Get the House In Order: Say It, Show It, Prove It with ISO 42001 Internal Audits

As AI regulation accelerates, ISO 42001 offers a blueprint for responsible governance — and internal audits are where that blueprint meets reality.

If you’re working towards your ISO 42001 certification, you already know that an internal audit is a key component of the process. Unlike an AI Impact Assessment, which examines AI projects or systems at a more granular level, the ISO 42001 Internal Audit takes the whole organization into account. An ISO 42001 Internal Audit’s goal is to verify compliance and governance effectiveness on a recurring basis, whereas AI Impact Assessments are designed to identify and mitigate risks to people and society before deployment.

Here is another way to think of internal audits vs. impact assessments: the internal audit checks whether your whole house is in order (policies, processes, and governance). The impact assessment, on the other hand, checks whether a particular room in your house is safe to use (a specific AI project or system).

If you’re not sure where to start with your internal audit, you are in the right place. Read on to learn more.

Preparing for the Audit

Like anything compliance-related, the more you practice, the more confident you will feel. Preparing for an ISO 42001 internal audit is no different. In fact, if you have gone through ISO 27001 certification, the auditing process might be familiar to you. There are several core tenets to keep in mind:

  • Know the scope of work. Is this audit covering the entire AI management system (AIMS) or just certain parts (e.g. a pilot AI use case, the risk assessment process, or the governance framework)? You will need to align the scope with organizational priorities.
  • Build a timeline. Whether your organization completes audits on an annual basis or more frequently, it’s important to establish a proper cadence that everyone involved can follow.
  • Establish your team and responsibilities. Who is auditing, who is being audited, and how are you going to capture evidence as you go along? These are all considerations to settle up front.

A great piece of advice when preparing for an Internal Audit is “say it, show it, prove it.” Say it asks: is there a documented policy or procedure? Show it asks: is there evidence that the policy is actually implemented? Prove it is just that: can you demonstrate the outcomes of all the hard work you’re doing, such as reduced bias rates and fewer incidents? This is why the importance of documenting every step of the audit process can’t be overstated.

Carrying Out the Audit

Once preparation is complete, you can kick off the audit with an opening meeting where you bring everyone together. Follow this up with interviews, documentation reviews, and evidence sampling before wrapping up with a closing session.

An audit is defined as “a methodical examination and review.” You’re essentially looking at various pieces of data and information and verifying that what they say is true. Examples of this are:

  • AI risk logs: were bias tests, privacy checks and explainability reviews properly documented?
  • Incident response records: if there have been AI-related failures, what were they and how were they reported?
  • Training records: was your staff properly trained on the latest AI ethics and governance guidelines?
  • Model monitoring reports: are you producing reports that show ongoing tracking of model drift, accuracy and fairness?

Make sure that you continue to “say it, show it, and prove it” as you go along through the testing and verification part of the journey. It’s also important to evaluate your organization against the ISO 42001 clauses: leadership, planning, support, operation, performance evaluation and improvement. Remember, you are blending process audits (governance) with technical audits (data and model practices).

Understanding the Findings

If certification is your goal, it’s important to know how you fared on the audit so you can make enhancements that drive change. Auditors generally categorize findings in a few ways that can help you prioritize:

  • Conformity: requirements met
  • Minor nonconformity: small deviation that doesn’t undermine the system
  • Major nonconformity: serious issue that must be corrected before certification
  • Opportunities for improvement (OFIs): areas to strengthen beyond baseline compliance

These findings will be influential in driving your organization forward, or in signalling when to pause and course correct as needed. Once again, the importance of documentation can’t be overstated. The team’s corrective actions should be assigned, tracked and verified. Audits are not a solo sport, but rather a team effort that requires plenty of cross-checking and camaraderie to keep everyone engaged.

Closing

At the end of the day, an internal audit is designed to pick apart the processes, policies and controls that make up your organization, while answering a central question: are we doing what we said we would do, and does it align with ISO 42001? Keeping your audit evidence-based, blending process and technical reviews, and maintaining a culture of support will ensure your team stays connected and accountable. When done the right way, an ISO 42001 internal audit doesn’t just check boxes: it strengthens the organization’s AI governance and establishes the trust that regulators, partners and customers increasingly expect.

Not sure where to start? Let us perform your first ISO 27001 internal audit.
