The ISO 42001 audit: internal and external audits explained
- ISO 42001 involves internal audits you run and an external certification audit by an accredited body.
- Internal audits find and fix problems before they become failures and are required by the standard.
- The external audit has Stage 1 (documentation) and Stage 2 (implementation), followed by surveillance and recertification.
- Use an accredited certification body, and let strong internal auditing make the external audits routine.
- Current as of June 2026. This is general information, not legal advice.
Internal audits
The standard requires you to audit your own AI management system at planned intervals. An internal audit checks whether the system conforms to the standard and to your own requirements, and whether it is effectively implemented and maintained. It is your mechanism for finding and fixing problems before they become failures. Internal audits are run by your own people (or someone you appoint), and the auditor must be objective and impartial, which in practice means nobody audits their own work. A genuine internal audit that surfaces real issues, records them as nonconformities and tracks them to closure is one of the most valuable parts of the management system.
The external certification audit
The external audit is conducted by an accredited certification body and results in your ISO 42001 certificate. It has two stages:
- Stage 1: A documentation review. The auditor checks that your management system is designed correctly, that the required documents and the Statement of Applicability are in place, and that you are ready for Stage 2. Its purpose is to identify gaps you must close before Stage 2.
- Stage 2: An implementation review. The auditor examines evidence that the system actually operates, by interviewing staff, sampling records and checking that controls and processes work in practice rather than only on paper. Findings are raised as nonconformities; the certificate is issued once Stage 2 is complete and any major nonconformities have been closed.
Surveillance and recertification audits
Certification is not a one-time event. After you are certified, the certification body conducts annual surveillance audits to confirm you are maintaining and improving the system, and a fuller recertification audit at the end of the three-year cycle. These ongoing audits reflect the standard's continual-improvement nature: you are certified against a living system, and the certification body checks periodically that it is still being operated, reviewed and improved, not just that the documents still exist.
Why accreditation matters
For an external certificate to carry weight, the certification body should be accredited by a recognised national accreditation authority. Accreditation provides assurance that the body is competent, independent, and consistent. When choosing a certification body, confirming its accreditation is an important step: ask which accreditation authority covers it and for which standard, and check the authority's public register rather than relying on a logo on the body's website, because an unaccredited certificate may not be recognised by the buyers and regulators you are trying to satisfy.
How the audits fit together
The internal and external audits reinforce each other. Strong internal auditing means the external audit confirms a system that is already sound, which makes certification smoother and surveillance audits routine. Weak internal auditing means problems surface in front of the certification body, which is slower and more stressful. Treating internal audit as a genuine discipline, rather than a formality, is what makes the external audits straightforward.
Key terms
- Internal audit: an organisation's own audit of its management system, required by the standard.
- Certification body: an independent body, accredited to audit and certify against ISO standards.
- Surveillance audit: an annual check by the certification body that the system is being maintained.
- Accreditation: formal recognition that a certification body is competent, independent, and consistent.