What an ISO 42001 Audit Really Checks (and What It Doesn't)
An ISO 42001 audit doesn't check your technology. It checks whether someone owns the risk, knows it, and has evidence. What an auditor really wants to see.
In short
An ISO/IEC 42001 audit doesn't check the AI technology itself, but the management system behind it: whether roles, risk assessment, AI policy, data quality, human oversight, and monitoring are defined, documented, and genuinely lived. The auditor looks for proof that an organization actually governs its AI, not just on paper.
When I walk into an organization as an auditor, many people expect me to inspect the servers. Models, training data, algorithms. That is a misunderstanding. An ISO 42001 audit doesn't check technology. It checks whether the organization has its AI under control, and that is something entirely different.
First the process. Then the role. Then the evidence. I look in that order.
What an ISO 42001 audit is not
An auditor does not check whether an AI model performs well. That is the job of validation. Nor whether the cloud architecture is sound, that belongs in the ISO 27001 scope. And not whether you are using the best available model either. Model choice is your decision, not mine.
An audit doesn't ask: does your AI work? It asks: who is accountable when it doesn't?
What is actually on the test bench
An ISO 42001 audit (standard published in 2023, audits now conducted under ISO/IEC 42006) examines five core areas, and not a single one of them is primarily technical:
- Leadership and accountability: Does someone visibly hold the mandate to be accountable for AI governance? Is it written into a role, a record, a board decision?
- Risk management: Do you know the risks your AI poses to affected people and to the organization? Have you assessed them systematically, not from gut feeling?
- Impact assessment: Can you show what consequences an AI system has for the outside world (ISO/IEC 42005)? Not just risks to you, but effects on others.
- Awareness and competence: Do staff know what they are and aren't allowed to do? Who completed the mandatory training? Is there evidence?
- Controls and evidence: Have you selected the relevant controls from Annex A, and can you demonstrate that they are effective?
A concrete scene from audit practice
At a mid-sized company I ask: "Which AI systems are you currently using?" The managing director names three. The head of IT adds: "Plus the component inspection in plant three. And the chat assistant for sales." The managing director looks surprised.
This is not a trap. It is the audit test: does a complete, maintained inventory of AI systems exist? When leadership learns about systems instead of already knowing them, the governance isn't there yet.
The next test is classification. I ask about the applicant-screening tool in HR. "It's only a filter," says the head of IT. Wrong. An AI that pre-sorts or scores job applications falls into the high-risk category under Annex III of the EU AI Act. That triggers obligations around human oversight, bias testing, transparency, and documentation. Anyone who doesn't know this has a gap in their risk register, and a hard question coming in the audit.
An AI tool that sorts résumés isn't a convenience. It is a discrimination claim waiting to become actionable.
The same applies to AI-assisted quality inspection in manufacturing: does the camera reliably detect a crack, or does it wrongly pass defective parts? That is not just a quality issue, it is product liability. Anyone operating here without documented validation, without defined thresholds, without an escalation path has built AI risks into their production without controlling them.
What an auditor sees in the first two hours
Experienced auditors don't need three days to gauge maturity. Four indicators reveal it by mid-morning:
- Can the responsible person answer "Which AI do we use?" in under two minutes?
- Is there a risk register with concrete entries, or just a list of theoretical risk categories?
- Is there a training overview with names, dates, and content, or just a PDF sitting on the server?
- Are the Annex A controls linked to concrete measures, or simply ticked off?
If all four are clean, the audit runs as a confirmation. If two are thin, it goes deeper. If three or four are thin, it is too early for an external audit, and an honest gap analysis helps more than an embarrassing failed certification audit.
Why technology is only a by-catch in the audit
Imagine someone certifying your fire protection without ever looking at your fire alarm system. Sounds absurd, but it is exactly what to expect with ISO 42001. The standard examines the management system, not the equipment. It checks whether you know what you are doing, why you are doing it, who answers for it, and whether your controls fit.
That is not a flaw in the standard. That is its purpose. Technology changes monthly. Accountability, roles, and risks do not. That is precisely why the standard builds on what endures.
When an organization is audit-ready
Audit-ready does not mean having every answer ready. Audit-ready means being able to demonstrate, traceably, where you stand, where you don't, and what is planned. Auditors don't expect perfection. They expect honesty, evidence, and consistency.
Those who have that walk into the audit relaxed. Those who don't should start with an honest look at themselves, not with the certification body.
Frequently asked questions
Is training data audited?
Indirectly: the audit asks whether you have described your data pipeline, whether procedures for data quality assurance exist, and whether you know where personal data comes into play. The auditor does not take the actual dataset apart, that is the job of internal validation.
Do I have to list all AI systems, including purchased SaaS tools?
Yes. If the tool produces AI outputs for you, it belongs in the inventory, whether built in-house or bought in. This very completeness is the most common weak point in a first audit.
Is it enough to write an AI policy document?
No. That is the door, not the house. An audit also checks whether the policy is actually lived: through roles, training, documented decisions, and implemented measures. Paper without practice gets noticed in the audit.
How long does an external ISO 42001 audit take?
Stage 1 (document review) typically takes 1 to 2 auditor-days. Stage 2 (on-site) takes 2 to 5 auditor-days depending on organization size. Add internal preparation, follow-up, and corrective actions. A realistic end-to-end run: 6 to 12 weeks.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 30 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.