ISO 20000 & ITIL® Blog

ISO 20000 internal audit – What is it and why is it important?

Once implemented, ISO 20000 sets requirements in order to continually improve your SMS (Service Management System). And, this is a never-ending story. But, to start improvements (or, sometimes, corrections), you need to start somewhere. The internal audit is one of the sources you can use. ISO 19011:2011 is the international standard that sets guidelines for auditing management systems. It’s an excellent source of information needed for the internal audit. But, there are some requirements in the ISO 20000 standard itself that need to be fulfilled in order to get certified (see the article The brain of an ISO auditor – What to expect at a certification audit to learn more about the auditor’s approach). Consequently, there are also side effects of an internal audit.

The Check phase, i.e., why?

ISO 20000, like most of the standards, is based on the PDCA cycle (Plan-Do-Check-Act or Deming cycle). Basically, the Plan phase is where you define your SMS and plan all your activities and processes to be implemented. The Do phase is where you really implement what you planned. And then, in the Check phase, you have to make sure that your SMS is implemented and performing as planned. This is where your internal audit takes place.

Before you started implementation, the SMS scope, policy, and plan were set. Your management wants to be sure that the SMS is performing as agreed (which is described in the above-mentioned documents). There are two options for this task. One is measurement and  the other one is the internal audit. Let’s focus on the internal audit. Basically, the internal audit should confirm that your SMS and the services it supports are fulfilling service requirements and are performing as agreed. Of course, the internal audit should also confirm that ISO 20000-1 requirements are fulfilled.

Whom do you need?

The internal audit is a mandatory requirement of the standard. Therefore, the company must ensure that all requirements related to the internal audit are fulfilled. For that, there are two persons who are crucial for the internal audit to succeed.

First of all, you need someone responsible for the internal audit, as such. This person will be responsible for:

  • Creating an internal audit plan/program – usually once a year, so we are talking here about an Annual Audit Plan.
  • Appointing the auditor.
  • Review of the results of the previous audit and follow-up actions.
  • Analysis of the audit results and preparing a report for the management review meeting (a formal meeting with company’s management) – this includes the audit report, list of nonconformities, and actions to be performed.
  • Taking care that corrective actions are made without undue delay and that they eliminate the targeted nonconformity, i.e., their causes. Also, the timing of implementation needs to be followed and monitored.

Another important person is the internal auditor. The standard doesn’t set many requirements on auditors’ characteristics – only objectivity and impartiality, i.e., auditors should not audit their own work. That means that the auditor can’t be someone who implemented the SMS or is involved in the maintenance of it. But, from my experience, the auditor should be:

  • Knowledgeable and experienced – in ISO 20000 and IT Service Management (ITSM), generally.
  • Fair – although it sounds “cheap,” it’s important that the auditor isn’t on anyone’s side, but tries to see things objectively.
  • Analytical and collaborative – in such way the auditor will get deeper understanding of the situation and will be able to articulate findings, i.e., his opinion.

These are just some of the auditor’s characteristics. All social skill characteristics of the auditor are a huge advantage as well, e.g., ability to present (his opinion/view or findings) or be a good listener… etc. But, the question is – where to find one? Well, if you are a smaller IT organization, it would be hard to satisfy the standard’s requirement on auditor’s impartiality. This means that you will have to look for an auditor outside the organization. Someone from quality management will be good enough to check whether the standard’s requirements are fulfilled. Maybe there is an internal audit department inside the organization (which is hardly to be the case in smaller organizations). One possibility is to hire someone external. That will ensure impartiality, but it will also bring someone with experience in ISO 20000 and ITSM.

And the benefits…

Besides that the internal audit is mandatory, it’s an even better idea to gain as many benefits as possible. I have done internal audits and experienced that the auditee (organization that is audited) tries to gain as much as possible during the audit process. They saw the opportunity to hear someone else’s experience and view on the same thing they do internally.

Here are a few benefits of the internal audit:

  • Know where you are – an objective and impartial internal audit will show you how good or bad your SMS is and your fulfillment of ISO 20000 requirements.
  • Know what to do – during the audit you will detect many improvement points. Some of them will be officially noted (e.g., as corrective actions), but some of them will not be that obvious, but you will know what to do (e.g. standard’s requirement is officially fulfilled, but something can be done more efficiently).
  • Independence – people inside the organization have lots of information from the past; they know the organization and relationships between people, departments, etc. Performing an internal audit with, e.g., an external auditor (“cool head”) will give you an independent opinion and a lot of facts.
  • Management involvement – internal audit results are one of the inputs for the management review (also mandatory by the standard). In such way, you ensure that management is involved in the SMS and service delivery.

The moment of truth

Once you perform the internal audit – you know where you are. Although some people (i.e., auditees) find the internal audit as “checking whether they perform their job correctly” – it shouldn’t be like that. The internal audit and the result it produces are prerequisites to take (improvement) action. Improvement actions should not be seen as something that serves the organization to satisfy their customers better. There are many opportunities inside the organization to improve. You just have to know which ones. The internal audit can give that answer.

Use this free  ISO 20000 Gap analysis tool to check your conformity with ISO 20000.

Advisera Branimir Valentic
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.