Internal Audit Explained for ISO 42001
ISO 42001 Clause 9.2
Internal audit gives the organisation independent evidence that the AI management system is doing what it claims to do. Without it, the management system has no internal feedback loop.
ISO 42001 Clause 9.2 - Internal Audit Explained
Clause 9.2 follows the standard Annex SL internal audit requirements with no AI-specific additions. The audit programme covers the AI management system as part of the wider integrated management system, with AI-specific audit activity built into the existing audit cycle.
What ISO 42001 Clause 9.2 requires
The organisation must conduct internal audits at planned intervals to provide information on whether the AI management system conforms to the organisation's own requirements for the AI management system and the requirements of the standard, and whether it is effectively implemented and maintained.
The organisation must plan, establish, implement and maintain an audit programme. The programme must take into account the importance of the processes concerned and the results of previous audits. For each audit, the organisation must define the audit objectives, criteria and scope, select auditors and conduct audits in a way that ensures the objectivity and impartiality of the audit process, and report the results to relevant managers. Documented information must be retained as evidence of the implementation of the audit programme and of the audit results.
The AI audit programme
The audit programme is the schedule of audits planned over a defined period, typically a year. For an integrated management system, the AI management system is incorporated into the wider audit programme rather than audited separately. The programme identifies which clauses, processes and controls will be audited, when, by whom, and against what criteria.
The programme should reflect the importance of each process and the results of previous audits. Higher-risk AI processes such as the impact assessment process or the AI risk assessment process warrant more frequent audit than lower-risk processes such as the document control of AI documented information. Areas where previous audits have identified findings warrant earlier follow-up to verify that corrective action has been effective.
Audit scope and criteria for AI
For each audit, the scope and criteria must be defined. The scope sets out which clauses, processes, AI systems or controls are being audited. The criteria are the requirements against which conformity is being tested - these include the standard, the organisation's own management system requirements, contractual requirements, and applicable legal and regulatory requirements.
For an AI management system audit, the criteria typically include the relevant clauses of ISO 42001, the included Annex A controls from the Statement of Applicability, the AI policy, and any applicable legal requirements. The scope might be the whole AI management system in a single audit cycle, or specific AI systems or processes audited in turn over the cycle.
Auditor competence and independence
Auditors must be selected so as to ensure the objectivity and impartiality of the audit process. They must also have appropriate competence. For AI audits this can be more demanding than for other management system audits, because AI raises technical, ethical and legal considerations that may be outside the experience of generalist auditors. The implementation guidance under B.4.6 recognises this and supports the use of external expertise where the necessary skills are not available internally.
Independence is preserved by making sure auditors do not audit their own work. In small organisations this can be difficult and may require external auditors or auditors from a different part of the business. The standard does not prohibit this provided objectivity and impartiality are maintained.
Reporting and follow-up
The results of audits must be reported to relevant managers. In practice this means a written audit report identifying conformities, nonconformities and observations, with the nonconformities raised through the corrective action process under Clause 10.2. The audit programme must track the closure of nonconformities and the verification of corrective action effectiveness.
For an AI management system, the audit programme typically schedules a full coverage cycle over the certification period. Each clause and each significant control is audited at least once during the cycle, with high-risk areas audited more frequently. The programme is reviewed annually and adjusted based on findings, changes to the management system, and the results of management reviews.
Where the organisation has an existing integrated management system audit programme, the AI dimension is added rather than replacing what is already there. A schedule that covers ISO 9001, ISO 27001 and ISO 42001 in an integrated cycle is more efficient than three parallel programmes.
When auditing Clause 9.2, I look at the audit programme, the planned audits, the audits actually completed, and the records of findings and corrective action. I want to see that the audit programme is risk-based, that audits are being conducted by competent and independent auditors, and that findings are being followed through to closure.
For AI audits specifically, I check the auditor's competence to audit AI activities. A generalist auditor without AI awareness training may not be in a position to audit the AI risk assessment process or the impact assessment process effectively. The standard requires competent auditors, and AI competence is part of that.
Our audit programme covers the integrated system across the year. AI-specific clauses get audited in the same cycle. We use the same internal auditors for the management system as for ISO 9001 and ISO 27001, with additional AI awareness training delivered before the AI clauses are audited. That gave us the competence we needed without bringing in external auditors.
Practical Compliance Guidance
The IMS1 Manual Section 5.4 Management System Audits/IMS1-5-3-Management System Audits sets out the procedure for planning and undertaking internal audits across the management system, including the AI-specific audit activity required by Clause 9.2. The internal audit schedule is the operational view of the audit programme, and the audit checklists provide the criteria against which AI processes are tested.
The following alphaZ documents support compliance with ISO 42001 Clause 9.2.
| alphaZ document | How to use it |
|---|---|
| ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including the P-120 AI Policy and the AI-specific registers, assessments and forms. |
| ER1 Issues and Actions Register | Records the audit findings and the corrective actions raised against them, providing the audit trail for closure of nonconformities under Clause 10.2. |
| F-Q3 Management Review | Provides the format for reporting audit results and trends to top management at the management review. |
Note - all the above files can be downloaded with an alphaZ subscription.
