Audit Plan Template & Checklist (ISO 42001 §9.2 + NIST RMF)
Key takeaways
- Standardised audit plan ensures repeatable, defensible AIMS audits across products and teams.
- Evidence is linked via EV-IDs to your Technical Documentation File (TDF) and Risk/CAPA systems.
- Grading matrix drives proportional remediation, board reporting and post-market monitoring.
Purpose & objectives
Define an internal audit approach that validates AIMS effectiveness, control design/operation, and compliance with ISO 42001, NIST AI RMF, and EU/UK obligations. Objectives: (1) confirm conformity, (2) detect gaps, (3) drive continual improvement.
Audit plan structure
| Section | Description | Example Entry |
|---|---|---|
| Audit ID & Version | Unique ID, version, dates | AUD-42001-Q4-2025 v1.0 (19–22 Nov) |
| Objectives | What the audit will verify | Evaluate §6 Risk Mgmt, §8 Operation, PMM integration |
| Scope | Processes, units, products | AnswerBot v2.2 EU deployments; AIMS core processes |
| Criteria | Standards & policies | ISO 42001 §§4–10; NIST RMF; EU AI Act Annex IV |
| Team & Roles | Lead auditor, SMEs | Lead: Compliance Lead; SME: ML Ops, DPO |
| Methods | Interviews, sampling, tests | Document review, walkthroughs, record sampling |
| Schedule | Daily agenda | D1 plan; D2 fieldwork; D3 synthesis; D4 close-out |
| Deliverables | Outputs & audience | Audit report, NC log, CAPA plan → Board & Owners |
Scope & criteria
- Process scope: AIMS governance, risk, training/competence, lifecycle controls, logging/traceability, PMM.
- System scope: Model registry, datasets, pipelines, runtime logging, incident portal, CAPA tracker.
- Criteria: ISO 42001 §§4–10; NIST (Govern/Map/Measure/Manage); EU AI Act (Arts 9–15, Annex IV).
- Exclusions: Non-AI automation (RPA) unless feeding model decisions.
Sampling & methods
| Artefact Type | Sampling Rule | Minimum Sample | Notes |
|---|---|---|---|
| Policies/Procedures | Risk-based: critical first, then random 20% | ≥ 6 docs | Include Master AI Policy, Data Governance, IRP |
| Risk Records | Top 10 residual risks + 10% random | ≥ 15 items | Trace to EV-IDs & CAPA |
| Model Releases | Latest + 2 historical per product | ≥ 3 versions | Check lineage, evaluation, sign-offs |
| Runtime Logs | 1 month window; stratified by severity | ≥ 50 records | Verify Article 12 traceability |
| Incidents | All SEV-1/2 + 20% SEV-3 | All critical | Confirm RCA & CAPA closure |
Interview & walkthrough guide
- Leadership: Governance cadence, management review inputs/outputs, resources, KPIs.
- Data Science: Dataset provenance, bias testing, evaluation gates, release approvals.
- ML Ops/SRE: Deployment controls, rollback, observability, incident runbooks.
- Security: Threat modelling, vulnerability mgmt, pen-test outcomes, secrets handling.
- DPO/Legal: DPIAs, DSR handling, transparency notices, human oversight rights.
Evidence matrix & EV-IDs
| Criterion | Evidence (EV-ID) | Owner | Location |
|---|---|---|---|
| ISO §6.1 Risk Mgmt | EV-RMS-010 (Risk Register) | AI Risk Officer | Firestore / Drive |
| EU Annex IV Docs | EV-TDF-021 (Tech Doc File) | Compliance Lead | Drive / SharePoint |
| Logging Art.12 | EV-LOG-034 (Trace Logs) | ML Ops Lead | SIEM / Export |
NC grading & CAPA flow
- Minor NC: Localised deviation with low risk; corrective action ≤ 30 days.
- Major NC: Systemic or high-risk failure; action ≤ 10 days; management escalation.
- Critical NC: Immediate risk to safety/rights/compliance; halt, hotfix, board notification.
CAPA flow: Raise NC → assign owner & due date → root-cause analysis (5-Whys/Fishbone) → corrective + preventive actions → effectiveness check → closure with EV-ID evidence.
Templates & CSV schemas
A) Audit Plan Header (CSV headers)
Audit_ID,Version,Start_Date,End_Date,Objectives,Scope,Criteria,Lead_Auditor,Team,Methods,Schedule,Deliverables
B) Audit Fieldwork Notes (CSV headers)
Note_ID,Audit_ID,Process,Record_Sampled,Interviewee,Observation,Evidence_ID,Prelim_Rating,Followup
C) NC & CAPA Log (CSV headers)
NC_ID,Audit_ID,Clause,Description,Severity,Root_Cause,Corrective_Action,Preventive_Action,Owner,Due_Date,Status,Evidence_ID,Closure_Date
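As an added example (not part of this template), the check below reads an NC & CAPA Log in schema C and applies the grading rules above: Due_Date must fall within the severity's SLA measured from the audit plan's End_Date, and a row marked Closed must carry a Root_Cause, a Closure_Date and an Evidence_ID. The 0-day SLA for Critical, the EV-ID pattern and all sample rows are assumptions for illustration.

```python
import csv
import io
import re
from datetime import date

# Corrective-action SLAs from the NC grading rules (days after audit close-out).
# Treating "Critical: immediate" as a 0-day SLA is an assumption.
SLA_DAYS = {"Minor": 30, "Major": 10, "Critical": 0}
# Assumed EV-ID shape, modelled on the evidence matrix entries (EV-RMS-010, EV-TDF-021).
EV_ID = re.compile(r"^EV-[A-Z]{3}-\d{3}$")

# Constructed sample rows in the NC & CAPA Log schema; every value is hypothetical.
SAMPLE_LOG = """\
NC_ID,Audit_ID,Clause,Description,Severity,Root_Cause,Corrective_Action,Preventive_Action,Owner,Due_Date,Status,Evidence_ID,Closure_Date
NC-001,AUD-42001-Q4-2025,6.1,Two residual risks missing from register,Minor,Review cadence lapsed,Add risks,Quarterly register review,AI Risk Officer,2025-12-20,Closed,EV-RMS-010,2025-12-15
NC-002,AUD-42001-Q4-2025,8,Trace logs retained for 3 months only,Major,Retention misconfigured,Extend retention,Alert on quota,ML Ops Lead,2025-12-20,Open,,
NC-003,AUD-42001-Q4-2025,10.2,Prior CAPA closed without evidence,Minor,No closure gate,Attach evidence,Add closure check,Compliance Lead,2025-12-10,Closed,,
"""


def check_capa_log(csv_text: str, audit_end: str) -> dict[str, list[str]]:
    """Return {NC_ID: [findings]}; audit_end is the plan's End_Date in ISO format."""
    end = date.fromisoformat(audit_end)
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues: list[str] = []
        sev = row["Severity"]
        if sev not in SLA_DAYS:
            issues.append(f"unknown severity {sev!r}")
        else:
            due = date.fromisoformat(row["Due_Date"])
            if (due - end).days > SLA_DAYS[sev]:
                issues.append(f"Due_Date exceeds {sev} SLA of {SLA_DAYS[sev]} days")
        if row["Status"] == "Closed":
            # Closure requires RCA and linked EV-ID evidence (last step of the CAPA flow).
            if not EV_ID.match(row["Evidence_ID"]):
                issues.append("closed without a valid Evidence_ID")
            if not row["Closure_Date"]:
                issues.append("closed without Closure_Date")
            if not row["Root_Cause"]:
                issues.append("closed without Root_Cause")
        findings[row["NC_ID"]] = issues
    return findings


if __name__ == "__main__":
    for nc_id, issues in check_capa_log(SAMPLE_LOG, "2025-11-22").items():
        print(nc_id, "OK" if not issues else "; ".join(issues))
```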
Framework alignment
| Framework | Reference | Relevance |
|---|---|---|
| ISO/IEC 42001 | §9.2, §10.2 | Internal audits; non-conformity & corrective action. |
| NIST AI RMF | Measure • Manage | Performance evaluation & governance actions. |
| EU AI Act | Annex IV; Art 16 | Technical documentation; provider obligations. |
| UK DSIT AI Framework | Principle 6 | Accountability and assurance. |
Implementation checklist
- ✅ Audit Plan approved by Governance Board and scheduled in the IAEMS calendar.
- ✅ Sampling plan documented; evidence EV-IDs pre-collected where possible.
- ✅ Daily brief/close sessions defined with auditees and owners.
- ✅ NC grading rules communicated; CAPA workflow linked to Desk tickets.
- ✅ Final report delivered; follow-up audit logged with due dates.
© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 19 Nov 2025 • This page is general guidance, not legal advice.