Brochures

The ISO 42001 Audit: What Auditors Look For

Zertia Team · 6 min read
Share

Most preparation guides for ISO 42001 audits are written from the inside out: “here is what you need to prepare.” This one is written from the outside in: “here is what an auditor actually looks for when they walk into your organization.”

The shift in perspective changes what you prioritize. It reveals where organizations most often trip up, and why auditors consistently find issues in the same five or six places across very different companies.

## The common belief

The default mental model of an audit is a checklist exercise. The auditor has a list of requirements. You have a list of documents. The auditor confirms each requirement is addressed by a corresponding document. The audit ends when every box is ticked.

That mental model produces binders of policies that pass on paper and collapse in interview. A competent auditor does not read your policy to check it exists. They read it to decide what questions to ask your people.

## What auditors actually look for

An ISO 42001 audit is structured around a simple question applied at every clause and control: “Is this system real?” Reality is tested through three layers, in roughly this order.

### Layer 1: Design

Does the management system exist on paper? Policies, procedures, scope, objectives, roles, controls. This is the quickest layer to assess and the easiest to pass. Most organizations get here without difficulty.

### Layer 2: Deployment

Has the designed system actually been rolled out to the people who are supposed to operate it? Do AI use-case owners know the intake process exists? Do data scientists know the bias testing expectation? Do operators of deployed AI systems know the monitoring they are supposed to perform? This is where auditor interviews start finding gaps.

### Layer 3: Evidence of operation

Is the deployed system producing the records it is supposed to produce? Real risk assessments for real AI systems. Real approval decisions with real dates. Real monitoring logs with real anomalies flagged and addressed. Real incidents with real root-cause analyses. Layer 3 is where most first-time certifications struggle. It is also the layer that cannot be faked.

> A management system that exists only at the design layer is documentation. A management system that operates through all three layers is governance. The audit tests which one you have.
>

## The six places organizations most often trip up

Across audits, the same categories of issues appear consistently. Knowing them in advance is usually enough to avoid them.

### 1. AI inventory that does not match reality

The certified scope claims to cover all AI systems the organization operates. A walk through product teams reveals AI systems the management system does not know about. Shadow AI is the single most common finding.

### 2. Risk assessments that are theoretical

The risk register lists generic AI risks, not risks traced to specific systems in use. The auditor asks “which of these risks applies to the HR screening model in production?” and the answer is unclear. Impact assessment, a central Annex A control, fails at this step.

### 3. Human oversight that exists only on slides

The policy says humans review high-risk outputs before action. The operational reality shows review happens in bulk, after the fact, or not at all, because the volume makes meaningful review impossible. Oversight exists as a control claim, not as a control.

### 4. Third-party AI untracked

The organization treats itself as a deployer of three vendor systems. A closer look reveals twelve third-party AI components embedded in SaaS tools, CRM plugins, and productivity software. None has gone through the third-party AI evaluation process.

### 5. Monitoring without response

Drift and performance monitoring is in place. Alerts fire. The auditor asks what happens after the alert, and the answer is “the team looks at it.” There is no documented response workflow, no thresholds for escalation, no record of decisions taken.

### 6. Management review that is ceremonial

A management review took place. The minutes show presentations were given. They do not show decisions made, resources reallocated, or changes approved based on the data presented. Clause 9.3 of the standard expects the review to drive change, not simply to occur.

## Reframing the question

The preparation question most teams ask is “Will we pass?” The useful question is “If the auditor picks a random AI system we operate and asks me to walk them through its governance lifecycle, can I show them everything without improvising?”

If the answer is yes for every system in scope, the audit is a formality. If the answer is yes for most systems but not all, the audit will find the exceptions. Auditors pick strategically.

## The structural shift

Audit practice has moved, over the past decade, from document sampling to process tracing. Older audits could be passed by a well-organized document repository. Modern audits follow a specific AI system through the management system end-to-end: intake, risk assessment, approval, deployment, monitoring, change management, incident handling.

This process-tracing approach is especially pronounced for ISO 42001 because the subject matter demands it. A static document cannot demonstrate that a dynamic system is governed. Only the traceable operation can.

## What this means for your organization

Run a dry-run audit internally, with the same method. Pick one AI system at random. Trace it through every applicable clause and control. What evidence exists? Who owns it? How current is it? The gaps surfaced in a dry run are gaps you can fix; the gaps surfaced by the certification body become findings.

Train your people to talk like operators, not rehearsers. Auditors recognize rehearsed answers instantly. Operators who explain how they actually do the work, including the difficulties, come across as credible even when the process has rough edges.

Prepare for the sampling, not the full surface. Auditors sample. Your job is to make sure every AI system in scope could hold up under sampling, not just the ones you would showcase.

> A good audit does not validate your system. It reveals it. The audit result is a description of how your organization actually operates, not how it claims to operate.
>

Ready to move from documentation to certification?

📩 [[email protected]](mailto:[email protected]) · 🌐 [zertia.ai](http://zertia.ai)

Your fast track to compliance starts here

Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.