
ISO 42001 Internal Audit Checklist: What to Review and How to Score Findings


Jared Clark

March 29, 2026

Last updated: 2026-03-29 | By Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC — Principal Consultant, Certify Consulting

Internal audits are not a box-ticking exercise. For organizations pursuing ISO 42001:2023 certification — or maintaining it — the internal audit is one of the most consequential activities in your entire AI management system (AIMS). It is the moment where your documented commitments collide with operational reality, and the results directly determine your readiness for the external certification body.

After helping more than 200 clients pass their certification audits at the first attempt across multiple ISO frameworks, I can tell you with certainty: organizations that treat internal audits as a genuine diagnostic tool consistently outperform those that treat them as a pre-audit rehearsal. The difference shows up in how findings are scoped, scored, and resolved.

This guide gives you a complete, clause-by-clause internal audit checklist for ISO 42001:2023, a practical scoring methodology, and the criteria auditors actually use to classify observations. Whether you are conducting your first internal audit or refining a mature program, this is the reference you need.


Why the ISO 42001 Internal Audit Is Different From Other ISO Audits

ISO 42001 was published in December 2023 as the world's first international standard specifically designed for AI management systems. Its internal audit requirements follow the familiar High-Level Structure (HLS) used across ISO management system standards — meaning if your team has ISO 9001 or ISO 27001 audit experience, the process architecture will feel familiar.

However, three features make ISO 42001 internal audits distinctly more complex:

  1. AI system risk is dynamic. Unlike product quality or data security, AI system behavior can shift as models are retrained, fine-tuned, or exposed to new data distributions. Your audit must capture point-in-time evidence and assess whether ongoing monitoring controls are functioning.
  2. Impact assessments are a first-class artifact. ISO 42001 clause 6.1.4 requires AI system impact assessments (clause 6.1.2 covers the separate AI risk assessment), and auditors — both internal and external — will scrutinize these documents as primary evidence of risk identification.
  3. Responsible AI objectives interact with business objectives. Clause 6.2 requires organizations to set AI objectives with measurable targets. Auditors must verify that these objectives are not just documented but actively tracked and connected to resource allocation decisions.

According to BSI Group, organizations that complete at least one full internal audit cycle before their Stage 2 external audit are significantly more likely to achieve certification without major nonconformities. A well-executed ISO 42001 internal audit is the single highest-leverage activity between your gap assessment and your certification audit.


How to Structure Your Internal Audit Program (Clause 9.2 Requirements)

ISO 42001 clause 9.2 sets out the internal audit requirements. Before diving into the checklist, your program itself must satisfy four structural requirements:

  • Audit frequency and planning: The audit program must define the frequency, methods, responsibilities, planning requirements, and reporting for each audit cycle.
  • Criteria and scope: Each audit must have defined criteria (the requirements being audited against) and a defined scope (which processes, systems, and organizational units are in scope).
  • Impartiality: Auditors must not audit their own work — this is a non-negotiable independence requirement.
  • Documented results: Audit findings must be retained as documented information.

A practical tip: for most organizations with fewer than five AI systems in scope, a single annual internal audit covering all clauses is sufficient. For organizations with active AI development pipelines or multiple AI applications, consider a rolling audit program that covers different process clusters on a quarterly basis.


The ISO 42001 Internal Audit Checklist: Clause by Clause

Use this checklist as your primary evidence-gathering tool during the audit. For each item, the auditor should record: (a) objective evidence reviewed, (b) personnel interviewed, and (c) the finding classification (see scoring section below).


Clause 4 — Context of the Organization

4.1 Understanding the Organization and Its Context

  • [ ] Has the organization documented internal and external issues relevant to its AI management system?
  • [ ] Do internal issues include factors such as organizational culture, existing technology infrastructure, and data governance maturity?
  • [ ] Are external issues documented, including applicable laws (e.g., EU AI Act, sector-specific regulations), societal expectations, and competitive context?
  • [ ] Is the context review dated and subject to periodic update?

Evidence to request: Context analysis documents, management review minutes referencing context updates, PESTLE or SWOT analyses if used.

4.2 Understanding the Needs and Expectations of Interested Parties

  • [ ] Has the organization identified relevant interested parties (customers, regulators, affected communities, employees)?
  • [ ] Are the requirements of each interested party documented?
  • [ ] Is there a mechanism to detect changes in interested party requirements?

Evidence to request: Stakeholder register, customer contract review records, regulatory mapping documentation.

4.3 Determining the Scope of the AIMS

  • [ ] Is the scope of the AI management system clearly documented?
  • [ ] Does the scope specify which AI systems, organizational units, and processes are included?
  • [ ] Where boundaries or exclusions exist, are they justified?

Evidence to request: Scope statement document, AI system inventory cross-referenced to scope.

4.4 AI Management System

  • [ ] Has the organization established, implemented, maintained, and is continually improving its AIMS?
  • [ ] Are the processes needed for the AIMS and their interactions determined?

Clause 5 — Leadership

5.1 Leadership and Commitment

  • [ ] Can top management demonstrate commitment to the AIMS (not just delegate it)?
  • [ ] Is AI policy aligned with the organization's strategic direction?
  • [ ] Has top management ensured that AIMS objectives are compatible with organizational objectives?
  • [ ] Are roles, responsibilities, and authorities for AI governance assigned and communicated?

Evidence to request: Board or executive committee minutes mentioning AI governance, AI policy sign-off records, organizational charts with AI governance roles.

5.2 AI Policy

  • [ ] Is the AI policy documented, approved at the executive level, and available to relevant parties?
  • [ ] Does the policy include a commitment to responsible AI and continual improvement?
  • [ ] Does the policy address relevant legal and regulatory compliance obligations?

Clause 5.2 requires the AI policy to be appropriate to the organization's purpose, to provide a framework for setting AI objectives, and to include commitments to satisfy applicable requirements and to continually improve the AIMS. It must be available as documented information and communicated within the organization.

5.3 Organizational Roles, Responsibilities, and Authorities

  • [ ] Are roles for AI risk management, impact assessment, and incident response clearly assigned?
  • [ ] Do individuals in these roles have the authority to act?
  • [ ] Is there a designated function responsible for AIMS performance reporting to top management?

Clause 6 — Planning

6.1 Actions to Address Risks and Opportunities

  • [ ] Has the organization determined risks and opportunities relevant to the AIMS context and objectives?
  • [ ] Are actions planned to address these risks and opportunities?
  • [ ] Are planned actions integrated into AIMS processes?

6.1.2 AI Risk Assessment

  • [ ] Is there a documented AI risk assessment process?
  • [ ] Does the risk assessment cover risks to individuals, groups, and society (not just organizational risks)?
  • [ ] Are risk criteria defined, including acceptable risk thresholds?
  • [ ] Is risk assessment evidence retained and dated?

Evidence to request: AI risk assessment methodology document, completed risk registers for each in-scope AI system, risk treatment decisions, and the risk treatment plan and Statement of Applicability required by clause 6.1.3 (which Annex A controls were selected or excluded, and why).

6.1.4 AI System Impact Assessment

  • [ ] Has an AI impact assessment been completed for each AI system in scope?
  • [ ] Does the impact assessment address potential harms: physical, psychological, financial, societal?
  • [ ] Are impact assessments reviewed when the AI system undergoes significant change?
  • [ ] Are impact assessments linked to risk treatment decisions?

This is one of the most frequently cited gap areas during certification audits. Impact assessments are often present but not connected to actual risk treatment plans — a classic major nonconformity trigger.

6.2 AI Objectives and Planning to Achieve Them

  • [ ] Are AI objectives documented for relevant functions and levels?
  • [ ] Are objectives measurable or otherwise verifiable?
  • [ ] Do objectives address responsible AI principles (transparency, fairness, reliability, privacy, safety, security)?
  • [ ] Are plans in place that specify what will be done, resources required, who is responsible, and target timescales?

Clause 7 — Support

7.1 Resources

  • [ ] Has the organization determined and provided the resources needed for the AIMS?
  • [ ] Are resource decisions documented and traceable to AIMS requirements?

7.2 Competence

  • [ ] Are required competencies for AI-related roles defined?
  • [ ] Is evidence of competence retained (training records, certifications, credentials)?
  • [ ] Where competency gaps exist, are actions taken and their effectiveness evaluated?

Evidence to request: Job descriptions with competency requirements, training matrices, training completion records, competency evaluation records.

7.3 Awareness

  • [ ] Are personnel aware of the AI policy and their contribution to AIMS effectiveness?
  • [ ] Is there documented awareness training for AI ethics, responsible AI, and incident reporting?

7.4 Communication

  • [ ] Is there a documented communication plan for internal and external AI-related communications?
  • [ ] Are external communications about AI systems accurate and not misleading?

7.5 Documented Information

  • [ ] Are required documented information items (as specified across all clauses) present, controlled, and retained?
  • [ ] Is there a document control procedure covering creation, review, approval, and version management?

Clause 8 — Operation

8.1 Operational Planning and Control

  • [ ] Are processes for AI system development, deployment, and operation planned and implemented?
  • [ ] Are controls in place to ensure AI systems operate within defined parameters?
  • [ ] Are changes to AI systems subject to a change management process (see also clause 6.3, planning of changes)?

Clause 8.1 requires organizations to plan, implement and control the processes needed to meet AIMS requirements, to control planned changes, and to review the consequences of unintended changes and act to mitigate any adverse effects.

8.2 AI Risk Assessment (Operational)

  • [ ] Is the AI risk assessment process applied before deployment of new or modified AI systems?
  • [ ] Is risk assessment evidence retained for each deployment decision?

8.3 AI Risk Treatment (Operational)

  • [ ] Is the risk treatment plan from clause 6.1.3 actually implemented, and are the results of treatment retained as documented information?

8.4 AI System Impact Assessment (Operational)

  • [ ] Are impact assessments conducted prior to operational deployment?
  • [ ] Are third-party AI systems (procured models, APIs) subject to impact assessment requirements?

Annex A Controls: AI System Life Cycle (A.6) and Data for AI Systems (A.7)

Clause 8 of ISO 42001 ends at 8.4. Life cycle management and per-system operational documentation are not separate clause 8 requirements; they come from the Annex A controls the organization selected in its Statement of Applicability (clause 6.1.3), with implementation guidance in Annex B. Audit each selected control as a requirement in its own right.

  • [ ] Does the organization manage AI systems across their full life cycle: design, development, testing, deployment, monitoring, and decommissioning?
  • [ ] Are decommissioning procedures documented and followed?
  • [ ] Is operational documentation for each AI system maintained (system cards, model documentation, data provenance records)?
  • [ ] Where a control in the Statement of Applicability is marked as excluded, is the justification still valid for the systems now in scope?

Clause 9 — Performance Evaluation

9.1 Monitoring, Measurement, Analysis, and Evaluation

  • [ ] Are there defined metrics for AI system performance, fairness, reliability, and safety?
  • [ ] Is monitoring data collected and analyzed at defined intervals?
  • [ ] Are results reported to responsible functions?

9.2 Internal Audit

  • [ ] Is there a documented internal audit program?
  • [ ] Are auditors competent and independent?
  • [ ] Are audit findings documented and reported to top management?
  • [ ] Are nonconformities from internal audits tracked through to closure?

9.3 Management Review

  • [ ] Does top management conduct management reviews at planned intervals?
  • [ ] Do management review inputs include: audit results, objective performance, nonconformity status, interested party feedback, risk landscape changes?
  • [ ] Are management review outputs documented, including decisions and action items?

Clause 10 — Improvement

10.1 Continual Improvement

  • [ ] Is there evidence of continual improvement activity — not just reactive correction?
  • [ ] Are improvement opportunities identified from monitoring, audits, and management reviews?

10.2 Nonconformity and Corrective Action

  • [ ] When nonconformities occur, are they documented, analyzed for root cause, and corrected?
  • [ ] Are corrective actions reviewed for effectiveness?
  • [ ] Is there a nonconformity log maintained as documented information?

How to Score ISO 42001 Audit Findings

Consistent, defensible scoring is what separates a professional internal audit from an informal walkthrough. Use the following four-tier classification, which follows the major/minor nonconformity definitions in ISO/IEC 17021-1 (the standard accredited certification bodies operate under) and the audit conduct guidance in ISO 19011.

  • Major Nonconformity
    Definition: A clause requirement is absent, completely ineffective, or systematically not followed. The AIMS cannot achieve its intended outcomes.
    Certification impact: Blocks certification until resolved.
    Typical response timeframe: 30–90 days, with verification of effectiveness.
  • Minor Nonconformity
    Definition: A clause requirement exists and generally functions but has a specific, isolated gap or lapse. Does not prevent the AIMS from achieving its intended outcomes.
    Certification impact: Must be resolved, or have an accepted corrective action plan, before or at Stage 2.
    Typical response timeframe: 30–60 days.
  • Observation / OFI
    Definition: No nonconformity exists, but a trend, weakness, or improvement opportunity is identified.
    Certification impact: No direct certification impact.
    Typical response timeframe: Address in the next planning cycle.
  • Positive Finding
    Definition: Evidence of particularly effective implementation or best practice worth recognizing and potentially sharing.
    Certification impact: None; encourages AIMS maturity.
    Typical response timeframe: Not applicable.

Scoring Decision Rules

Use these five decision rules when classifying findings:

  1. The "absent vs. ineffective" test: If no documented process exists, it is a major. If the process exists but has a single documented lapse, it is a minor.
  2. The "systemic vs. isolated" test: If the same gap appears in three or more instances across independent records, escalate from minor to major regardless of individual severity.
  3. The "intended outcome" test: Ask — can the AIMS still achieve its intended outcomes despite this gap? If no, it is a major. If yes, it is a minor at most.
  4. The "lifecycle coverage" test: If an AI risk assessment (clauses 6.1.2 and 8.2) or an AI system impact assessment (clauses 6.1.4 and 8.4) is missing entirely for a deployed AI system (not just incomplete), this is a major nonconformity.
  5. The "leadership evidence" test: If top management cannot produce any objective evidence of AIMS engagement (clause 5.1), this is a major — not an observation.

In ISO 42001 internal audits, a finding is classified as a major nonconformity when a required clause element is entirely absent, systematically ineffective, or when the AI management system cannot demonstrably achieve its intended responsible AI outcomes as a result of the gap.
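The five decision rules are a classification procedure, and the easiest way to check that a team applies them consistently is to encode them. The following is an added example written for this guide; it is not tooling from ISO, a certification body, or Certify Consulting. The Finding record, its field names, and the sample findings are all constructed for illustration. Rules 1, 3, 4 and 5 are evaluated per finding; rule 2 is applied afterwards across the whole set, because a systemic pattern is only visible once every finding has been recorded.

```python
"""Finding classifier for the five ISO 42001 scoring decision rules.

Added example for this guide, not tooling from ISO, a certification body or
Certify Consulting. The Finding record, its field names and the sample
findings are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

MAJOR = "Major nonconformity"
MINOR = "Minor nonconformity"
OFI = "Observation / OFI"


@dataclass(frozen=True)
class Finding:
    ref: str                       # constructed finding id, e.g. "F-01"
    clause: str                    # ISO 42001 clause the evidence was tested against
    gap_key: str                   # what exactly is missing; rule 2 counts repeats of this
    requirement_unmet: bool        # False => no clause breach, so at most an OFI
    process_exists: bool = True    # rule 1: is there any documented process at all?
    outcome_at_risk: bool = False  # rule 3: can the AIMS still achieve its intended outcomes?
    deployed_without_assessment: bool = False  # rule 4: 6.1.2/6.1.4 (8.2/8.4) evidence absent
    no_leadership_evidence: bool = False       # rule 5: clause 5.1 with no objective evidence


def classify_one(f: Finding) -> str:
    """Rules 1, 3, 4 and 5, evaluated on a single finding."""
    if not f.requirement_unmet:
        return OFI
    # Rules 4 and 5 are absolute: they override any "isolated lapse" argument.
    if f.deployed_without_assessment or f.no_leadership_evidence:
        return MAJOR
    if not f.process_exists:       # rule 1: absent, not merely ineffective
        return MAJOR
    if f.outcome_at_risk:          # rule 3: intended-outcome test
        return MAJOR
    return MINOR                   # process exists, isolated lapse


def classify_all(findings, systemic_threshold: int = 3) -> dict:
    """Rule 2 on top of classify_one: the same gap seen in >= systemic_threshold
    independent records is systemic, so every minor carrying that gap_key
    becomes a major regardless of individual severity."""
    first_pass = {f.ref: classify_one(f) for f in findings}
    repeats = Counter(f.gap_key for f in findings if first_pass[f.ref] == MINOR)
    return {
        f.ref: MAJOR if first_pass[f.ref] == MINOR and repeats[f.gap_key] >= systemic_threshold
        else first_pass[f.ref]
        for f in findings
    }


def tally(results: dict) -> Counter:
    """Counts per class, the numbers a Stage 2 readiness review cares about."""
    return Counter(results.values())


# Constructed sample findings from a fictional internal audit.
SAMPLE_FINDINGS = [
    Finding("F-01", "6.1.4", "impact-assessment-missing", True, deployed_without_assessment=True),
    Finding("F-02", "7.2", "training-record-missing", True),
    Finding("F-03", "7.2", "training-record-missing", True),
    Finding("F-04", "7.2", "training-record-missing", True),
    Finding("F-05", "9.3", "review-lacks-aims-agenda", True),
    Finding("F-06", "10.1", "improvement-log-sparse", False),
    Finding("F-07", "5.1", "no-top-management-evidence", True, no_leadership_evidence=True),
    Finding("F-08", "6.2", "no-objectives-plan", True, process_exists=False),
]

if __name__ == "__main__":
    results = classify_all(SAMPLE_FINDINGS)
    for ref, cls in results.items():
        print(f"{ref}: {cls}")
    print(dict(tally(results)))
```

In the sample set, F-02 to F-04 are each an isolated training-record lapse and would be minors on their own, but because the same gap_key appears three times they are escalated to majors under rule 2; F-05 stays a minor, F-06 is an OFI, and F-01, F-07 and F-08 are majors under rules 4, 5 and 1 respectively. The gap_key is deliberately finer than the clause number: two unrelated lapses under the same clause are not a systemic pattern, and counting by clause alone would over-escalate.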


Common Major Nonconformities Found in ISO 42001 Audits

Based on my experience supporting organizations through ISO 42001 certification, these are the five most frequently identified major nonconformities during internal and certification audits:

  1. No AI system impact assessment for deployed systems (Clause 6.1.4 / 8.4) — The organization has an impact assessment template but has not completed assessments for one or more AI systems already in production.
  2. AI objectives with no measurable targets (Clause 6.2) — Objectives like "improve AI fairness" exist but have no defined metrics, baselines, or target dates.
  3. Scope excludes active AI systems without justification (Clause 4.3) — Commercially available AI tools used in significant business processes are excluded from scope without documented rationale.
  4. No evidence of management review with AIMS-specific agenda (Clause 9.3) — General business review meetings are cited as management reviews but contain no AIMS-specific agenda items or documented outputs.
  5. Corrective actions closed without effectiveness verification (Clause 10.2) — Previous nonconformities are marked "closed" in the log, but no evidence of effectiveness review exists.

Before, During, and After the Audit: A Practical Timeline

4–6 Weeks Before the Audit

  • Confirm audit scope, criteria, and schedule in writing
  • Assign auditors and verify independence from the processes they will audit
  • Distribute the audit plan to auditees with sufficient notice
  • Request pre-audit documentation packages from process owners

During the Audit

  • Conduct opening meeting to confirm scope, logistics, and confidentiality
  • Follow the checklist systematically; do not skip clauses to save time
  • Record objective evidence references for every finding (document ID, interviewee name, observation date)
  • Classify findings in real time using the scoring rules above
  • Conduct closing meeting to present preliminary findings before leaving

Within 2 Weeks After the Audit

  • Issue the formal audit report with all findings classified and documented
  • Initiate corrective action requests (CARs) for all nonconformities
  • Load findings and CARs into the nonconformity log
  • Schedule follow-up verification dates for major nonconformities

Connecting Internal Audit Results to Certification Readiness

Your internal audit is not a standalone event — it feeds directly into your management review (clause 9.3) and your corrective action system (clause 10.2). Before scheduling your Stage 2 external audit, verify that:

  • All major nonconformities from the internal audit have been resolved and their corrective actions verified as effective
  • Minor nonconformities have either been resolved or have documented, time-bound corrective action plans
  • The audit report and all CARs are retained as documented information
  • Management review minutes reference the internal audit results and include documented decisions

For organizations working toward initial certification, I typically recommend completing the internal audit no later than 8 weeks before the scheduled Stage 2 audit date. This gives sufficient time to address major findings, collect effectiveness evidence, and incorporate results into a pre-Stage-2 management review.
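The readiness checks above are a gate over the nonconformity log, and running them as code before every pre-Stage-2 management review catches the "closed without effectiveness verification" pattern listed among the common majors. The following is an added example written for this guide; it is not a tool from ISO, any certification body, or Certify Consulting. The CAR record, its field names, and the sample log are constructed for illustration.

```python
"""Pre-Stage 2 readiness gate over a corrective action request (CAR) log.

Added example for this guide, not a tool from ISO, a certification body or
Certify Consulting. The CAR record and the sample log are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CAR:
    ref: str
    classification: str               # "major" or "minor", from the scoring rules
    status: str                       # "open" or "closed"
    root_cause_recorded: bool         # clause 10.2: analysed for root cause
    effectiveness_verified: bool      # clause 10.2: effectiveness review performed
    plan_due: Optional[date] = None   # due date of the corrective action plan, if still open


def stage2_blockers(log: List[CAR]) -> List[Tuple[str, str]]:
    """Return (ref, reason) pairs that must be cleared before Stage 2.

    Checks: every major is closed with verified effectiveness; every open
    minor carries a time-bound plan; nothing is closed without a recorded
    root cause and an effectiveness review (the clause 10.2 pattern that
    surfaces as a major in certification audits).
    """
    blockers = []
    for car in log:
        if car.status == "closed":
            if not car.root_cause_recorded:
                blockers.append((car.ref, "closed without root cause analysis (clause 10.2)"))
            if not car.effectiveness_verified:
                blockers.append((car.ref, "closed without effectiveness verification (clause 10.2)"))
            continue
        # Still open: majors are blockers outright, minors need a dated plan.
        if car.classification == "major":
            blockers.append((car.ref, "major nonconformity still open"))
        elif car.plan_due is None:
            blockers.append((car.ref, "open minor without a time-bound corrective action plan"))
    return blockers


def ready_for_stage2(log: List[CAR]) -> bool:
    """True only when the log carries no blockers."""
    return not stage2_blockers(log)


# Constructed sample log for a fictional AIMS.
SAMPLE_LOG = [
    CAR("CAR-01", "major", "closed", True, True),
    CAR("CAR-02", "major", "closed", True, False),                 # closed, never verified
    CAR("CAR-03", "minor", "open", True, False, date(2026, 5, 15)),
    CAR("CAR-04", "minor", "open", False, False),                  # no plan date at all
    CAR("CAR-05", "minor", "closed", False, True),                 # no root cause recorded
    CAR("CAR-06", "major", "open", True, False, date(2026, 6, 1)),
]

if __name__ == "__main__":
    for ref, reason in stage2_blockers(SAMPLE_LOG):
        print(f"{ref}: {reason}")
    print("ready:", ready_for_stage2(SAMPLE_LOG))
```

On the sample log, CAR-02, CAR-04, CAR-05 and CAR-06 are reported as blockers and the gate returns not ready; only CAR-01 and CAR-03 satisfy the checks. Note that a closed record is checked for both root cause and effectiveness regardless of its classification, because the log entry, not the severity, is what the external auditor samples.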

If you want an expert set of eyes on your internal audit findings before your certification audit, explore our ISO 42001 certification readiness services or review our ISO 42001 implementation guide for a full-system perspective.


FAQ: ISO 42001 Internal Audit

How often should an ISO 42001 internal audit be conducted?

ISO 42001 clause 9.2 requires that internal audits be conducted at planned intervals. For most organizations, an annual full-system audit is the baseline. Organizations with active AI development pipelines, multiple AI systems, or recent significant changes should consider semi-annual or rolling quarterly audits to maintain adequate coverage.

Can the same person who built the AIMS conduct the internal audit?

No. ISO 42001 clause 9.2 explicitly requires auditors to be objective and impartial, which means they cannot audit their own work. For small organizations without sufficient internal auditor resources, engaging a qualified external consultant to conduct the internal audit is both compliant and common practice.

What is the difference between an observation and a minor nonconformity?

An observation (also called an Opportunity for Improvement, or OFI) identifies a potential weakness or improvement area where no clause requirement is currently being violated. A minor nonconformity identifies a specific, isolated instance where a clause requirement is not being met. Minor nonconformities require formal corrective action; observations do not.

Do third-party AI tools (e.g., procured AI APIs) need to be included in the internal audit?

Yes, if those tools are within your AIMS scope. ISO 42001 clause 8.4 (applying the method defined in 6.1.4) requires AI system impact assessments for in-scope AI systems, which includes procured models and APIs, and Annex A.10 covers controls for third-party and customer relationships. Your internal audit should verify that procured AI systems have documented impact assessments and that supplier controls are in place.

What documentation must be retained from an ISO 42001 internal audit?

At minimum: the audit program, the audit plan for each audit, the audit report with classified findings, and records of any corrective actions taken as a result. These are required documented information items under clause 9.2 and must be controlled in accordance with clause 7.5.


Jared Clark is Principal Consultant at Certify Consulting and has guided 200+ organizations through ISO management system certification with a 100% first-time audit pass rate. For ISO 42001 internal audit support, pre-audit readiness reviews, or full implementation assistance, visit certify.consulting.



Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.
