
What auditors actually want
ISO 42001 is a management system standard. That means the audit isn't just checking whether a policy exists. It is checking whether your organization can show repeatable governance, assigned responsibilities, risk-based planning, operational controls, monitoring, internal audit, and continual improvement across AI systems. ISO 19011 adds the broader guidance on how internal audits are planned, conducted, reported, and followed up.
So the practical question is not, "Do we have documentation?" It is, "Can we show a complete chain from control requirement to implemented practice to retained evidence?" If your evidence can't be tied to an actual process, owner, and system boundary, it will feel thin in audit interviews even when the document stack looks impressive.
Fast reality check: if your current folder is mostly policy PDFs with no inventory, approvals, risk records, review minutes, or corrective action trail, you do not have an evidence pack. You have a document library.
Seven evidence categories you need
| Category | What to include | Why it matters |
|---|---|---|
| Governance and leadership | AI policy, roles and responsibilities, committee charter, management review inputs and outputs. | Shows leadership commitment and operating accountability. |
| Scope and inventory | AIMS scope statement, AI system inventory, system categorization, interested-party analysis. | Proves what is in scope and why. |
| Risk and impact assessment | AI risk assessments, treatment plans, impact assessments, residual risk decisions. | Shows risk-based planning rather than generic control copying. |
| Operational controls | Lifecycle procedures, human oversight controls, change approvals, monitoring rules, incident playbooks. | Demonstrates that controls operate in practice. |
| Data and third-party governance | Data quality checks, provenance records, privacy reviews, vendor due diligence, contract clauses. | Covers external dependency and data exposure. |
| Assurance and audit | Internal audit program, audit reports, nonconformities, corrective action tracking, competence records. | Shows the system is tested and improved. |
| Performance and improvement | KPIs, monitoring outputs, incidents, lessons learned, management review actions. | Shows the AIMS is maintained, not frozen. |
The evidence set should map to clauses 4 through 10 and, where relevant, Annex A control activity. Don't overcomplicate the first version. A tight evidence pack beats a bloated repository nobody can navigate.

Internal audit questions worth rehearsing
Internal audits should do more than confirm a template exists. They should pressure-test whether people can explain and evidence the system. Five questions usually surface the gaps fast:
- Which AI systems are in scope, and who owns each one? If the inventory and ownership view are inconsistent, stop there.
- Show me one recent risk assessment and the resulting treatment decision. This exposes whether risk review is real or ceremonial.
- Which actions require human oversight, and how is that enforced? Particularly important for agentic or consequential systems.
- How do you know third-party AI components remain acceptable? This reveals whether vendor governance exists after onboarding.
- Show one issue that led to corrective action and how closure was verified. Auditors want to see learning, not static compliance theatre.
If process owners can't answer those without rummaging through inboxes, the issue isn't wording. It is operational design.
How to structure the evidence pack
The cleanest approach for SMEs is one master index plus linked evidence folders. The index should show: control or clause reference, evidence name, owner, source system, review cadence, and file location. Then keep the underlying evidence in seven folders aligned to the categories above.
Don't bury everything in clause-number folders alone. Auditors may think in clauses, but operators think in processes and systems. Build for both. A good index lets you filter by clause, AI system, process owner, and last review date.
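One way to make the index checkable rather than merely browsable, as an added example that is not the article's own tooling: it loads a constructed master-index CSV with the columns listed above plus an ai_system column, supports the filters the text describes, and reports the gaps an internal auditor would raise first (missing owners, owners that disagree with the inventory, overdue reviews, clauses or inventory systems with no evidence). The column names, clause subset, dates and inventory are assumptions.

```python
# Added example (not from the article): traceability checks over a constructed
# evidence-pack master index; index columns and inventory are assumptions.
import csv
import io
from datetime import date, timedelta
# Constructed sample index; ai_system is empty for organisation-wide evidence.
INDEX_CSV = """clause,evidence,owner,ai_system,source_system,review_cadence_days,last_review,location
6.1,AI risk assessment - triage assistant,R. Patel,triage-assistant,GRC tool,180,2024-05-10,/risk/triage.pdf
8.2,Human oversight procedure,,triage-assistant,Wiki,365,2024-03-01,/ops/oversight.md
9.2,Internal audit report 2024,A. Kim,,Audit share,365,2024-06-15,/audit/2024.pdf
A.6.2,Vendor due diligence - LLM API,A. Kim,doc-summariser,Vendor register,365,2023-05-20,/vendor/llm.pdf
"""
# Constructed AI-system inventory: system -> accountable owner.
INVENTORY = {"triage-assistant": "R. Patel", "doc-summariser": "L. Osei", "fraud-scorer": "M. Diaz"}
# Illustrative subset of clauses the pack must evidence (not the full standard).
REQUIRED_CLAUSES = ["6.1", "8.2", "9.2", "10"]
TODAY = date(2024, 9, 1)  # fixed so the checks are reproducible

def load_index(text):
    return list(csv.DictReader(io.StringIO(text)))

def filter_index(rows, **criteria):
    """Filter by any index column, e.g. filter_index(rows, ai_system='triage-assistant')."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]

def find_gaps(rows, inventory, required, today):
    """Return the findings an internal auditor would raise first."""
    gaps = {"missing_owner": [], "owner_mismatch": [], "overdue": [], "unknown_system": []}
    clauses, systems = set(), set()
    for r in rows:
        clauses.add(r["clause"])
        system, owner = r["ai_system"], r["owner"].strip()
        if system:
            systems.add(system)
            if system not in inventory:
                gaps["unknown_system"].append(r["evidence"])
            elif owner and inventory[system] != owner:  # index disagrees with inventory
                gaps["owner_mismatch"].append(r["evidence"])
        if not owner:
            gaps["missing_owner"].append(r["evidence"])
        due = date.fromisoformat(r["last_review"]) + timedelta(days=int(r["review_cadence_days"]))
        if due < today:
            gaps["overdue"].append(r["evidence"])
    gaps["uncovered_clause"] = [c for c in required if c not in clauses]
    gaps["uncovered_system"] = sorted(set(inventory) - systems)
    return gaps

def run_checks():
    return find_gaps(load_index(INDEX_CSV), INVENTORY, REQUIRED_CLAUSES, TODAY)
```

Each finding maps back to one of the rehearsal questions above: a system in the inventory with no evidence row, or an owner the index and inventory disagree on, is exactly the inconsistency that stops an audit interview early.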
Practical path: if you're starting from zero, use the free assessment to identify domain gaps, move into ACT Tier 1 for inventory and matrix mapping, then use ACT Tier 2 for the policy and evidence artefacts that close the audit trail.
Frequently asked questions
Do we need separate evidence for every Annex A control?
Not always as separate files. One artefact can support multiple controls. The key is traceability. You must be able to show which evidence supports which requirement.
Is a policy template enough for audit readiness?
No. Policies are necessary, but auditors will ask for records showing the policy was implemented, reviewed, monitored, and improved.
What is the fastest evidence gap to fix?
Inventory plus ownership. Once each AI system has an owner and scope, the rest of the evidence map becomes much easier to assemble.
Does ISO 19011 replace ISO 42001 audit requirements?
No. ISO 42001 sets the management system requirement for internal audit. ISO 19011 provides broader audit guidance on planning, conduct, competence, reporting, and follow-up.