Owner: CISO (programme) with an independent internal auditor performing each audit
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001:2022 cl. 9.2; ISO/IEC 42001:2023 cl. 9.2; SOC 2 (control self-assessment / CC4.1); supports the ISMS Management Review
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001:2022 cl. 9.2; ISO/IEC 42001:2023 cl. 9.2; SOC 2 (control self-assessment / CC4.1); supports the ISMS Management Review
Purpose
Provide independent assurance that the ISMS and the AI Management System (AIMS) conform to their respective standards (ISO/IEC 27001:2022 and ISO/IEC 42001:2023), to Neuroscale’s own policies, and to applicable legal and contractual requirements — and that they are effectively implemented and maintained.Independence — the controlling requirement
ISO/IEC 27001:2022 cl. 9.2.2(c) and ISO/IEC 42001 cl. 9.2 require that auditors do not audit their own work. At Neuroscale’s scale, where the CISO/CTO operate most controls, internal audit independence is achieved by one of the following, in order of preference:- Contracted independent internal auditor — a qualified third-party firm (separate from the SOC 2 / ISO certification auditor and separate from the penetration-test vendor) performs the internal audit. This is the default for the ISO certification cycle.
- Internal auditor independent of the audited activity — a Neuroscale employee who does not own or operate the control being audited, where such a person exists.
- Outside-counsel-supervised review — where neither of the above is available for a given area, VGC LLP supervises the review as the compensating governance control, with the limitation documented.
Audit programme and frequency
- A rolling annual audit programme is maintained by the CISO. Over each 12-month cycle the programme covers all clauses (4–10) and all applicable Annex A controls of ISO/IEC 27001:2022 (per the Statement of Applicability) and, for the AIMS, all applicable Annex A controls of ISO/IEC 42001 (per the AIMS Statement of Applicability).
- The programme is risk-based: areas with higher risk, recent incidents, significant change, or prior findings are audited earlier and/or more frequently.
- At least one full internal audit covering the ISMS and AIMS is completed before each external certification audit and at least annually thereafter.
- The programme states, for each planned audit: scope, criteria, method, auditor, and schedule.
Conducting an audit
- Plan. The auditor confirms scope, criteria (the standard clause/control, the relevant policy, and applicable legal/contractual requirements from the Legal & Regulatory Register), and method (document review, interview, evidence sampling, technical inspection).
- Examine. The auditor gathers objective evidence — sampling records from the registers, Vanta tests, tickets, and signed artifacts — and tests whether each control is designed and operating as documented.
- Record findings. Each finding is classified:
- Major nonconformity — a control is absent, or a systemic failure means the requirement is not met.
- Minor nonconformity — an isolated lapse that does not amount to systemic failure.
- Opportunity for improvement (OFI) — conforms, but could be strengthened. Each finding records the criterion, the evidence, and the affected area.
- Report. The auditor issues a written Internal Audit Report (see below).
Internal Audit Report — required content
Each audit produces a report containing: audit scope and criteria; auditor and independence basis; dates; method and sample; a list of findings with classifications and evidence; a conformity statement per area; and recommended corrective actions. Reports are stored in the Internal Audit reports area of the evidence library and tabled at the next ISMS Management Review.Handling findings
- Every nonconformity is raised as a corrective action under the Corrective Action & Continual Improvement Procedure, with an owner, root-cause analysis, and a due date.
- Major nonconformities are escalated to the CISO and CEO at the time of identification and must have a corrective-action plan before the next management review.
- Open findings and their status are a standing agenda item at every ISMS Management Review until closed and verified.
Records
- Audit programme (annual).
- Per-audit plans and Internal Audit Reports — retained for 6 years.
- Corrective-action records linked to each finding.
Cross-references
- Information Security Policy — ISMS.
- AI Acceptable Use Policy → AIMS — AIMS.
- ISMS Management Review Procedure.
- Corrective Action & Continual Improvement Procedure.
- ISO 27001:2022 SoA / ISO 42001 AIMS SoA.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial internal audit procedure (ISMS + AIMS; independence model). | Cameron Wolfe | Ishan Jadhwani |