ISO 42001
ISO 42001 Audit: What Auditors Actually Look For
An inside look at what ISO 42001 auditors actually check during Stage 1 and Stage 2 audits, and the evidence that satisfies them versus what doesn't.
May 9, 2026 · 7 min read
ISO 42001
Auditors aren't grading how well-written your policies are — they're checking for specific evidence patterns that prove the AI management system actually operates. Here's what they check at each stage, and what commonly fails.
TL;DR
- Stage 1 checks that required documentation exists and is internally consistent; Stage 2 checks that the AIMS is actually operating, not just documented.
- Auditors specifically look for consistency between your Statement of Applicability and your actual registered AI systems.
- Internal audit independence is checked closely — the same person shouldn't design and audit the same control.
- Evidence of genuine operating history (training completions, management reviews, incident logs) matters more than polished policy writing.
- The most common nonconformity is a Statement of Applicability that no longer reflects the organization's actual AI systems.
Two Stages, Different Focus
What Stage 1 Auditors Check
- Does the AIMS scope statement match the organization's actual AI activities?
- Is the AI policy signed off by top management, not just drafted?
- Does the Statement of Applicability cover all 38 Annex A controls with clear inclusion/exclusion reasoning?
- Are roles and responsibilities clearly assigned, not left implicit?
What Stage 2 Auditors Check
| Evidence type | What auditors are verifying |
|---|---|
| Internal audit reports | That an independent internal audit actually happened, with real findings |
| Management review minutes | That leadership actually reviewed the AIMS, not just delegated it entirely |
| Training records | That staff competence requirements were genuinely met, not just documented as a policy |
| Risk assessment records tied to specific systems | That risk work is concrete, not generic organization-wide statements |
Internal Audit Independence
Auditors specifically check whether the person who performed the internal audit is independent of the area being audited — a compliance lead auditing their own control implementation raises a flag, regardless of how thorough the audit report looks on paper.
The Most Common Nonconformity
A Statement of Applicability that no longer matches the organization's actual AI systems — written once during the initial project and never updated as systems were added, changed or retired. This single gap is responsible for a disproportionate share of audit findings.
Primary Sources
- ISO — ISO/IEC 42001:2023
- NIST — AI Risk Management Framework
How Auditors Actually Sample Evidence
Auditors rarely review every single AI system in scope in exhaustive detail — they sample. That means a handful of systems, chosen either at random or because they look highest-risk, get checked in real depth, while others are spot-checked more lightly. The practical implication: every registered system needs to be audit-ready, not just the ones you expect the auditor to pick.
Preparing Your Team for Interview Questions
- System owners should be able to explain their AI system's purpose and risk classification without prompting
- The compliance lead should be able to walk through the Statement of Applicability control by control
- Anyone involved in internal audit should be ready to describe specific findings, not just confirm the audit happened
How Surveillance Audits Differ From the Initial Certification Audit
Annual surveillance audits are narrower than the original Stage 1/Stage 2 pair — auditors typically sample a subset of clauses and controls each year rather than reviewing everything again, focusing especially on areas where changes have occurred since the last visit: new AI systems, updated risk assessments, or previous nonconformities. Organizations sometimes assume surveillance audits are a formality; auditors who find the AIMS has quietly stopped operating between visits can still suspend certification.
Where Unorma Fits
Evidence that stays current
Frequently asked questions
What's the difference between Stage 1 and Stage 2 audits?
Stage 1 reviews whether required documentation exists and is internally consistent. Stage 2 checks for evidence the AIMS is actually operating — internal audits performed, reviews held, training completed.
What's the most common reason organizations get a nonconformity?
A Statement of Applicability that's drifted out of sync with the organization's actual AI systems, usually because it was written once and never updated.
Does the internal auditor need to be from outside the organization?
Not necessarily, but they need to be independent of the specific area being audited — the same person shouldn't design a control and then audit its effectiveness.
Does well-written policy documentation guarantee passing Stage 2?
No — Stage 2 specifically looks for evidence the policies are actually being followed in practice, not just that they exist and read well.
Do auditors review every AI system in scope in full depth?
No — they typically sample, checking a handful of systems in real depth while spot-checking others. Every system still needs to be audit-ready, since you don't control which ones get picked.
How should system owners prepare for auditor interviews?
They should be able to explain their system's purpose and risk classification without prompting, and anyone involved in internal audit should be ready to describe specific findings, not just confirm the audit took place.
Are annual surveillance audits less thorough than the initial certification audit?
They're narrower in scope — typically sampling a subset of clauses and controls rather than everything — but they can still suspend certification if the AIMS is found to have stopped operating between visits.
Can we ask the auditor which systems they'll sample in advance?
Generally no — auditors typically don't disclose their sampling selection ahead of time, which is exactly why every registered system needs to be audit-ready rather than just the ones you'd expect to be picked.
Key terms in this article
About the author

Compliance Specialist
Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.
View full profileKeep reading
More from the blog
AI Compliance Software
AI Compliance Software
What Is AI Compliance Software? A Complete Guide for 2026
AI compliance software turns scattered spreadsheets and PDFs into a live system of record for every AI system you build or use. Here's what it does, who needs it, and how to evaluate it.
EU AI Act
EU AI Act
EU AI Act Deadlines in 2026 and 2027: What the Digital Omnibus Actually Changed
In May 2026, EU lawmakers provisionally agreed to delay the AI Act's high-risk deadlines. Here's exactly what changed, what didn't, and what's legally binding today.
ISO 42001
ISO 42001
ISO 42001 Certification Requirements: The Complete Checklist
ISO 42001 has 10 clauses and 38 Annex A controls. This is the complete, plain-language checklist for what you actually need to have in place before your audit.