UAF Accredited ISO 42001 Audit
ISO 42001 Audit Guide
The ISO 42001 Audit is the independent assessment that verifies your Artificial Intelligence Management System conforms to ISO/IEC 42001:2023. This guide explains Stage 1, Stage 2, surveillance, recertification, evidence review, sample questions, common findings, and preparation steps.
Book Your ISO 42001 Audit
Confirm audit dates, readiness, audit mode, and quotation within four business hours.
Audit Lifecycle
The four types of ISO 42001 audit
Across the certification lifecycle, your organisation undergoes four audit types (Stage 1, Stage 2, surveillance, and recertification), each with a different purpose, duration, and depth.
Stage 1 Audit
Stage 1 determines whether your AIMS documentation meets ISO/IEC 42001:2023 requirements and whether your organisation is ready for a meaningful Stage 2 audit.
Confirm AIMS scope is appropriate, clearly defined, and aligned to AI use cases
Verify that the AI Policy and AIMS Manual exist and meet ISO 42001 requirements
Review AI risk assessment methodology and the AI Risk Register
Examine the Statement of Applicability and Annex A control selection rationale
Identify major gaps that must be closed before Stage 2
Plan Stage 2 audit days, sampled sites, personnel interviews, and dates
Confirm regulatory and stakeholder requirements applicable to AI
Stage 2 Audit
Stage 2 verifies that the AIMS described in your documentation is implemented, effective, and consistently applied across the certified scope.
Opening meeting with senior management
Interviews with AIMS Manager, AI System Owners, Data and Privacy Lead, Information Security Lead, Ethics Lead, Internal Auditor, and operational teams
Walk-throughs of selected AI use cases from intent and design to deployment and monitoring
Sampling of model cards, risk treatments, incident logs, records, and corrective actions
Observation of operations, deployment pipelines, dashboards, or control rooms where applicable
Site sampling for multi-site organisations per IAF MD 1
Closing meeting with formal findings and certification recommendation
Audit Checklist
Top 30 areas TNV Global auditors examine
Leadership and Governance
Senior management commitment to AI governance
AI Policy aligned to strategy, ethics, and regulation
AIMS scope statement with clear boundaries
AI System Owners, Risk Owners, and Ethics Reviewers assigned
AI Steering Committee or governance forum records
AI Risk Management
AI risk assessment methodology documented and applied
AI Risk Register current and periodically reviewed
Risk treatment plans with owners, controls, dates, and status
AI Impact Assessment for high-risk use cases
Statement of Applicability justified against Annex A
AI Lifecycle Controls
AI Use Case Inventory includes internal and third-party AI or LLMs
AI development lifecycle controls from design to decommissioning
Data governance for sourcing, quality, labelling, lawful basis, and rights
Model validation for performance, fairness, and robustness
Deployment monitoring, drift detection, and version control
Orderly decommissioning of AI systems and data
Human Oversight, Ethics, Security
Human Oversight Procedure for high-impact AI decisions
AI Ethics Charter covering fairness, transparency, and accountability
Bias and fairness testing records with remediation actions
Explainability through model cards, decision logs, and user explanations
Security of AI assets, access control, encryption, and secure development
Privacy by design and third-party AI supplier due diligence
Operations and Management System Performance
AI incident logs, root cause analysis, and corrective actions
Change management for AI use cases and model updates
AI-specific awareness and training records
Internal audit programme, independence, findings, and follow-up
Management review outputs, decisions, and action items
Continual improvement and stakeholder communication records
Sample Questions
What to expect during auditor interviews
TNV Global auditors customise interview questions based on your AI scope, organisation, and risk profile.
Senior Management
"How does AI fit into your organisation's strategic objectives?"
"What are the top three AI-related risks the business is currently managing?"
"How do you ensure AI is developed and used ethically across the organisation?"
"What resources have you committed to AI governance?"
AI System Owners
"Tell me about this AI use case and who is impacted."
"Walk me through the risk assessment for this AI system."
"How is training data sourced, validated, and refreshed?"
"How do you test for bias and fairness?"
"Show me the most recent model performance monitoring report."
Data, Privacy, and Security Leads
"What is the lawful basis for processing personal data in AI training?"
"How are data quality controls applied to AI training datasets?"
"How are training data, model artefacts, and AI infrastructure secured?"
"What controls are in place against prompt injection or adversarial input?"
Internal Auditor
"Show me your internal audit programme for the AIMS."
"What were the most significant findings from the last internal audit?"
"How do you ensure auditor competence and independence?"
Findings
Audit findings and closure pathways
10 most common first-time audit findings
Incomplete AI Use Case Inventory, especially third-party LLMs used by staff
Generic risk register without AI-specific risks such as bias, hallucination, drift, prompt injection, or data poisoning
Statement of Applicability without justification for included or excluded controls
No documented Human Oversight Procedure for high-impact decisions
Missing bias and fairness testing records before deployment
Weak third-party AI risk management and supplier due diligence
AI incident management handled only as generic IT incidents
No recent internal AIMS audit or insufficient auditor independence
Management review without ISO 42001-specific inputs and outputs
No awareness training records for AI Policy and AIMS responsibilities
Preparation
Practical 30-day Stage 2 readiness checklist
Organisations that complete every item rarely receive Major non-conformities.
Documentation Readiness
AI Policy is signed by senior management and dated
AIMS Manual reflects current scope, AI use cases, and processes
AI Risk Register is current with AI-specific risks identified
Statement of Applicability is justified for every Annex A control
AI Use Case Inventory includes third-party AI and LLMs
Procedures are version-controlled and accessible to staff
Operational Readiness
Internal AIMS audit completed with findings closed or in progress
Management review meeting held with documented outputs
Bias and fairness testing records available for sampled AI use cases
Incident logs current and corrective actions documented
Training records current and awareness sessions delivered
Logistical Readiness
AIMS sponsor identified and available throughout the audit
AI System Owners briefed on audit schedule and interview timings
Evidence repository accessible to the auditor
Screen-sharing platform tested in advance for remote audits
Opening and closing meeting attendees confirmed, including senior management
FAQ
Frequently asked questions about ISO 42001 audits
What is an ISO 42001 Audit?
An ISO 42001 Audit is the independent assessment by an accredited certification body to verify that an organisation's AI Management System conforms to ISO/IEC 42001:2023.
What is the difference between Stage 1 and Stage 2 audits?
Stage 1 is a documentation review confirming AIMS readiness. Stage 2 verifies implementation and effectiveness through evidence, interviews, and sampling.
Who conducts ISO 42001 audits at TNV Global?
TNV Global audits are conducted by IRCA-qualified Lead Auditors with competence in AI, ML, information security, and management system auditing.
How long does an ISO 42001 audit take?
Stage 1 typically takes 1 to 3 audit days. Stage 2 typically takes 2 to 10+ audit days depending on organisation size, sites, and AI scope.
Can the ISO 42001 audit be conducted remotely?
Yes. TNV Global supports on-site, remote, and hybrid audit modes in accordance with IAF MD 4.
What does the auditor examine during the audit?
Auditors examine leadership, AI risk management, lifecycle controls, data governance, human oversight, ethics, security, incidents, internal audit, and management review.
What happens if the audit identifies non-conformities?
Findings are classified as Major NC, Minor NC, or Opportunity for Improvement. Major NCs must be closed before certificate issuance.
How can we prepare for the audit?
Complete documentation readiness, operational readiness, and logistical readiness before Stage 2, including internal audit and management review.
Is the audit confidential?
Yes. TNV Global auditors and the certification body are bound by ISO 17021-1 confidentiality requirements.
How do we book an audit?
Submit the form on this page, email admin@tnvglobal.com, or call +44 7877 901727 or +91 98380 70227.
