Most organisations preparing for ISO/IEC 42001 audit underestimate which evidence matters most. An audit does not start with the policy pack. It starts with five questions a Lead Auditor decides in the first hour.
When organisations talk about preparing for ISO/IEC 42001 certification, the conversation almost always starts with the policy pack. A policy framework gets drafted, an AI use policy gets approved at executive level, a tool-assessment template gets circulated, and the assumption is that the audit will follow the document trail from policy to evidence.
It does not.
An ISO/IEC 42001:2023 audit — like any well-conducted management system audit — does not start with the policies. It starts with five questions the auditor decides within the first hour on site. The answers shape everything that follows. Organisations that recognise this in advance build evidential structures that hold up. Organisations that focus exclusively on the policy pack get tested on questions the policies were never designed to answer.
This piece is a Lead Auditor's view of what gets examined first, and why.
1. Can you produce your AI inventory in under five minutes?
The first question is not phrased as "show me your AI inventory". It is phrased as "what AI systems are currently in use, who owns each one, and where is the documentation?" The answer reveals the maturity of the management system in seconds.
Three patterns surface.
The first is the organisation that produces a spreadsheet within five minutes. It may not be perfect, but it is current, structured, and authoritative. Every system has a named owner, a risk classification, a deployment date, and a link to its impact assessment. This organisation will pass the inventory question. The auditor will then test the inventory by picking a system off it and asking to see the underlying records. The audit moves forward.
The second is the organisation that produces multiple competing documents. IT has a tool list. Procurement has a vendor list. Compliance has a risk register. None of them agree, and none of them maps cleanly to the EU AI Act's risk classification framework. The auditor learns from this exactly what the organisation does not yet have: a single source of truth. The audit slows down. The conversation moves from inventory to inventory-management capability — a different and harder question.
The third is the organisation that cannot produce anything authoritative in the first hour. Shadow AI use is unmapped. The Microsoft 365 Copilot rollout was procured separately from the "AI projects" tracked by IT. The marketing team's content generation tools were never disclosed to compliance. The audit cannot proceed substantively until this is resolved, and the auditor's finding will reflect that.
The inventory question is not the deepest one in the audit. It is the first one. But because the rest of the audit depends on it, getting it wrong colours everything that follows.
2. Who is the accountable executive for AI use, and what decision did they make this quarter?
Annex A of ISO/IEC 42001 requires defined roles and responsibilities for AI use within the management system. Every framework I have seen has a named accountable executive on paper. The auditor's interest is in whether that role is operational.
The probe is simple: name the executive, then ask the executive — not the compliance team, not the project manager, the executive — what AI decisions they have made this quarter. The answer tells the auditor whether the management system runs upward into the executive layer or stops below it.
The strongest response sounds operational: "I approved the deployment of System X in February under our tool-assessment process. I declined a request to deploy System Y in March because the impact assessment surfaced unresolved residency concerns. I am currently reviewing the risk reclassification of System Z following the Omnibus deadline change." The auditor hears: this person owns AI decisions, has a record of decisions, and can explain the reasoning behind them.
The weaker response sounds positional: "I have ultimate accountability for AI, and the team escalates to me when needed." The auditor hears: this person is named on the policy but does not actually exercise the role. The follow-up question lands hard. Show me the last three AI decisions you made.
A defined role without operational evidence is not a satisfied control. ISO/IEC 42001 distinguishes the two with care.
3. What did your last impact assessment change?
The EU AI Act and ISO/IEC 42001 both require AI impact assessments. The risk in any framework like this is that assessments become a paperwork exercise: a template gets filled out, signed off, and filed. The audit's interest is in whether the assessment process actually changes outcomes.
The question is direct. Show me an impact assessment from the past six months where the outcome was not "proceed with deployment as planned". What did the assessment surface, and what changed as a result?
If every assessment in the file has approved every deployment unchanged, the auditor concludes the assessment is not functioning as a control. It is functioning as a sign-off ritual. This is among the most common patterns we see. Organisations build the assessment process before they have a culture of consequential review, and the process inherits the culture's habits.
The strongest evidence is an assessment that recommended modifications, deferrals, additional controls, or non-deployment — and a corresponding record showing what was done in response. The weakest is a stack of "approved, proceed" outcomes with no exceptions. Auditors are trained to look for the exceptions. Their absence is itself a finding.
4. How does an AI failure escalate, and who has it ever happened to?
ISO/IEC 42001 Annex A requires incident management. The audit examines this not by reading the procedure, but by asking for a worked example.
The worked example matters because incident management is the control that almost always looks complete on paper and turns out to be untested in practice. Until something has actually escalated, the procedure is theoretical. The auditor wants the unrehearsed answer.
In mature management systems, the answer comes with a specific story: in October, an AI tool produced an output that an affected employee complained about; the complaint was logged within four hours; the system was suspended within a day; the impact assessment was reopened; a corrective action was documented; the lessons fed into the next training cycle. Names attached, dates attached, evidence on file. The auditor closes that control with confidence.
In immature systems, the answer is hypothetical: "If something happened, it would escalate to X, who would convene Y." The auditor hears the conditional verbs and adjusts the audit plan. Untested controls require deeper testing. Hypothetical procedures get probed. The audit slows.
The implication for preparing organisations is uncomfortable: you want an incident on file before the audit. Not a major one. A logged, resolved, documented near-miss is worth more in audit than the cleanest possible procedure document with no exercise history.
5. What does the management review actually review?
The final question is about the management review cycle. ISO/IEC 42001 requires top management to review the AI management system at planned intervals. Every framework defines this. The audit examines what the review actually contains.
The strongest reviews look like board papers: trend data on AI usage, risk classification changes over the period, audit findings closed and open, training completion rates, incidents and corrective actions, regulatory developments and their impact on scope, customer or partner feedback on AI use. The review produces decisions, recorded in minutes, with action owners and dates.
The weakest reviews look like compliance reports: a binary statement that the management system continues to operate, followed by an attestation that the policy framework remains current. The auditor reads the minutes for evidence that anything was actually reviewed. If the minutes record that nothing was decided, nothing was decided.
Management review is the control that ties the system together. A management review that does not produce decisions is a management review in name only. The auditor's finding reflects this directly: the control is in form but not in substance.
What this means for organisations preparing for audit
Three observations follow from the pattern.
First, the strongest preparation for audit is not the cleanest possible policy pack. It is the operational management system the policies describe, running long enough that it produces evidence the audit can examine. An organisation with six months of imperfect-but-real evidence will outperform one with twelve months of perfect-on-paper preparation. Imperfections in evidence are routine audit findings. Absence of evidence is structural.
Second, the questions above are answerable now, not just at audit time. Run them yourself. Ask the executive what AI decisions they made this quarter. Ask for an impact assessment that did not end in unchanged approval. Ask how the last AI incident escalated. The answers reveal where the management system is mature and where it is not — months or years before an external auditor arrives.
Third, the gap between EU AI Act compliance and ISO/IEC 42001 alignment is exactly this set of questions. The Act tells you the controls must exist. The standard tells you how to operate them. Without the management system underneath, EU AI Act compliance is documentary; with it, the compliance becomes operational. The same evidence supports both.
For Irish organisations approaching the AI Office of Ireland's August 2026 commencement, the questions above are not just audit preparation. They are also the questions a regulator with compulsory information powers will ask from December 2026 onwards. The audit lens is useful precisely because it is the lens an external party — auditor, regulator, or significant counterparty — will eventually apply.
The work that satisfies a Lead Auditor satisfies most of what comes next.