Internal Audits
Purpose
This procedure establishes Rygen Technologies’ internal audit program for the AI Management System (AIMS) in accordance with ISO/IEC 42001:2023 Section 9.2, to provide information on whether the AIMS conforms to organizational requirements and the requirements of the standard, and is effectively implemented and maintained.
Scope
This procedure applies to all internal audits of the AIMS, covering all processes, activities, and areas within the defined AIMS scope including:
• AI systems (X1 Platform, Corsair, internal AI tools)
• AIMS processes and procedures
• AI governance activities
• Risk management processes
• All organizational units involved in AI activities
Audit Program Framework
Audit Frequency
A complete AIMS audit is conducted annually.
Audit Method
The audit program employs:
• Document review: Examination of AIMS documentation and records
• Process observation: Direct observation of AI activities and processes
• Stakeholder interviews: Discussions with personnel involved in AI activities
• Sampling: Representative sampling of AI systems and processes
• Evidence verification: Confirmation of implementation through objective evidence
Responsibilities
• Principal AI Engineer - Audit program owner and lead auditor, responsible for audit planning and scheduling and audit report approval
• CTO - Audit program approval, resource allocation, and management of audit results
• AI Governance Committee - Review audit findings, approve corrective actions, and monitor audit program effectiveness
• Team Leads - Support audit activities, provide access to personnel and records, and implement corrective actions
• Auditees - Cooperate with audit activities, provide requested information, and participate in interviews
Audit Planning and Scheduling
The Principal AI Engineer shall develop an annual audit plan by December 31st for the following year, considering:
• Process importance: Critical vs. supporting processes
• Previous audit results: Areas with findings or concerns
• Risk assessment outcomes: High-risk areas requiring attention
• Changes in scope: New AI systems or processes
• Resource availability: Auditor availability and workload
• Business priorities: Strategic importance and timing
Audit Process
Audit Preparation
For each audit, clearly define the audit objectives, including:
• Primary objective: Verify conformity to requirements
• Secondary objectives: Assess effectiveness and identify improvements
• Specific focus areas: Based on risk assessment and previous results
Establish audit criteria including:
Internal Requirements:
• AIMS policies and procedures
• AI governance frameworks
• Risk management processes
• Performance objectives and targets
External Requirements:
• ISO/IEC 42001:2023 requirements
• Applicable legal and regulatory requirements
• Client contractual requirements
Determine audit scope by defining the boundaries of each audit:
• Processes included: Specific AIMS processes to be audited
• Organizational units: Teams and departments involved
• Time period: Period covered by the audit
• Locations: Physical or virtual locations (if applicable)
• Exclusions: Any areas specifically excluded and why
Auditor Selection and Competence
Lead Auditor Requirements:
• ISO 42001 knowledge and certification
• AIMS implementation experience
• Auditing skills and experience
• Objectivity and impartiality
When needed, additional auditors may be selected based on:
• Technical expertise: Specific AI or technical knowledge
• Process knowledge: Understanding of specific business processes
• Availability: Timing and workload considerations
• Objectivity: No responsibility for the area being audited
Ensuring objectivity and impartiality requires:
• Auditors shall not audit their own work
• No direct reporting relationship between auditor and auditee
• External auditors may be used for areas where internal objectivity is compromised
• Audit assignments rotated when practical
Audit Execution
The opening meeting:
• Confirms audit objectives, criteria, and scope
• Reviews audit plan and timeline
• Establishes communication protocols
• Addresses questions and concerns
Information gathering includes:
Document Review:
• AIMS policies and procedures
• Process documentation
• Records and evidence
• Previous audit reports
• Corrective action records
Process Observation:
• Observe AI development activities
• Review AI system operations
• Examine risk management activities
• Assess training and competence activities
Personnel Interviews:
• Structured interviews with key personnel
• Understanding of roles and responsibilities
• Knowledge of procedures and requirements
• Evidence of training and competence
Evidence evaluation involves:
• Collect objective evidence
• Verify conformity to requirements
• Assess effectiveness of implementation
• Identify areas for improvement
• Document findings with supporting evidence
The closing meeting:
• Presents preliminary findings
• Discusses observations and concerns
• Clarifies any misunderstandings
• Outlines next steps and timeline
Audit Findings and Reporting
Finding Classification
Major Nonconformity
• Absence of or failure to implement a requirement
• Situation that would seriously affect the AIMS capability
• Pattern of minor nonconformities in the same area
Minor Nonconformity
• Isolated failure to meet a requirement
• Situation unlikely to seriously affect AIMS capability
• Documentation issues that don’t affect implementation
Observation
• Area for potential improvement
• Good practice worth noting
• Trend that could become an issue
Audit Report Content
Each audit report shall include:
• Executive Summary: Key findings and overall assessment
• Audit Details: Objectives, criteria, scope, dates, and participants
• Findings: Detailed findings with evidence and references
• Conclusions: Overall conformity assessment and effectiveness evaluation
• Recommendations: Suggestions for improvement
• Appendices: Supporting documentation and evidence
Report Distribution
Audit reports shall be distributed to:
• CTO (within 5 business days)
• AI Governance Committee members
• Auditees and their managers
• Document control system (Confluence)
Follow-up and Corrective Action
Corrective Action Requirements
• Major nonconformities: Require immediate corrective action plan
• Minor nonconformities: Require corrective action within 30 days
• Observations: Consider for improvement planning
Corrective Action Process
The process includes:
- Root cause analysis: Identify underlying causes
- Action planning: Develop specific corrective actions
- Implementation: Execute planned actions
- Verification: Verify effectiveness of actions
- Closure: Close findings when verified effective
Follow-up Audits
Conduct follow-up audits when:
• Major nonconformities are identified
• Corrective actions need verification
• Systemic issues are discovered
• Management requests additional verification
Control Effectiveness Verification
Annual Control Effectiveness Audit
Annex A control effectiveness shall be audited annually as a dedicated audit, separate from the annual full internal audit.
The dedicated audit shall assess each Annex A control against three criteria:
• Existence — Does objective evidence exist and is it current?
• Implementation — Is the control operating as described in the AIMS documentation?
• Outcome — Is the control producing the intended result?
All Annex A controls shall be assessed during the dedicated control effectiveness audit. The annual full internal audit shall sample a subset of controls for effectiveness rather than re-auditing all.
Specific timing for the dedicated control effectiveness audit is defined in the annual audit schedule document. Templates for the audit plan and checklist are maintained in the aims-governance repository.
Audit Records and Documentation
Required Records
Required records include:
• Annual audit plans
• Individual audit plans
• Audit checklists and working papers
• Audit reports
• Corrective action plans and evidence
• Follow-up audit reports
• Auditor competence records
Record Management
• Storage: Confluence AI space with appropriate access controls
• Retention: 3 years minimum for audit records
• Backup: Included in organizational backup procedures
• Access: Controlled access based on roles and responsibilities
Program Evaluation and Improvement
Program Effectiveness Monitoring
Monitor audit program effectiveness through:
• Audit completion rates: Percentage of planned audits completed
• Finding trends: Analysis of findings over time
• Corrective action effectiveness: Success rate of corrective actions
• Stakeholder feedback: Input from auditees and management
• External audit results: Correlation with external audit findings
Program Review and Improvement
• Quarterly Review: Basic program performance metrics
• Annual Review: Comprehensive program effectiveness evaluation
• Continuous Improvement: Updates based on changes in AIMS scope or processes, new requirements or standards, lessons learned from audits, feedback from stakeholders, and external audit recommendations
Integration with Management Review
Audit program results provide input to management review including:
• Summary of audit activities and findings
• Trends in nonconformities and observations
• Effectiveness of corrective actions
• Recommendations for AIMS improvements
• Audit program performance metrics
Templates and Forms
The following templates support this procedure:
• Annual Audit Plan Template
• Individual Audit Plan Template
• Audit Checklist Template
• Audit Finding Form
• Audit Report Template
• Corrective Action Plan Template
Revision History
| Version | Date | Author | Summary of Change |
|---|---|---|---|
| 1.0 | 2025-06-05 | Field Bradley | Initial draft. |
| 1.1 | 2025-09-02 | Field Bradley | Migrated to markdown and gitlab |
| 1.2 | 2025-01-13 | Field Bradley | Added Audit Program Appendix (A.1-A.6) |
| 1.3 | 2026-03-09 | Hank Galbraith | Added annual control effectiveness verification requirement |
Appendix: Audit Program
A.1 Three-Year Audit Cycle Schedule
This schedule establishes systematic coverage of all ISO/IEC 42001:2023 clauses over a three-year cycle. High-risk areas are audited annually; lower-risk foundational elements follow a rotating schedule.
Audit Coverage by Year
| Section | Title | Y1 | Y2 | Y3 | Frequency |
|---|---|---|---|---|---|
| Clause 4: Context of the Organization | | | | | |
| 4.1 | Understanding the Organization and Its Context | X | | | Triennial |
| 4.2 | Understanding Needs and Expectations of Interested Parties | X | | | Triennial |
| 4.3 | Determining the Scope of the AIMS | X | | | Triennial |
| 4.4 | AI Management System | X | | | Triennial |
| Clause 5: Leadership | | | | | |
| 5.1 | Leadership and Commitment | | X | | Triennial |
| 5.2 | AI Policy | X | X | X | Annual |
| 5.3 | Roles, Responsibilities and Authorities | | X | | Triennial |
| Clause 6: Planning | | | | | |
| 6.1.1 | Actions to Address Risks and Opportunities - General | X | X | X | Annual |
| 6.1.2 | AI Risk Assessment | X | X | X | Annual |
| 6.1.3 | AI Risk Treatment | X | X | X | Annual |
| 6.1.4 | AI System Impact Assessment | X | X | X | Annual |
| 6.2 | AI Objectives and Planning to Achieve Them | | X | | Triennial |
| 6.3 | Planning of Changes | X | | X | Biennial |
| Clause 7: Support | | | | | |
| 7.1 | Resources | | X | | Triennial |
| 7.2 | Competence | X | | X | Biennial |
| 7.3 | Awareness | | | X | Triennial |
| 7.4 | Communication | | | X | Triennial |
| 7.5.1 | Documented Information - General | X | | X | Biennial |
| 7.5.2 | Creating and Updating | X | | X | Biennial |
| 7.5.3 | Control of Documented Information | X | | X | Biennial |
| Clause 8: Operation | | | | | |
| 8.1 | Operational Planning and Control | X | X | X | Annual |
| 8.2 | AI Risk Assessment (Operational) | X | X | X | Annual |
| 8.3 | AI Risk Treatment (Operational) | X | X | X | Annual |
| 8.4 | AI System Impact Assessment (Operational) | X | X | X | Annual |
| Clause 9: Performance Evaluation | | | | | |
| 9.1 | Monitoring, Measurement, Analysis and Evaluation | X | X | X | Annual |
| 9.2.1 | Internal Audit - General | | X | | Triennial |
| 9.2.2 | Internal Audit Program | | X | | Triennial |
| 9.3 | Management Review | X | X | X | Annual |
| Clause 10: Improvement | | | | | |
| 10.1 | Continual Improvement | X | X | X | Annual |
| 10.2 | Nonconformity and Corrective Action | X | X | X | Annual |
Annual Focus Summary
| Year | Primary Focus | Secondary Focus |
|---|---|---|
| Year 1 | Context (4.1-4.4), Risk/Impact (6.1.x), Operations (8.x), Policy (5.2) | Performance (9.1, 9.3), Improvement (10.x), Competence (7.2), Document Control (7.5.x), Changes (6.3) |
| Year 2 | Leadership (5.1, 5.3), Objectives (6.2), Resources (7.1), Internal Audit Program (9.2.x) | All annual items (5.2, 6.1.x, 8.x, 9.1, 9.3, 10.x) |
| Year 3 | Awareness (7.3), Communication (7.4) | All annual items plus biennial items (6.3, 7.2, 7.5.x) |
A.2 Audit Frequency Definitions
| Frequency | Definition | Applicable Sections | Rationale |
|---|---|---|---|
| Annual | Audited every year | 5.2, 6.1.1-6.1.4, 8.1-8.4, 9.1, 9.3, 10.1-10.2 | High-risk areas with direct impact on AI system safety, effectiveness, and compliance |
| Biennial | Audited every two years | 6.3, 7.2, 7.5.1-7.5.3 | Medium-risk supporting processes with moderate change frequency |
| Triennial | Audited every three years | 4.1-4.4, 5.1, 5.3, 6.2, 7.1, 7.3, 7.4, 9.2.1-9.2.2 | Lower-risk foundational elements that change infrequently |
A.3 Mandatory Audit Triggers
The following events require an immediate audit of the affected areas, regardless of the scheduled audit cycle:
| Trigger Event | Audit Scope | Timeline |
|---|---|---|
| Major AI system incident (High/Highest priority per AI-014) | Clauses 8.x, 10.x, affected system controls | Within 30 days of incident closure |
| Major nonconformity identified (internal or external audit) | Affected clause(s) plus related processes | Within 60 days of corrective action implementation |
| New AI system deployment to production | Clauses 6.1.2-6.1.4, 8.1-8.4 for the specific system | Within 90 days of deployment |
| Significant change to AI policy or scope | Clauses 4.x, 5.2 | Within 60 days of change approval |
| Regulatory or standard requirement change | All affected clauses | Within 90 days of requirement effective date |
| Critical or High risk identified (score 10-25 per AI-008) | Clauses 6.1.x, 8.2-8.3, affected system | Within 30 days of risk identification |
| Failed external certification audit | All clauses with findings | Per certification body timeline |
| Data breach or security incident affecting AI systems | Clauses 8.x, AI-010, AI-011 scope | Within 30 days of incident closure |
A.4 Escalation Criteria and Re-Audit Requirements
When nonconformities are identified during audit, the following escalation and re-audit criteria apply:
Escalation Matrix
| Finding Type | Immediate Actions | Re-Audit Required | Re-Audit Timeline |
|---|---|---|---|
| Major Nonconformity | Notify CTO and AI Governance Committee within 24 hours; immediate corrective action plan required | Yes - full clause re-audit | Within 90 days of corrective action completion |
| Multiple Minor Nonconformities (3+ in same clause) | Escalate to CTO; root cause analysis required | Yes - targeted re-audit of affected area | Within 60 days of corrective action completion |
| Single Minor Nonconformity | Standard corrective action per AI-014 | Verification only (not full re-audit) | At next scheduled audit |
| Repeat Nonconformity (same finding as previous audit) | Escalate to CTO; effectiveness review of previous corrective action | Yes - expanded scope re-audit | Within 60 days of corrective action completion |
| Pattern of Observations (3+ related observations) | Review at next management review | Optional - at auditor discretion | At next scheduled audit |
Scope Expansion Criteria
When a re-audit is triggered, the scope may be expanded based on:
| Original Finding Scope | Expansion Criteria | Expanded Scope |
|---|---|---|
| Single process | Root cause affects multiple processes | Related processes in same clause |
| Single AI system | Systemic issue identified | All AI systems using same process or component |
| Documentation issue | Control effectiveness concern | Full clause including implementation |
| Implementation gap | Training or competence concern | Add Clause 7.2 (Competence) to scope |
A.5 Integration with Management Review
Audit program results are reported to the quarterly management review (AI-012) with the following inputs:
| Input | Frequency | Source |
|---|---|---|
| Audit completion status vs. schedule | Quarterly | Audit program records |
| Summary of findings by clause | Quarterly | Audit reports |
| Corrective action status and effectiveness | Quarterly | Jira and corrective action records |
| Trend analysis of nonconformities | Quarterly | Historical audit data |
| Re-audit results and outstanding items | Quarterly | Re-audit reports |
| Audit program effectiveness metrics | Annual | Program evaluation |
| Recommended schedule adjustments | Annual | Audit program review |
A.6 AIMS Document to ISO Clause Cross-Reference
This table maps AIMS handbook documents to the ISO/IEC 42001:2023 clauses they address, supporting audit planning and evidence collection:
| AIMS Document | ID | Primary ISO Clause(s) |
|---|---|---|
| AI Policy | AI-001 | 5.2 |
| AIMS Objectives | AI-002 | 6.2 |
| AIMS Scope | AI-003 | 4.1, 4.2, 4.3 |
| AIMS Charter | AI-004 | 4.4, 5.1 |
| Roles and Responsibilities | AI-005 | 5.3, 7.1 |
| Document Control | AI-006 | 7.5.1, 7.5.2, 7.5.3 |
| Communication Policy | AI-007 | 7.4 |
| Risk Management Framework | AI-008 | 6.1.1, 6.1.2, 6.1.3, 8.2, 8.3 |
| Impact Assessment Process | AI-009 | 6.1.4, 8.4 |
| Security Policy | AI-010 | 8.1 |
| Data Management | AI-011 | 8.1 |
| Management Review | AI-012 | 9.3 |
| System Development Lifecycle | AI-013 | 8.1, 6.3 |
| Nonconformity and Corrective Action | AI-014 | 10.1, 10.2 |
| Internal Audit | AI-015 | 9.2.1, 9.2.2 |
| Acceptable Use Policy | AI-016 | 8.1 |
| Performance Monitoring | AI-017 | 9.1 |
| Competency Matrix | AI-018 | 7.2 |
| Governance Committee Roles | AI-019 | 5.3 |
| Approved Tools | AI-020 | 8.1 |
| Training and Competence | AI-021 | 7.2, 7.3 |