roles and responsibilities, risk and impact assessment methodologies, and oversight forums aligned to ISO 42001 clauses 4–8.
  • Operational evidence showing the system in use: completed AI risk and impact assessments (A.5), data provenance and quality controls (A.7), bias and performance testing results, human-in-the-loop approvals, incident and issue logs, access controls, and model change/approval records.
Running the internal audit
  • Prepare: Define a clear audit plan covering objectives, scope, criteria (ISO 42001 requirements mapped to your internal controls), auditees, and timing. Use clause-level checklists to ensure every “shall” requirement is assessed.
  • Execute: Validate both conformity and effectiveness by interviewing control owners, reviewing records, and observing how controls operate in practice. The focus is on whether the AIMS is actually guiding AI risk management, not just whether documents exist.
Handling findings and “getting through”
  • Classify findings into conformities, minor nonconformities, major nonconformities, and observations, and document them clearly with evidence and clause references.
  • For each nonconformity, perform a root cause analysis, define corrective actions with owners and timelines, implement and document the fixes, and maintain proof for your external audit.
