Internal Audit Guide
Complete guide to planning and conducting internal audits of the AI Management System, including the audit program, checklists, and reporting.
Chapter Overview
This chapter provides a comprehensive guide to planning and conducting internal audits of your AIMS as required by Clause 9.2. Effective internal audits are essential for verifying conformance and driving improvement.
The organization shall conduct internal audits at planned intervals to provide information on whether the AIMS:
• Conforms to the organization's own requirements
• Conforms to the requirements of ISO 42001
• Is effectively implemented and maintained
Audit Program
Audit Program Elements
| Element | Description |
|---|---|
| Objectives | What the audit program aims to achieve |
| Scope | What will be audited over the program period |
| Schedule | When audits will be conducted |
| Resources | Auditors, time, budget |
| Methodology | How audits will be conducted |
| Reporting | How results will be reported |
Audit Frequency Factors
| Factor | Higher Frequency Needed |
|---|---|
| Risk Level | High-risk AI systems |
| Previous Results | Areas with past nonconformities |
| Changes | Recently changed processes or systems |
| Maturity | New or immature processes |
| Regulatory | Heavily regulated areas |
| Importance | Critical processes |
Annual Audit Schedule Template
Q1: Clauses 4-5 (Context, Leadership), A.2-A.3 (Policy, Organization)
Q2: Clause 6 (Planning), A.5-A.6 (Impacts, Lifecycle)
Q3: Clauses 7-8 (Support, Operation), A.7-A.8 (Data, Transparency)
Q4: Clauses 9-10 (Performance, Improvement), A.9-A.10 (Use, Third-party)
Ensure all clauses and applicable Annex A controls are covered at least annually.
Audit Process
Audit Phases
| Phase | Activities | Output |
|---|---|---|
| 1. Planning | Define scope, criteria, schedule, team | Audit plan |
| 2. Preparation | Review documentation, prepare checklists | Audit checklist |
| 3. Opening Meeting | Confirm scope, explain process | Meeting record |
| 4. Evidence Gathering | Interviews, document review, observation | Audit notes |
| 5. Analysis | Evaluate evidence against criteria | Findings |
| 6. Closing Meeting | Present findings, agree actions | Meeting record |
| 7. Reporting | Document audit results | Audit report |
| 8. Follow-up | Verify corrective actions | Closure records |
Audit Planning
Audit Plan Content
Audit Reference: [Unique ID]
Audit Date(s): [Dates]
Audit Type: [Internal/Surveillance/Certification]
Scope:
• Clauses to be audited
• Annex A controls to be audited
• AI systems in scope
• Locations/departments
Criteria:
• ISO 42001:2023
• Organization's AIMS documentation
• Applicable regulations
Audit Team:
• Lead Auditor: [Name]
• Auditor(s): [Names]
Schedule:
• [Time] - Opening meeting
• [Time] - [Area/Process]
• [Time] - [Area/Process]
• [Time] - Closing meeting
Auditees: [Names and roles]
Evidence Gathering
Evidence Types
| Type | Examples |
|---|---|
| Documentation | Policies, procedures, records, reports |
| Interviews | Discussions with personnel at all levels |
| Observation | Watching processes being performed |
| System Review | Examining AI systems, tools, dashboards |
| Sampling | Selecting samples of records or outputs |
Interview Techniques
- Use open-ended questions (what, how, why, show me)
- Ask for evidence to support statements
- Follow audit trails
- Verify understanding by summarizing
- Remain objective and non-judgmental
- Take clear notes
Audit Checklist - ISO 42001
Clause 4: Context
☐ Are external and internal issues identified? (4.1)
☐ Are interested parties and their requirements identified? (4.2)
☐ Is the AIMS scope documented and available? (4.3)
☐ Is the AIMS established and maintained? (4.4)
☐ Are process interactions defined? (4.4)
Clause 5: Leadership
☐ Is there evidence of top management commitment? (5.1)
☐ Is the AI policy documented and approved? (5.2)
☐ Is the policy communicated and available? (5.2)
☐ Are roles and responsibilities assigned and communicated? (5.3)
☐ Is someone responsible for AIMS conformance and reporting? (5.3)
Clause 6: Planning
☐ Is there a documented risk assessment process? (6.1.2)
☐ Are risk criteria established? (6.1.2)
☐ Do assessments cover the AI lifecycle? (6.1.2)
☐ Is there a documented risk treatment process? (6.1.3)
☐ Is there a Statement of Applicability? (6.1.3)
☐ Does the SoA justify exclusions? (6.1.3)
☐ Is there an approved risk treatment plan? (6.1.3)
☐ Are AI objectives established and measurable? (6.2)
Clauses 7-10 Summary
Clause 7 (Support):
☐ Are adequate resources provided?
☐ Is competence determined and evidenced?
☐ Is awareness training provided?
☐ Are communications planned?
☐ Is documented information controlled?
Clause 8 (Operation):
☐ Are operational controls implemented?
☐ Are risk assessments conducted as planned?
☐ Are risk treatments implemented?
☐ Are impact assessments conducted?
Clause 9 (Performance):
☐ Is performance monitored and measured?
☐ Is there an internal audit program?
☐ Are management reviews conducted?
Clause 10 (Improvement):
☐ Are nonconformities addressed?
☐ Are corrective actions effective?
☐ Is continual improvement demonstrated?
Audit Findings
Finding Classifications
| Classification | Definition | Response Required |
|---|---|---|
| Major Nonconformity | Absence or total breakdown of a requirement; systemic failure | Immediate corrective action required |
| Minor Nonconformity | Single lapse or partial non-fulfilment | Corrective action required |
| Observation | Area for improvement; not a nonconformity | Consider for improvement |
| Positive Finding | Good practice observed | Share and maintain |
Writing Findings
Requirement: [Specific clause or control requirement]
Evidence: [Objective evidence observed]
Finding: [Clear statement of conformity or nonconformity]
Example:
Requirement: Clause 6.1.3 requires a Statement of Applicability with justification for exclusions.
Evidence: The SoA dated 2024-01-15 excludes control A.7.5 (Data Preparation) with no justification provided.
Finding: Minor nonconformity - SoA does not include justification for excluded control.
Audit Report
Report Content
1. AUDIT DETAILS
• Audit reference and date
• Audit scope and criteria
• Audit team
• Auditees
2. EXECUTIVE SUMMARY
• Overall assessment
• Number of findings by type
• Key observations
3. AUDIT FINDINGS
For each finding:
• Finding reference
• Classification (Major/Minor/Observation)
• Requirement
• Evidence
• Finding statement
4. POSITIVE OBSERVATIONS
• Good practices noted
5. CONCLUSION
• Audit objectives achieved?
• AIMS conformance assessment
• Recommendations
6. DISTRIBUTION
• Recipients of report
7. SIGN-OFF
• Lead Auditor signature and date
Auditor Competence
Required Competencies
| Area | Competence Needed |
|---|---|
| Audit Skills | ISO 19011 audit principles and techniques |
| ISO 42001 | Understanding of all requirements |
| AI Knowledge | Basic understanding of AI systems and risks |
| Organization | Knowledge of organization context |
| Communication | Interview and reporting skills |
Independence Requirements
- Auditors must not audit their own work
- Auditors must be independent of the area being audited
- Auditors must have no conflicts of interest
- Auditors must remain objective and impartial
1. Audit program must cover all clauses and applicable controls
2. Audits verify conformance AND effectiveness
3. Auditors must be competent and independent
4. Findings must be evidence-based
5. Follow up on corrective actions
6. Internal audit is preparation for certification