
Preparing for an ISO 42001 internal audit

ISO 42001 requires periodic internal audits of the AI management system. This piece defines what an internal audit must cover, what evidence auditors look for, and the gaps that appear most often in organisations preparing for their first audit.

Drel Research, 11 min read

ISO 42001 Clause 9.2 requires the organisation to conduct internal audits at planned intervals to determine whether the AIMS conforms to the standard's requirements and is effectively implemented and maintained. For organisations pursuing certification, the internal audit is the final self-assessment before the certification body arrives. For those maintaining conformance, it is the primary mechanism for finding and correcting gaps before they compound.

This piece defines what an ISO 42001 internal audit must cover, how to structure the audit programme, what evidence to prepare for each clause, and the gaps that appear most often in first-cycle internal audits.

Why internal audit is required

ISO 42001 Clause 9.2 requires internal audit as the check step in the plan-do-check-act cycle. Its purpose is to verify that the management system is not just documented but operating: that processes run, records are maintained, and the system is improving. An AIMS that has never been internally audited cannot demonstrate that it is more than a collection of policies.

The internal audit also serves as a rehearsal for the certification audit. The questions an internal auditor asks — show me the risk register, show me the treatment plan, show me the management review record — are the same questions a certification body auditor will ask. Finding gaps internally gives the organisation time to correct them before the external audit.

What auditors look for

An ISO 42001 internal auditor is testing three things in sequence:

Documented conformance. Does the management system have the documented information the standard requires? Does a policy exist? Is the scope document current? Does the risk register cover all systems in scope? Are treatment plans complete?

Process operation. Are the documented processes running? Have AI system owners actually used the risk assessment process, or were entries produced once and left unchanged? Have re-assessment triggers been checked? Has the monitoring plan produced output?

Improvement trajectory. Is the AIMS getting better? Are previous internal audit findings closed? Are non-conformances being addressed? Does the management review show that top management is engaging with AIMS performance?

The auditor's fundamental question is not “does the documentation look good?” It is “can I trace a line from the policy to a decision made under it to the record of that decision?” If that traceability line breaks anywhere — if the policy exists but no decisions are traced back to it — the management system is incomplete.

Building the audit programme

ISO 42001 Clause 9.2 requires the organisation to establish, implement, and maintain an audit programme. The programme must define:

  • Scope. Which clauses and which AI systems are covered by each audit cycle. For a first-cycle internal audit, scope should cover all clauses and all AI systems declared in the AIMS scope document.
  • Criteria. The standards against which the audit evaluates: the ISO 42001 standard text, the AIMS policy framework, and the organisation's own documented procedures.
  • Frequency. ISO 42001 requires audits at “planned intervals”. Most organisations operate an annual internal audit cycle, with a supplemental audit scheduled when significant changes occur.
  • Auditor selection. Named auditors with documented competence (ISO management system auditing experience, AI domain knowledge) and documented independence from the activities they audit.

The audit programme itself is documented information under Clause 7.5. It must be maintained and updated when scope changes, significant risks emerge, or previous audits identify systematic weaknesses that require more frequent coverage.

Evidence preparation by clause

For each clause, the following documents and records should be available before an internal audit begins:

  • Clause 4. AIMS scope document (current version, version history), stakeholder needs analysis.
  • Clause 5. AI policy (board-approved, current version), role assignment records for AI governance lead and AI system owners, executive communication records.
  • Clause 6. AI risk assessment methodology documentation, risk register for each in-scope system with all AI-specific categories populated, treatment plans with named owners and acceptance records.
  • Clause 7. Competency records for AIMS roles, awareness training records, document control log.
  • Clause 8. Lifecycle records for each system: deployment gate approval, security review report, change log, re-assessment records where triggers have fired.
  • Clause 9. Monitoring plan outputs, previous audit reports (if any), management review minutes.
  • Clause 10. Non-conformance log, corrective action records with closure evidence.

Common gaps in first internal audits

First-cycle ISO 42001 internal audits consistently find the same categories of gap. The table below summarises them with the clause reference and typical finding type.

Common gaps in first ISO 42001 internal audits

Gap | Clause | What the auditor sees | Type
Scope document not maintained | 4.3 | The AIMS scope was defined at programme start and has not been updated as new AI systems were deployed. Systems in operation are not in the scope document. | major
Risk register entries missing categories | 6.1.2 | Register entries cover information security risks but lack AI-specific categories: bias, explainability, societal impact. Generic entries without system-specific framing. | major
No re-assessment trigger records | 8.2 / 9.1 | Register entries are dated from the initial assessment with no review records. Model version changes and data source changes are not reflected, although Clause 8.2 requires re-assessment at planned intervals or when significant changes occur. | major
Treatment plans without owners | 6.1.3 | Risk treatment plans identify controls but do not name the responsible owner or set a completion timeline. Residual risk acceptors are unnamed. | minor
Evidence-by-description | 8.4 / 9.1 | Control plans describe controls as implemented. No verification records, test results, or configuration exports exist behind the description. | minor
Management review without AIMS findings | 9.3 | Management review minutes record attendance but do not contain the AIMS performance data the standard requires (audit findings, risk register status, incidents). | minor

Severity reflects typical finding type from internal auditors with ISO 42001 experience. Major findings require corrective action before a certification audit proceeds.

The pattern behind most of these gaps is the same: the management system was built as a documentation exercise and has not been operated. Documents exist; processes do not run; records are absent. The corrective action for this pattern is not more documentation — it is operating the existing documentation and producing records.

Corrective action process

ISO 42001 Clause 10.2 (nonconformity and corrective action) requires the organisation to react to non-conformities raised in internal audit by taking corrective action. In summary, the corrective action process has four required steps:

  • React. Address the immediate non-conformity — produce the missing document, close the missing record, correct the process gap.
  • Root cause. Determine why the non-conformity occurred — what process failure or systemic gap allowed it to exist.
  • Correct systematically. Take action to eliminate the root cause, not just the symptom.
  • Verify effectiveness. Review the corrective action to confirm it worked — at the next audit cycle or through targeted follow-up.

Corrective action records must be retained as documented information. A certification body auditor will specifically request the corrective action records from the previous internal audit cycle and will verify that the actions are closed — not just that they were planned.

Difference from a certification audit

An internal audit and a certification audit ask similar questions but have different stakes and different auditor contexts.

An internal audit is conducted by the organisation's own auditors (or contracted auditors reporting to the organisation). Findings are input to the improvement process. The organisation has discretion over how findings are classified and how quickly corrective actions are completed.

A certification audit is conducted by an accredited certification body (CB) with the authority to grant or withhold the certificate. The CB auditor operates under a different set of professional standards and must be independent of the organisation being audited: no consulting, implementation, or other relationship that could compromise impartiality. Findings are classified as major non-conformities (which prevent certification until closed), minor non-conformities (which must be addressed within a defined timeframe), or observations (which are recommendations without a mandatory response).

The primary practical difference is preparation time. An internal audit finding gives the organisation weeks or months to correct. A gap raised at the CB's Stage 1 readiness review can delay Stage 2 until it is closed to the CB's satisfaction, and one that surfaces at Stage 2 becomes a formal non-conformity. Running a thorough internal audit six months before the certification audit, not three weeks before, is the most reliable preparation strategy.

The ISO 42001 AI governance toolkit includes an internal audit checklist mapped to each clause, an auditor independence declaration template, and a non-conformance record template with root cause and corrective action fields.
