ISO 42001 Internal Audit: Step-by-Step Checklist for Australia

By Isaac Patturajan  ·  AI Governance ISO 42001

You’ve implemented ISO 42001. Your AI governance processes are documented, roles are assigned, and staff have been trained. Now comes the question that every organisation eventually faces: is any of this actually working?

That’s what an internal audit answers. ISO 42001 Clause 9.2 requires organisations to conduct regular audits of their AI management system to verify that it conforms to the standard and operates effectively in practice. For Australian organisations pursuing ISO 42001 certification, this isn’t optional—it’s a hard requirement. For those implementing ISO 42001 without pursuing formal certification, internal audits are the feedback loop that keeps your system from becoming stale documentation.

What ISO 42001 Clause 9.2 Actually Requires

Clause 9.2 is divided into two subsections: general requirements (9.2.1) and audit programme specifics (9.2.2).

At its core, Clause 9.2 mandates that you conduct internal audits at planned intervals to determine whether the AIMS (AI Management System) conforms to ISO 42001, conforms to your own documented requirements, and is effectively implemented and maintained. The standard doesn’t prescribe an exact frequency—that’s up to your organisation based on risk and maturity. A high-risk organisation using AI in critical decisions might audit quarterly; a lower-risk organisation might audit annually.

The audit programme must be documented: you need written procedures covering the audit scope, frequency, methods, auditor responsibilities, reporting protocols, and how you’ll follow up on findings. This documentation itself is often an audit finding—organisations skip it because it feels bureaucratic, then fail certification when the auditor discovers there was no formal audit plan.

Who Can Conduct an ISO 42001 Internal Audit

ISO 42001 requires auditors to demonstrate competence. This doesn’t mean they need to be external third-party auditors; internal staff can conduct internal audits if they have the right knowledge and training.

Auditor competency includes: understanding ISO 42001 requirements, knowledge of the organisation’s AI systems and governance, understanding of audit principles (objectivity, evidence-based assessment), and ideally some training in audit methodology. For many Australian organisations, a hybrid approach works: one or two internal people (compliance officer, governance lead) undergo ISO 42001 internal audit training, then conduct audits with support from external consultants on their first cycle.

Importantly, auditors should not audit areas they directly control. If the IT manager is responsible for data governance, they shouldn’t audit the data governance controls they implemented—that’s a conflict of interest. Independence strengthens the audit’s credibility.

The 6-Step ISO 42001 Internal Audit Process

A structured audit follows six distinct phases, each with its own deliverables and timeline.

Step 1: Audit Planning

Before you conduct a single interview, plan what you’re auditing. Define the scope: which AI systems, which business processes, which governance areas? What criteria will you use (ISO 42001, your own policies, regulatory obligations)? Create an audit schedule for the year covering all critical areas. Identify who will conduct audits and who will be interviewed.

Planning typically takes 1–2 weeks. You should have a written audit plan before you start.

Step 2: Document Review

Review your AI management system documentation: governance policies, risk registers, AI tool inventory, training records, incident reports, approval forms, audit logs. The goal is to understand your system on paper before you test it in practice. Ask: Is documentation current? Are procedures actually documented, or do people “just know” how to do things? Are there obvious gaps?

Document review typically takes 2–3 weeks and reveals the first round of findings (usually: outdated procedures, missing documentation, inconsistent naming conventions).

Step 3: Staff Interviews

Talk to people doing the work. Interview data scientists (how are AI models approved?), product managers (how do you handle AI risks?), compliance officers (how is training tracked?), finance (how are audits budgeted?). Use open-ended questions: “Walk me through how you’d get a new AI tool approved.” Listen for where people’s descriptions differ from documented procedures—that gap is gold.

Interviews typically take 2–4 weeks depending on organisation size. Plan 30–60 minute interviews with each key person.

Step 4: Evidence Collection

Don’t accept anecdotes. If someone says “All AI decisions are reviewed before deployment,” ask to see the evidence: the checklist, the sign-off form, the log of reviews. Evidence includes: completed risk assessments, approval emails, training attendance records, incident investigation reports, audit logs, tool inventory lists.

Evidence collection runs in parallel with interviews. You’re looking for objective proof that processes are being followed.

Step 5: Nonconformity Classification and Analysis

For each finding, classify it as Major, Minor, or Observation. A Major nonconformity is a systematic failure that affects core controls or indicates the AIMS isn’t operating as designed (example: no evidence that any AI systems have been risk-assessed). A Minor nonconformity is an isolated gap that doesn’t affect the overall integrity of the system (example: one AI tool approval was missing from the sign-off log). An Observation is an opportunity for improvement without being technically noncompliant (example: risk registers could be more detailed).

Only Major nonconformities prevent certification. Minor nonconformities require corrective actions to address root causes.

Step 6: Report and Corrective Action Planning

Document findings in a formal audit report including: executive summary, audit scope and methodology, findings (classified as Major/Minor/Observation), evidence, risk impact, and required corrections with deadlines. Management typically has 30 days to respond with a corrective action plan (CAP) explaining how they’ll fix each issue.

The report should be constructive: explain not just what’s wrong, but what good compliance would look like. This report becomes your roadmap for the next audit and your evidence of due diligence if regulators ever ask.

15-Point ISO 42001 Internal Audit Checklist

Use this checklist to structure your audit and ensure you’re covering the scope of ISO 42001. The checklist translates Clause 9.2 requirements into concrete questions you’ll answer during the audit.

Governance and Scope
1. Is there a current, documented AI management system scope? Does it cover all AI systems in the organisation?
2. Are governance roles and responsibilities clearly assigned and understood by staff?
3. Is there documented evidence that management reviews the AIMS (at least annually)?

Risk Management and Controls
4. Are all significant AI systems included in a risk register with documented risk assessments?
5. Are controls documented for each identified risk? Can you see evidence they’re being applied?
6. Are there documented procedures for approving new AI systems before deployment?
7. Is there a data governance policy governing personal information in AI systems?

Monitoring and Incident Response
8. Are there documented audit logs or monitoring evidence showing AI systems are performing as intended?
9. Is there an incident reporting process? Can you find evidence of incident records?
10. Are incidents investigated and corrective actions documented?

Training and Competency
11. Is there documented evidence that staff have received training on AI governance relevant to their roles?
12. Are competency requirements defined for roles that make AI decisions or manage AI systems?

Audit Program and Improvement
13. Is there a documented internal audit plan covering the scope of the AIMS?
14. Are previous audit findings tracked and corrective actions verified?
15. Is there evidence that the AIMS has been updated based on audit findings, incidents, or regulatory changes?

Score each question Yes/No, then dive deeper on the No responses. Those are your audit findings.

Common Audit Findings in Australian Organisations

Across dozens of ISO 42001 audits, the same patterns emerge in what Australian organisations typically miss.

Finding 1: Incomplete AI System Inventory. Organisations often undercount their AI systems. RPA tools, spreadsheet macros, vendor-provided algorithms, and tools brought in by individual teams aren’t included in the official inventory. The result: undocumented AI systems operate without risk assessment or controls. Fix: Conduct a systematic inventory including all forms of AI, not just large language models.

Finding 2: Risk Register Without Teeth. Many organisations have a risk register, but it’s disconnected from reality. Documented risks don’t match what auditors observe in practice; controls are listed but not visibly implemented. Fix: Make risk registers iterative. Update them when new systems are introduced or incidents occur. Link risk register entries to actual control evidence (audit logs, approval forms, etc.).

Finding 3: Training Without Verification. Staff receive AI governance training, but there’s no mechanism to verify they understood it or are applying it. Fix: Document training attendance with names and dates. Periodically test that people remember and follow what they learned. Training is only effective if it changes behaviour.

Finding 4: Outdated Procedures. AI governance procedures are written once, then never updated. They reference tools the organisation no longer uses or approval processes that were changed informally. Fix: Assign someone to review and update procedures annually (treat it like a board-approved policy review).

Preparing for Your First ISO 42001 Internal Audit

If you’re implementing ISO 42001 and haven’t yet conducted an internal audit, here’s how to prepare.

Month 1: Build your audit plan (scope, schedule, auditor assignment).
Month 2: Review your documentation and tidy it up (outdated procedures will just create findings).
Month 3: Conduct the audit itself.
Month 4: Management responds with corrective action plans.
Months 5–6: Verify corrective actions are implemented.

Expect the audit to produce findings—that’s the point of the exercise. The organisations that succeed are the ones that treat findings as learning opportunities, not failures. An audit with zero findings often indicates you’re not auditing rigorously enough.

Frequently Asked Questions

Q: How often should we conduct internal audits?

A: ISO 42001 requires planned intervals based on risk. Most organisations audit annually; high-risk or rapidly changing organisations might audit twice yearly. Your first audit can be comprehensive (covering all scope); subsequent audits can focus on areas that changed or had findings.

Q: Can we conduct audits every two years instead of annually?

A: You can, but external auditors (for certification) often view longer gaps as a risk. Annual audits demonstrate commitment to continuous improvement. If budget is constrained, consider auditing critical areas annually and less critical areas every two years.

Q: What if we find a major nonconformity before certification? Does that delay certification?

A: Yes. A major nonconformity indicates the AIMS isn’t functioning as designed. You must implement and verify the corrective action before certification can proceed. This is actually healthy—it means the audit caught a real problem before it became a regulatory issue.

The Audit: Your System’s Health Check

An ISO 42001 internal audit is like a medical checkup for your AI governance. It identifies what’s working, what’s broken, and what needs attention. The audit itself doesn’t fix problems—but it creates the visibility and accountability to drive fixes.

The organisations that mature fastest on ISO 42001 are the ones that treat audits as continuous feedback, not once-yearly compliance box-ticking. Each audit informs the next; each finding drives improvement.

Ready to conduct your first ISO 42001 internal audit, or to improve your audit process? Anitech can help you plan, conduct, and act on audit findings. Contact us or book a consultation to discuss your audit readiness and build a robust audit programme that drives genuine improvement.

Tags: ai governance audit, ai management audit, ISO 42001 audit checklist, ISO 42001 australia, ISO 42001 internal audit
