Internal Audit & Evidence Management (EU/UK aligned)

Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 07 Nov 2025 • www.zenaigovernance.com

Internal Audit & Evidence Management (ISO/IEC 42001:2023)

Key takeaways
  • Internal audits confirm whether your AIMS is implemented and effective, not just documented.
  • Audits must be risk-based, impartial, and include traceable evidence linking findings to controls and requirements.
  • Evidence management must ensure records are authentic, accessible, and immutable during and after audits.

Overview & objectives

Internal audit is a systematic, independent, and documented process to assess whether the AI Management System (AIMS) conforms to ISO/IEC 42001 requirements and internal policies. It identifies strengths, weaknesses, and opportunities for continual improvement. Audits must be objective, repeatable, and produce defensible evidence suitable for external certification audits.

Audit programme structure

  • Annual Plan: Cover all AIMS clauses (context, risk, operation, performance, improvement) across a 12-month cycle.
  • Frequency: Quarterly or risk-based; more frequent for high-risk AI systems or newly implemented processes.
  • Auditor independence: Auditors must not audit their own work; consider cross-team or external support.
  • Risk weighting: Prioritise critical AI systems, new deployments, and known areas of regulatory exposure (e.g., high-risk under EU AI Act).

Planning & scope definition

  • Define scope: AI services, processes, departments, or vendors to be audited.
  • Inputs: Risk register, incidents, CAPA logs, management review outputs, external requirements.
  • Outputs: Audit plan, team assignment, checklist, sampling strategy, and expected deliverables.
  • Audit criteria: ISO/IEC 42001 clauses, internal policies, legal overlays (EU/UK), and specific control objectives.

Audit checklists & sampling

Audit checklists should link each ISO/IEC 42001 clause or control to the relevant evidence and test steps. Sampling must cover both policy documentation and operational records, so that the audit tests what is done, not only what is written.

  • Clause coverage: 4–10 (context, leadership, planning, support, operation, performance, improvement).
  • Sampling: randomised selection of risk logs, incident reports, training records, CAPA tickets, oversight logs, and supplier due-diligence (DD) reports.
  • Traceability: each finding references a document ID, evidence link, or record screenshot.
  • Checklists: living documents stored in version control or audit management tools (e.g., Zoho WorkDrive, Notion, Confluence).

Conducting the audit

  • Opening meeting: confirm objectives, scope, schedule, and confidentiality expectations.
  • Audit execution: interviews, record reviews, walk-throughs, sampling, and validation of corrective actions.
  • Recording findings: fact-based, concise, objective. Capture evidence identifiers (file name, URL, screenshot ID).
  • Closing meeting: summarise nonconformities (NCs), observations, and recommendations; agree on CAPA owners and timelines.

Findings, reporting & grading

Reports must classify findings to reflect risk severity and required action. A balanced report also highlights good practices to support continual improvement.

  • Grading:
    • Major NC: absence or complete failure of a process or control; immediate CAPA required.
    • Minor NC: isolated lapse; CAPA within 30 days.
    • Observation: potential improvement or risk of future nonconformity.
    • Positive note: demonstration of effective or innovative control.
  • Distribution: AIMS Manager, Authorising Officer, process owners; share summary in management review.
  • Retention: minimum 3 years or as defined by AIMS retention policy.

Evidence collection & control

Evidence is the foundation of audit credibility. It must be authentic, retrievable, and tamper-evident.

  • Sources: signed policies, risk logs, meeting minutes, screenshots, dashboards, audit trails, version-controlled files.
  • Evidence Index: maintain master log with ID, owner, type, date, link, and classification (confidential/public).
  • Access control: restrict edit rights; immutable audit snapshot per audit cycle.
  • Storage: encrypted drives (Zoho WorkDrive, SharePoint, S3 with retention lock).
  • Format: PDFs, screenshots, exports with checksums; avoid editable formats as final evidence.

Nonconformities & CAPA

  • Root cause analysis: 5 Whys, fishbone, or fault-tree method; classify by process, people, system, or governance cause.
  • Action plan: corrective (fix issue) + preventive (prevent recurrence); each with owner, target date, verification method.
  • Tracking: CAPA register linked to NC ID and evidence of closure (screenshots, re-audit results).
  • Verification: re-audit after CAPA closure to confirm sustained effectiveness.

Tools & templates

Template — Audit Plan
Audit Plan — Internal Audit Cycle 2025-Q4
Scope: AIMS clauses 6–10 (risk, operation, performance, improvement)
Objectives:
  - Verify implementation of AI risk controls.
  - Validate post-market monitoring and CAPA evidence.
  - Confirm traceability between policies, procedures, and records.
Team: Lead Auditor (Jane Doe), SME (John Smith)
Schedule: 2025-11-14 to 2025-11-18
Deliverables: Audit Report, NC Register, CAPA Tracker Update
  
Template — Evidence Register Fields
  • ID, Evidence Type, Description, Clause Ref, Source Location, Owner
  • Date Collected, Audit Cycle, Hash/Checksum, Reviewer
  • Classification (Public/Internal/Confidential)
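The "Evidence collection & control" section asks for tamper-evident, immutable evidence with checksums, and the register template above carries a Hash/Checksum field. The script below is an added illustration of how those two requirements fit together; it is example code, not a tool from Zen AI Governance or any audit platform. It assumes the register fields listed above, stores a SHA-256 checksum per record at collection time, and hash-chains the rows into a single snapshot digest that can be filed with the audit report. The `verify` step then detects a modified evidence file, a missing file, or an edited register row. Evidence bytes, IDs and `workdrive://` locations are constructed sample data.

```python
"""Tamper-evident Evidence Register: per-record SHA-256 checksums plus a
hash-chained snapshot of the register itself, so that any post-audit change
to a record or to an evidence file is detectable. Example code, not the
page author's tooling. All evidence contents and IDs are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

# Constructed sample evidence keyed by Source Location. In practice these are
# the bytes of the final-form artefact (PDF, screenshot, export), not an
# editable working copy.
SAMPLE_EVIDENCE: Dict[str, bytes] = {
    "workdrive://aims/policies/ai-risk-policy-v3.pdf": b"AI Risk Policy v3 (signed)",
    "workdrive://aims/logs/risk-register-2025-q3.csv": b"id,risk,owner\nR-12,model drift,ML lead\n",
    "workdrive://aims/capa/CAPA-0042-closure.png": b"\x89PNG constructed screenshot bytes",
}


@dataclass
class EvidenceRecord:
    """One row of the Evidence Register (fields from the template)."""
    id: str
    evidence_type: str
    description: str
    clause_ref: str
    source_location: str
    owner: str
    date_collected: str
    audit_cycle: str
    checksum: str        # SHA-256 of the evidence bytes at collection time
    reviewer: str
    classification: str  # Public / Internal / Confidential


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(fields: dict, content: bytes) -> EvidenceRecord:
    """Create a register row, deriving the checksum from the actual bytes
    rather than trusting a value typed in by hand."""
    return EvidenceRecord(checksum=sha256_hex(content), **fields)


def snapshot_hash(register: List[EvidenceRecord]) -> str:
    """Chain the rows in order: each digest covers the previous digest plus
    the canonical JSON of the row, so inserting, deleting or editing any row
    changes the final value. File this digest with the audit report or in a
    write-once location; it is the immutable snapshot for the cycle."""
    chain = ""
    for rec in register:
        row = json.dumps(asdict(rec), sort_keys=True, separators=(",", ":"))
        chain = sha256_hex((chain + row).encode())
    return chain


def verify(register: List[EvidenceRecord], expected_snapshot: str,
           current_contents: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means the register and every
    referenced evidence file still match what was captured at audit time."""
    problems: List[str] = []
    if snapshot_hash(register) != expected_snapshot:
        problems.append("register snapshot mismatch (rows edited/added/removed)")
    for rec in register:
        content = current_contents.get(rec.source_location)
        if content is None:
            problems.append(f"{rec.id}: evidence missing at {rec.source_location}")
        elif sha256_hex(content) != rec.checksum:
            problems.append(f"{rec.id}: checksum mismatch (evidence modified)")
    return problems


def build_sample_register() -> List[EvidenceRecord]:
    """Three constructed rows covering the audit plan's clause range."""
    common = dict(date_collected="2025-11-14", audit_cycle="2025-Q4",
                  reviewer="Lead Auditor", classification="Confidential")
    rows = [
        ("EV-001", "Signed policy", "AI risk policy v3", "6.1",
         "workdrive://aims/policies/ai-risk-policy-v3.pdf", "AIMS Manager"),
        ("EV-002", "Risk log export", "Risk register Q3 2025", "6.1.2",
         "workdrive://aims/logs/risk-register-2025-q3.csv", "Risk Owner"),
        ("EV-003", "Screenshot", "CAPA-0042 closure in tracker", "10.2",
         "workdrive://aims/capa/CAPA-0042-closure.png", "Process Owner"),
    ]
    return [
        collect(dict(id=i, evidence_type=t, description=d, clause_ref=c,
                     source_location=s, owner=o, **common), SAMPLE_EVIDENCE[s])
        for i, t, d, c, s, o in rows
    ]


if __name__ == "__main__":
    register = build_sample_register()
    snapshot = snapshot_hash(register)
    print("snapshot:", snapshot)
    print("clean:", verify(register, snapshot, SAMPLE_EVIDENCE))
    # Simulate someone re-exporting the risk log after the audit closed.
    edited = dict(SAMPLE_EVIDENCE)
    edited["workdrive://aims/logs/risk-register-2025-q3.csv"] = b"id,risk,owner\n"
    print("after edit:", verify(register, snapshot, edited))
```

In use, the snapshot digest is what the "immutable audit snapshot per audit cycle" bullet refers to: it is small enough to paste into the audit report or to store under retention lock, and re-running `verify` at the next cycle (or during an external certification audit) shows whether the evidence set is still the one the findings were based on.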

Integration with AIMS & management review

  • Audit outcomes feed directly into management review inputs (clause 9.3).
  • Link NCs and CAPA progress to risk and performance dashboards.
  • Use audit results to recalibrate training, risk appetite, and oversight procedures.
  • Share audit summaries with the Oversight Board to ensure transparency.

KPIs & metrics

  • Audit completion rate: % of planned audits executed.
  • NC closure time: median days to close NCs.
  • Repeat findings: % of NCs recurring within 2 cycles.
  • Evidence retrieval SLA: average time to locate a requested record.
  • CAPA effectiveness: % of CAPA verified as effective post-closure.

Implementation checklist

  • Annual audit programme approved and communicated.
  • Auditors trained and independent of audited areas.
  • Checklists mapped to ISO/IEC 42001 clauses.
  • Evidence Register maintained with immutable records.
  • Audit reports issued, reviewed, and archived with NC/CAPA linkage.
  • Metrics reviewed in management meetings; continual improvement actions logged.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 07 Nov 2025 • This page is general guidance, not legal advice.
