ISO 42001 Audit: Internal, Stage 1 and Stage 2 Explained

ISO 42001 Audit Process

The ISO 42001 audit process is the mechanism through which your AI management system is independently verified — both by your own internal audit team and by an accredited third-party certification body. Understanding how the ISO 42001 audit works, what auditors look for at each stage, and how to prepare your organisation effectively is essential for any business pursuing AI management system certification. A poorly prepared organisation can spend months building a solid AIMS and still face avoidable nonconformities because the audit process itself was misunderstood.

The ISO 42001 audit framework has three distinct components. First, the internal audit — a mandatory self-assessment conducted before any external certification body arrives. Second, the Stage 1 documentation review — an initial desk-based assessment by the certification body of your AIMS documentation. Third, the Stage 2 on-site audit — the full operational verification that your AIMS is genuinely working in practice. According to the official ISO standard publication, each component serves a different purpose and requires different preparation. Treating them as a single event is one of the most common mistakes organisations make when approaching certification.

This article walks through every component of the ISO 42001 audit process in detail — explaining what each stage involves, how auditors think, what evidence is expected, and how to prepare your team for a smooth certification outcome.

TL;DR:

Concern: Organisations that misunderstand the ISO 42001 audit process face avoidable nonconformities, delayed certification, and wasted remediation effort — see the full framework at our ISO 42001 certification hub.
Overview: The ISO 42001 audit process has three components — a mandatory internal audit, a Stage 1 documentation review, and a Stage 2 on-site operational audit — each requiring distinct preparation and producing different outputs.
Solution: CertPro CPA LLC prepares organisations for all three audit components — including internal audit facilitation, Stage 1 documentation review support, and Stage 2 pre-audit readiness assessments.

ISO 42001 Audit Process — Overview

| Audit Component | Conducted By | Purpose | Typical Timing |
|---|---|---|---|
| Internal audit | Organisation (independent of area audited) | Self-assess AIMS conformance and identify gaps | Before Stage 1 |
| Stage 1 | Accredited certification body | Documentation review: verify AIMS design meets standard requirements | 4–8 weeks before Stage 2 |
| Stage 2 | Accredited certification body | Operational audit: verify AIMS is genuinely working in practice | After Stage 1 clearance |
| Surveillance audit (Year 1 & 2) | Accredited certification body | Verify continued AIMS conformance and genuine improvement | Annually post-certification |
| Recertification (Year 3) | Accredited certification body | Full reassessment for certificate renewal | 3 years after initial certification |

The ISO 42001 Internal Audit: Purpose and Requirements

The ISO 42001 internal audit is a mandatory requirement under Clause 9.2 of the standard. Its purpose is to provide the organisation with an independent, systematic assessment of whether the AIMS conforms to the standard’s requirements and is operating effectively. Critically, the internal audit must be completed before the certification body’s Stage 1 visit — it is not an optional pre-certification activity but a core AIMS requirement in its own right.

The internal audit serves two functions simultaneously. First, it gives the organisation an opportunity to identify and remediate gaps before external auditors arrive — reducing the likelihood of major nonconformities during certification. Second, it demonstrates to external auditors that the organisation has a functioning AIMS self-assessment capability — which is itself a certification requirement.

Scope and Coverage of the Internal Audit

The ISO 42001 internal audit must cover the full scope of the AIMS — every clause of the standard, every Annex A control within scope, every business unit and location included in the AIMS boundaries, and every AI system governed by the management system. Partial internal audits that cover only selected areas create gaps that external auditors will identify and question.

Internal Auditor Independence Requirements

A critical requirement of the ISO 42001 internal audit is auditor independence. Internal auditors must not audit their own work. There are several approaches to meeting this requirement: staff from other business units can audit AIMS elements outside their own area of responsibility, external support can be engaged to conduct or support the internal audit, or a cross-functional internal audit team can be structured so that each area is audited by someone from a different function. What is not acceptable is having the person who wrote a policy audit their own compliance with that policy.

Internal Audit Report Requirements

The ISO 42001 internal audit must produce a formal audit report that records the audit scope, audit criteria, methodology, findings, nonconformities identified, and recommended corrective actions. This report becomes part of the AIMS documented evidence base and is reviewed by external auditors during Stage 1. Each nonconformity in the internal audit report must be tracked through to closure — with documented corrective actions, evidence of implementation, and effectiveness verification. Open nonconformities that have not been addressed before Stage 1 will be picked up by external auditors and may escalate to major nonconformity status.

The ISO 42001 Stage 1 Audit: Documentation Review

The Stage 1 ISO 42001 audit is conducted by the accredited certification body and typically takes place remotely. Its primary purpose is to review your AIMS documentation and verify that the documented system meets the standard’s requirements before committing to a full Stage 2 operational audit.

Stage 1 is not a rubber stamp. According to BSI’s AI management system guidance, Stage 1 findings that reveal fundamental documentation gaps will result in Stage 2 being postponed until remediation is complete.

What Auditors Check During Stage 1

  • AI Policy — Present, approved at senior leadership level, containing all mandatory elements, communicated to relevant staff, and reviewed within the required schedule
  • AIMS Scope Statement — Clearly defines AIMS boundaries, justifies any significant exclusions, and is consistent with the documented risk assessment
  • AI Risk Register — Contains identified risks relevant to the AI systems within scope, with assessed likelihood and impact, and planned treatment actions
  • Statement of Applicability — Covers every Annex A control, provides applicability determinations with justifications, and is consistent with the risk treatment plan
  • AI Objectives — Documented, measurable, consistent with the AI policy, and accompanied by plans for achievement and monitoring
  • Internal Audit Report — Complete, covers the full AIMS scope, identifies findings and nonconformities, and shows corrective action tracking
  • Management Review Records — Documents that a formal management review has been conducted covering the required agenda items and producing documented outputs

Stage 1 Findings and Their Implications

Stage 1 audit findings fall into three categories. Observations are minor points that auditors note but that do not prevent progression to Stage 2. Minor nonconformities are gaps that must be addressed but can be remediated after Stage 2 commences. Major nonconformities are fundamental compliance gaps that must be resolved and evidenced before Stage 2 can be scheduled.

Organisations that have conducted a thorough internal audit before Stage 1 and addressed all internal findings typically receive clean or near-clean Stage 1 outcomes. Those who proceed to Stage 1 without completing the internal audit process — or with unresolved internal audit findings — regularly encounter major nonconformities that delay certification by weeks or months.

The ISO 42001 Stage 2 Audit: Operational Verification

The Stage 2 ISO 42001 audit is the full certification audit — the point at which the certification body verifies that your AIMS is genuinely operational, not just documented. Stage 2 is where the real work of certification is assessed, and it is where organisations that have built documentation without operational implementation consistently run into significant problems.

Stage 2 audits are typically conducted on-site — though remote options are increasingly accepted. The audit duration depends on organisation size and scope complexity, ranging from one day for small, single-site organisations to a week or more for large, multi-site enterprises with complex AI operations.

How Stage 2 Auditors Think

Auditors are trained to verify that controls are genuinely operating — not just described in policy documents. Their core methodology involves three activities: document review, process observation, and staff interviews.

Document review at Stage 2 focuses on operational records — monitoring logs, incident records, risk register updates, change control documentation, training completion records, and corrective action evidence. Policies without supporting operational records do not satisfy Stage 2 requirements. Process observation involves auditors watching operational processes — how AI systems are monitored, how human oversight is applied, how AI-related incidents are detected and escalated. If the documented process does not match what auditors observe in practice, a nonconformity is raised regardless of how well the documentation is written.

Staff Interviews During Stage 2

Staff interviews are one of the most powerful audit tools used during Stage 2. Auditors interview people at multiple levels — from leadership to operational staff — to verify that AI governance awareness is genuine, that staff understand their AIMS responsibilities, and that the governance described in documentation reflects actual practice.

Common staff interview questions include: What is the AI policy and what does it mean for your work? How do you identify and report AI-related incidents? What human oversight processes apply to the AI systems you work with? When did you last receive training on AI governance? What would you do if you noticed an AI system producing unexpected outputs?

Organisations that brief staff on the existence of policies without ensuring genuine understanding consistently receive interview-based findings. Effective preparation means running awareness sessions before Stage 2, not just distributing documentation and hoping staff read it.

AI System Evidence Review

A significant portion of Stage 2 audit time is spent reviewing AI system-specific evidence — the documentation and operational records that demonstrate lifecycle controls are genuinely implemented for each AI system within scope. Auditors will typically select a sample of AI systems and examine the complete governance evidence trail for each, looking for: documented objectives and requirements, data governance records, development methodology documentation, validation test plans and results, operational procedures, monitoring records, and incident response records.

How to Prepare Your Team for the ISO 42001 Audit

Six to Eight Weeks Before Stage 1

Conduct a pre-Stage 1 readiness review — a structured assessment of your AIMS documentation completeness against a Stage 1 checklist. Every mandatory document should be present, current, approved, and consistent with every other document in the AIMS. Our readiness assessment guide provides a detailed framework for this review. Address any documentation gaps identified before Stage 1, and ensure the internal audit has been completed with all findings addressed.

Four to Six Weeks Before Stage 2

Run a pre-Stage 2 operational readiness check — verify that operational records for every AI system within scope are current and complete. Review monitoring logs, incident records, training completion evidence, and change control documentation. Identify any gaps and address them before the audit date.

Additionally, brief relevant staff at all levels on the audit process, their roles during staff interviews, and the key governance principles they should be able to articulate. Briefings should focus on genuine understanding, not scripted answers — auditors probe for depth and will follow up on rehearsed responses.

During the Audit

Provide auditors with efficient access to documentation and relevant staff. Designate an audit liaison whose sole responsibility during the audit is to coordinate information flow between the audit team and your organisation. When auditors identify potential findings, engage constructively rather than defensively — acknowledge findings calmly, request clarity on what evidence would resolve the concern, and commit to addressing identified gaps systematically.

ISO 42001 Surveillance Audits and Recertification

The ISO 42001 audit cycle does not end at initial certification. After receiving your certificate, your organisation enters a three-year surveillance cycle that includes annual surveillance audits and a full recertification audit at the end of year three.

Surveillance audits are shorter than the initial Stage 2 audit — typically covering a subset of the full AIMS scope, focusing on areas where findings were raised during the previous audit and verifying that continual improvement is genuine. In practice, organisations that treat their AIMS as a live, operational governance system — updating risk registers, conducting internal audits, running management reviews, and addressing corrective actions promptly — consistently pass surveillance audits without significant findings.

Recertification at year three covers the full AIMS scope and is similar in scope to the original Stage 2 audit. Organisations that have maintained their AIMS consistently through the three-year cycle find recertification straightforward.

For a full walkthrough of the ISO 42001 certification timeline from initial engagement through recertification, see our certification process guide. For help understanding what Annex A controls auditors examine most closely, see our Annex A controls breakdown.

Common ISO 42001 Audit Findings and How to Avoid Them

  • Incomplete Statement of Applicability — Missing controls, unjustified exclusions, or inconsistency between the SoA and the risk treatment plan. Resolve by reviewing every Annex A control systematically and cross-checking SoA selections against the risk register.
  • No operational evidence for documented controls — Policies and procedures that describe controls without supporting operational records. Resolve by verifying that every documented control has current, retrievable evidence of operation before Stage 2.
  • Staff unaware of AI governance responsibilities — Staff who cannot articulate their AIMS responsibilities during interviews. Resolve with structured awareness sessions before Stage 2, not just policy distribution.
  • Monitoring without documented thresholds — AI systems monitored informally without defined performance thresholds or documented response procedures. Resolve by documenting monitoring metrics, thresholds, and escalation procedures for every AI system in scope.
  • Management review not conducted — No documented management review before Stage 1. Resolve by scheduling and completing a formal management review with documented agenda, attendees, outputs, and action log.

Prepare for Your ISO 42001 Audit with CertPro

CertPro CPA LLC prepares organisations for every stage of the ISO 42001 audit process — from internal audit facilitation and Stage 1 documentation review support to Stage 2 pre-audit readiness assessments and staff briefings. Contact us to discuss your audit preparation needs.


FAQ

What is the difference between an ISO 42001 internal audit and Stage 2?

An internal audit is conducted by your own organisation before the certification body arrives — its purpose is to self-assess AIMS conformance and identify gaps before external scrutiny. Stage 2 is conducted by an accredited third-party certification body and is the formal verification that determines whether your organisation receives certification. Both are mandatory, but they serve different purposes in the overall audit process.

Can the same person conduct the internal audit and manage the AIMS?

No. Internal auditors must be independent of the areas they audit. A person cannot audit their own work. In practice, this means using staff from other functions, engaging external support for part of the programme, or structuring a cross-functional team so that each area is audited by someone from a different part of the organisation.

How long does a Stage 2 ISO 42001 audit take?

Stage 2 audit duration depends on organisation size and AIMS scope complexity. Small organisations with a focused single-site scope typically face a one- to two-day Stage 2 audit. Mid-sized organisations with multiple business units typically require two to three days. Large enterprises with complex, multi-site AI operations can require a week or more of audit time spread across multiple visits.

What happens if we receive a major nonconformity during Stage 2?

A major nonconformity means certification cannot be granted until the issue is resolved. The certification body will specify the finding clearly and allow a defined remediation period — typically 30 to 90 days. After remediation, you must submit evidence of corrective action to the certification body. Depending on the nature of the finding, a follow-up audit visit may be required to verify that remediation is effective before certification is granted.

How do surveillance audits differ from the initial Stage 2 audit?

Surveillance audits are shorter and more focused than the initial Stage 2 audit. They typically cover a subset of the full AIMS scope, prioritising areas where findings were raised in previous audits and verifying that continual improvement activities are genuine. They do not require the same level of preparation as the initial certification audit, but organisations must demonstrate ongoing AIMS operation — current risk registers, recent internal audits, and up-to-date corrective action records.

Does CertPro facilitate internal audits for ISO 42001?

Yes. CertPro CPA LLC provides internal audit facilitation services for ISO 42001 AIMS, including audit planning, independent audit execution across all AIMS clauses and Annex A controls, findings documentation, corrective action tracking, and pre-Stage 1 readiness review. Our licensed CPA auditors bring the independence and rigour that internal audit requirements demand.
