You may please look for all mentioned below during internal audit.. in addition to Annex A controls..
List of assets (with owners, threats, controls and vulnerabilities) available?
Access controls defined? (Authorization forms)
Information labelling carried out?
Security Incidents monitored?
Security events monitored?
Backup integrity monitored?
Risk assessment methodology defined?
Risk assessment covers all the assets?
Risk assessment study documents available?
Additional Control Records maintained?
Test records maintained? (mainly for System admin)
SoA Prepared and complete?
Employee Training records available with respect to ISMS?
Internal audit Plan and Audit reports maintained?
Risk Mitigation plan available?
Competency Matrix available?
Training effectiveness records available?
Roles and Responsibilities defined?
Department specific procedures documented?
(mainly HR / Admin/ System admin / MR related)
BCP and management Process available?