Owner: CISO (programme) with an independent internal auditor performing each audit
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001:2022 cl. 9.2; ISO/IEC 42001:2023 cl. 9.2; SOC 2 (control self-assessment / CC4.1); supports the ISMS Management Review

Purpose

Provide independent assurance that the ISMS and the AI Management System (AIMS) conform to their respective standards (ISO/IEC 27001:2022 and ISO/IEC 42001:2023), to Neuroscale’s own policies, and to applicable legal and contractual requirements — and that they are effectively implemented and maintained.

Independence — the controlling requirement

ISO/IEC 27001:2022 cl. 9.2.2(c) and ISO/IEC 42001 cl. 9.2 require that auditors do not audit their own work. At Neuroscale’s scale, where the CISO/CTO operate most controls, internal audit independence is achieved by one of the following, in order of preference:
  1. Contracted independent internal auditor — a qualified third-party firm (separate from the SOC 2 / ISO certification auditor and separate from the penetration-test vendor) performs the internal audit. This is the default for the ISO certification cycle.
  2. Internal auditor independent of the audited activity — a Neuroscale employee who does not own or operate the control being audited, where such a person exists.
  3. Outside-counsel-supervised review — where neither of the above is available for a given area, VGC LLP supervises the review as the compensating governance control, with the limitation documented.
The auditor for each engagement and the basis for their independence are recorded in the audit plan and the ISMS Management Review minutes.
A clause 9.2 internal audit function independent of the operated controls is a certification dependency for ISO 27001:2022 and ISO 42001; the SOC 2 compensating controls (VGC review, CEO attestation) do not by themselves satisfy it. Standing up option 1 or 2 above is tracked as an open programme item.

Audit programme and frequency

  • A rolling annual audit programme is maintained by the CISO. Over each 12-month cycle the programme covers all clauses (4–10) and all applicable Annex A controls of ISO/IEC 27001:2022 (per the Statement of Applicability) and, for the AIMS, all applicable Annex A controls of ISO/IEC 42001 (per the AIMS Statement of Applicability).
  • The programme is risk-based: areas with higher risk, recent incidents, significant change, or prior findings are audited earlier and/or more frequently.
  • At least one full internal audit covering the ISMS and AIMS is completed before each external certification audit and at least annually thereafter.
  • The programme states, for each planned audit: scope, criteria, method, auditor, and schedule.

Conducting an audit

  1. Plan. The auditor confirms scope, criteria (the standard clause/control, the relevant policy, and applicable legal/contractual requirements from the Legal & Regulatory Register), and method (document review, interview, evidence sampling, technical inspection).
  2. Examine. The auditor gathers objective evidence — sampling records from the registers, Vanta tests, tickets, and signed artifacts — and tests whether each control is designed and operating as documented.
  3. Record findings. Each finding is classified:
    • Major nonconformity — a control is absent, or a systemic failure means the requirement is not met.
    • Minor nonconformity — an isolated lapse that does not amount to systemic failure.
    • Opportunity for improvement (OFI) — conforms, but could be strengthened. Each finding records the criterion, the evidence, and the affected area.
  4. Report. The auditor issues a written Internal Audit Report (see below).

Internal Audit Report — required content

Each audit produces a report containing: audit scope and criteria; auditor and independence basis; dates; method and sample; a list of findings with classifications and evidence; a conformity statement per area; and recommended corrective actions. Reports are stored in the Internal Audit reports area of the evidence library and tabled at the next ISMS Management Review.

Handling findings

  • Every nonconformity is raised as a corrective action under the Corrective Action & Continual Improvement Procedure, with an owner, root-cause analysis, and a due date.
  • Major nonconformities are escalated to the CISO and CEO at the time of identification and must have a corrective-action plan before the next management review.
  • Open findings and their status are a standing agenda item at every ISMS Management Review until closed and verified.

Records

  • Audit programme (annual).
  • Per-audit plans and Internal Audit Reports — retained for 6 years.
  • Corrective-action records linked to each finding.
See the Records Retention Schedule.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0June 13, 2026Initial internal audit procedure (ISMS + AIMS; independence model).Cameron WolfeIshan Jadhwani