Unorma

ISO 42001

ISO 42001 Audit: What Auditors Actually Look For

An inside look at what ISO 42001 auditors actually check during Stage 1 and Stage 2 audits, and the evidence that satisfies them versus what doesn't.

Zofia Kubiak
Zofia Kubiak

May 9, 2026 · 7 min read

ISO 42001

Auditors aren't grading how well-written your policies are — they're checking for specific evidence patterns that prove the AI management system actually operates. Here's what they check at each stage, and what commonly fails.

TL;DR

  • Stage 1 checks that required documentation exists and is internally consistent; Stage 2 checks that the AIMS is actually operating, not just documented.
  • Auditors specifically look for consistency between your Statement of Applicability and your actual registered AI systems.
  • Internal audit independence is checked closely — the same person shouldn't design and audit the same control.
  • Evidence of genuine operating history (training completions, management reviews, incident logs) matters more than polished policy writing.
  • The most common nonconformity is a Statement of Applicability that no longer reflects the organization's actual AI systems.

Two Stages, Different Focus

Stage 1Documentation reviewStage 2Operating evidence
Stage 1 checks the paperwork exists; Stage 2 checks it's actually being followed.

What Stage 1 Auditors Check

  • Does the AIMS scope statement match the organization's actual AI activities?
  • Is the AI policy signed off by top management, not just drafted?
  • Does the Statement of Applicability cover all 38 Annex A controls with clear inclusion/exclusion reasoning?
  • Are roles and responsibilities clearly assigned, not left implicit?

What Stage 2 Auditors Check

Evidence typeWhat auditors are verifying
Internal audit reportsThat an independent internal audit actually happened, with real findings
Management review minutesThat leadership actually reviewed the AIMS, not just delegated it entirely
Training recordsThat staff competence requirements were genuinely met, not just documented as a policy
Risk assessment records tied to specific systemsThat risk work is concrete, not generic organization-wide statements

Internal Audit Independence

Auditors specifically check whether the person who performed the internal audit is independent of the area being audited — a compliance lead auditing their own control implementation raises a flag, regardless of how thorough the audit report looks on paper.

The Most Common Nonconformity

A Statement of Applicability that no longer matches the organization's actual AI systems — written once during the initial project and never updated as systems were added, changed or retired. This single gap is responsible for a disproportionate share of audit findings.

Primary Sources

How Auditors Actually Sample Evidence

Auditors rarely review every single AI system in scope in exhaustive detail — they sample. That means a handful of systems, chosen either at random or because they look highest-risk, get checked in real depth, while others are spot-checked more lightly. The practical implication: every registered system needs to be audit-ready, not just the ones you expect the auditor to pick.

Preparing Your Team for Interview Questions

  • System owners should be able to explain their AI system's purpose and risk classification without prompting
  • The compliance lead should be able to walk through the Statement of Applicability control by control
  • Anyone involved in internal audit should be ready to describe specific findings, not just confirm the audit happened

How Surveillance Audits Differ From the Initial Certification Audit

Annual surveillance audits are narrower than the original Stage 1/Stage 2 pair — auditors typically sample a subset of clauses and controls each year rather than reviewing everything again, focusing especially on areas where changes have occurred since the last visit: new AI systems, updated risk assessments, or previous nonconformities. Organizations sometimes assume surveillance audits are a formality; auditors who find the AIMS has quietly stopped operating between visits can still suspend certification.

Where Unorma Fits

Evidence that stays current

Unorma’s evidence vault keeps the Statement of Applicability synchronized with your actual registered systems, and audit simulation previews likely auditor questions before the real audit. Read the full ISO 42001 requirements checklist for what auditors are checking against.

Frequently asked questions

What's the difference between Stage 1 and Stage 2 audits?

Stage 1 reviews whether required documentation exists and is internally consistent. Stage 2 checks for evidence the AIMS is actually operating — internal audits performed, reviews held, training completed.

What's the most common reason organizations get a nonconformity?

A Statement of Applicability that's drifted out of sync with the organization's actual AI systems, usually because it was written once and never updated.

Does the internal auditor need to be from outside the organization?

Not necessarily, but they need to be independent of the specific area being audited — the same person shouldn't design a control and then audit its effectiveness.

Does well-written policy documentation guarantee passing Stage 2?

No — Stage 2 specifically looks for evidence the policies are actually being followed in practice, not just that they exist and read well.

Do auditors review every AI system in scope in full depth?

No — they typically sample, checking a handful of systems in real depth while spot-checking others. Every system still needs to be audit-ready, since you don't control which ones get picked.

How should system owners prepare for auditor interviews?

They should be able to explain their system's purpose and risk classification without prompting, and anyone involved in internal audit should be ready to describe specific findings, not just confirm the audit took place.

Are annual surveillance audits less thorough than the initial certification audit?

They're narrower in scope — typically sampling a subset of clauses and controls rather than everything — but they can still suspend certification if the AIMS is found to have stopped operating between visits.

Can we ask the auditor which systems they'll sample in advance?

Generally no — auditors typically don't disclose their sampling selection ahead of time, which is exactly why every registered system needs to be audit-ready rather than just the ones you'd expect to be picked.

About the author

Zofia Kubiak
Zofia Kubiak

Compliance Specialist

Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.

View full profile