Methodology · ISO 19011
A good audit is not a search for mistakes; it is a structured, evidence-based picture of whether your system actually works. My method follows ISO 19011 and is published openly here, so you (and your procurement) can see exactly how I work and justify the choice of an independent auditor.
1 · Scoping & audit plan
We fix scope, criteria and objectives: which systems, which standard (ISO/IEC 42001, 27001 or your own requirements), which role, and agree the audit plan.
2 · Document review & sampling plan
I review your documents up front and build a risk-based sampling plan, so the on-site time goes where the risk is, not where it is convenient.
3 · On-site audit & evidence gathering
Opening meeting, walk-through (for production: incoming goods → production → QA → dispatch), interviews and evidence gathering. Documentation review and interviews run reliably remote; physical processes are seen on-site.
4 · Evaluation of findings
Conclusions are drawn only from evidence, on a risk-based sample. Each finding is classified by severity (see below) and is fact-based, never gut feeling.
5 · Report & follow-up
A clear, traceable audit report with findings and recommended actions, then verification that corrective actions actually worked. The follow-up is what turns an audit into a result.
Every finding is rated by severity and grounded in evidence, so it is transparent and reproducible.
| Severity | What it means | Example & consequence |
|---|---|---|
| Major nonconformity | A requirement is systematically unmet, or a whole element is missing. | Example: there is no documented AI risk assessment at all. Blocks certification until resolved. |
| Minor nonconformity | A requirement is unmet in an isolated case; the system works in principle. | Example: the AI policy is approved but two weeks past its annual review date. Corrective action with a deadline. |
| Opportunity for improvement | Conforming, but it could be done better. | Example: competence records exist but could be filed more centrally. A recommendation, not an obligation. |
ISO 19011 sets out the principles that guide every auditor. They are not decoration; they are why an audit result can be trusted.
Why sampling? An audit can never check everything. It works from a risk-based sample; that is recognised methodology (ISO 19011), not a shortcut. I focus the sample where the risk to people, safety or compliance is highest.
Whether a supplier audit, an internal audit or certification readiness, we agree scope and method up front, in writing.