How to create an ISO 20000 internal audit checklist

Implementing and managing an ISO 20000-based Service Management System (SMS) brings many challenges, but sooner or later organizations overcome them. One element of the SMS that companies must keep an eye on permanently is the internal audit.

Since the SMS covers IT services from their design and creation (i.e., transition) through operation, improvement, and retirement, it necessarily involves many processes, related activities, roles and responsibilities, documents, and records. The internal audit covers all of these. If you are given responsibility for setting up the internal audit, with everything that requires, it does not look like a simple job. But it does not need to be complicated, either. First, ISO 20000 has clear requirements for the internal audit, and second, an internal audit checklist makes the audit much easier. So, let's see what the requirements for the internal audit are, and then how to handle the internal audit checklist.

The requirements

Where the internal audit is concerned, ISO 20000 is quite straightforward. The internal audit must be conducted at planned intervals; in practice that means at least once a year, and additionally after a significant change to the SMS. If you have implemented another ISO management system standard, e.g., ISO 27001, ISO 9001, or ISO 14001, you have already faced the same requirement: the internal audit is mandatory there too, so an audit procedure you already have up and running can be reused to fulfill the ISO 20000 requirement.

So, let's see what the standard requires of the internal audit. It must determine whether the SMS and the services:

  • fulfill the requirements in ISO/IEC 20000-1
  • fulfill the service requirements and the SMS requirements identified by the service provider
  • be effectively implemented and maintained

In line with the above requirements, the internal audit should confirm that ISO 20000 is implemented and that the services do what was required of them. It sounds simple, but it is not: a lot of elements need to be checked before you can say the SMS is compliant. One additional, important requirement is that auditors must not audit their own work. This means that the internal auditor cannot be the same person who implemented the SMS. Medium-sized and larger organizations have people working only on audits (sometimes as part of the Quality Management System), and you can use them as an independent party to perform the internal audit, or you can bring in someone from outside the company. Smaller companies will have to find someone who is not involved in the SMS, or use an external party. Whoever does it, they need to check the real state of the SMS, because the organization itself is (highly) interested in getting a realistic picture. That makes the audit even more important.


Creating the list

The audit checklist is actually a set of questions the internal auditor will ask to check whether the ISO 20000 requirements are fulfilled, i.e., whether the processes are functional. Because the processes reach deep into daily activities, it matters that they add value, so the questions in your internal audit checklist should focus on whether the processes are effective and efficient, not merely on whether they exist. For example, you must monitor and report on your services' performance. But do any improvement initiatives come out of this? What actions are taken after the report is generated?

Since ISO 20000 requires that all of its requirements be implemented, take advantage of that fact: list every requirement from the standard and look for evidence that each one is fulfilled. While doing so, look for the value created. It is not enough to create an incident record (with all the required information); something must also be done with that information. For example, monitor the resolution of incidents and compare resolution times with the targets in the Service Level Agreement (SLA). Create monthly reports of all incidents and analyze the data. That will show you where improvements are needed: sometimes in the services themselves, but sometimes in the team or in the process.

The content

The audit checklist should have a simple, column-based form with the following columns:

Reference – this is the ISO 20000 standard clause.

Content – this is what you are looking for, i.e., requirements of the standard.

Evidence – this is the column where the auditor records what was examined: the evidence seen, the people interviewed, the names of the records reviewed, etc.

Compliance – usually in Yes/No format; this is the “verdict” on whether the company fulfills that particular requirement.

Since ISO 20000 has 256 “shall’s,” i.e., things that must be fulfilled, do not expect the list to be short. Whatever its length, it is important that the list covers all requirements and checks the usability of the SMS. A well-prepared list makes your internal audit a much easier and more transparent job.
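As an added illustration (not from the article and not an Advisera tool), the following Python script ties the two ideas above together: it builds the monthly incident-versus-SLA report suggested in “Creating the list,” and uses it to fill one row of the column-based checklist (Reference, Content, Evidence, Compliance). The row is compliant only when every SLA breach in the report has a recorded improvement action, which is exactly the “what happens after the report?” question the audit should ask. The clause reference is a placeholder, and the SLA targets, incident records and action register are constructed sample data, not values defined by ISO/IEC 20000-1.

```python
"""Added example for the article: one audit checklist row whose Evidence and
Compliance columns are derived from incident data compared against SLA targets.
All data below is constructed for illustration; the clause reference is a
placeholder, not a real ISO/IEC 20000-1 clause number."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed SLA resolution targets per priority (an assumption for this example).
SLA_TARGETS = {
    "P1": timedelta(hours=4),
    "P2": timedelta(hours=8),
    "P3": timedelta(days=3),
}

# Constructed incident records: (incident id, priority, opened, resolved).
INCIDENTS = [
    ("INC-001", "P1", "2023-03-02 09:00", "2023-03-02 11:30"),
    ("INC-002", "P1", "2023-03-10 14:00", "2023-03-10 20:15"),  # 6h15m > 4h target
    ("INC-003", "P2", "2023-03-15 08:00", "2023-03-15 15:00"),
    ("INC-004", "P3", "2023-04-01 10:00", "2023-04-05 10:00"),  # 4 days > 3-day target
    ("INC-005", "P2", "2023-04-12 09:00", "2023-04-12 12:00"),
]

# Constructed improvement register: breached incident -> follow-up action taken.
# INC-004 deliberately has no entry, so the audit row will come out non-compliant.
ACTIONS = {"INC-002": "RFC-17 raised: add P1 on-call escalation after 2h"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def monthly_sla_report(incidents, targets):
    """Group incidents by the month they were opened and list those whose
    resolution time exceeded the SLA target for their priority.
    Returns {"YYYY-MM": {"total": n, "breached": [incident ids]}}."""
    report = defaultdict(lambda: {"total": 0, "breached": []})
    for inc_id, prio, opened, resolved in incidents:
        month = _parse(opened).strftime("%Y-%m")
        report[month]["total"] += 1
        if _parse(resolved) - _parse(opened) > targets[prio]:
            report[month]["breached"].append(inc_id)
    return dict(report)


@dataclass
class ChecklistItem:
    """One row of the column-based checklist described in the article."""
    reference: str            # Reference: the standard clause being audited
    content: str              # Content: the requirement you are looking for
    evidence: str = ""        # Evidence: what the auditor examined
    compliant: bool = False   # Compliance: the Yes/No verdict


def audit_incident_follow_up(incidents, targets, actions):
    """Fill one checklist row. The row is compliant only if every SLA breach
    in the monthly report has a recorded improvement action; a report that is
    produced but never acted upon does not pass."""
    report = monthly_sla_report(incidents, targets)
    breached = [i for month in sorted(report) for i in report[month]["breached"]]
    unactioned = [i for i in breached if i not in actions]
    item = ChecklistItem(
        reference="(clause reference placeholder)",
        content="Incident resolution times are compared with SLA targets "
                "and breaches lead to improvement actions",
        evidence=(f"Monthly report covering {len(report)} month(s), "
                  f"{len(breached)} SLA breach(es); "
                  f"no follow-up action recorded for: {unactioned or 'none'}"),
        compliant=not unactioned,
    )
    return item, report


if __name__ == "__main__":
    row, rep = audit_incident_follow_up(INCIDENTS, SLA_TARGETS, ACTIONS)
    for month in sorted(rep):
        print(month, rep[month])
    print(row)
```

With the constructed data the report shows one breach in each month (INC-002 and INC-004); because INC-004 has no recorded action, the Compliance column comes out “No” and the Evidence column names the gap, which is the kind of finding that should end up in the nonconformity table discussed below. Adding an action for INC-004 to the register flips the verdict to “Yes.”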

That’s not the end

Once the audit is done, a report with the findings should be created. The report should also include a short list of nonconformities. Nonconformities can be graded (major, medium, minor), and it is advisable to do so. What management looks for is the table of nonconformities; based on it, they will judge the effectiveness of the SMS and (usually) the work of the people involved in it. (See this free online tool for handling nonconformities.)

Besides making sure that nothing is forgotten, the internal audit checklist gives you the opportunity to keep working continuously on the effectiveness of the SMS. In the end, the improvements materialize in your services, and your customers enjoy them. Customers appreciate that, and they know how to show their appreciation.

Use this free ISO 20000 Gap Analysis Tool to check the compliance of your internal audit with the ISO 20000 requirements.

Author
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.