What is the purpose of the internal audit report in ISO 20000?

Most of us like to know when we did something well. It’s even better if it comes in writing. On the other hand, if something is not as it should be – there are a lot of arguments as to why it needs to be documented. It’s the same with your ISO 20000-based Service Management System (SMS) – compliance as well as non-compliance with the standard should be evaluated and results documented.

Of course, we can wait until the surveillance audit takes place, but it’s not as easy as that. ISO 20000 requires that internal audits be performed on a regular basis. So, you’ll have to check the compliance of your SMS with the standard. And, you’ll need to document the findings. This internal audit is the mechanism I just described.

What is it?

Besides the fact that the internal audit must be well planned, the standard requires that you record the results of the internal audit. That’s where the internal audit report comes into play. The internal audit report is, basically, the document where findings of the internal audit are recorded.

The internal audit report protects the value that the internal audit creates. This sounds complex, but it’s not. Namely, the internal audit will detect what was done well or what was done incorrectly. It will also detect nonconformities according to the standard’s requirements as well as opportunities for improvement. All of these elements could get lost if they are not documented in an orderly fashion and followed up on.

The content

The standard doesn’t set direct requirements for the internal audit report’s content. But, because the standard sets requirements for the internal audit, one can infer the content of the report. The internal audit has to check:

  • the compliance of the SMS with the standard,
  • whether the SMS fulfills the service requirements, and
  • whether the SMS is effectively implemented.

You can see that the internal audit report has to encompass all aspects of the SMS (i.e., functional and standard-, service-, and customer-related).

The following items are usually found in internal audit reports:

  • General data – dates of the audit and report, person responsible for the audit, etc.
  • Scope of the internal audit – what was audited
  • Improvement recommendations – meaning, no nonconformities, but something could be done better than it is now
  • Nonconformities identified – the most important part of the internal audit report

There is no prescribed or one-template-fits-all document, but it’s important that the internal audit report contains all relevant data that leads to eliminating the nonconformity or implementing the improvement recommendation. So, you are free to adapt it to your business.

What’s the use?

Compared to the report of the certification audit (issued by the certification body), the internal audit report includes an internal view on the SMS. Of course, it confirms that the SMS has fulfilled all ISO 20000 requirements (or, maybe not), but it also provides recommendations for improvements where the SMS fulfills the requirements of the standard, but something could be done better. In essence, the internal audit challenges how the implemented standard underpins the business activities of the company.

For example, you can have incident management implemented according to the standard, and nothing is missing, so you could assume that everything is OK. But, the internal audit reveals that your staff involved in incident management communicates very poorly (using techie language) with non-technical users. So, the level of understanding is almost zero. Users are keen to contact the Help Desk. If you check only incident management, you would get the impression that the process is OK and the company does not have any issues in that area. But, looking around – there are places for improvement.

So, besides checking compliance with the standard and taking a critical look at the application of the SMS on daily activities, the internal audit report is used in management review and should be communicated to all interested parties. That means that the internal audit report should be used by everyone in the organization (not only top management at the management review meeting) who is affected by the SMS’s (non) efficiency.

It’s your tool, anyway

The internal audit and related internal audit report should not be just a bureaucratic step in the lifecycle of your SMS. If you take a business view of the SMS and its use, stay positive during the audit, and have improvement in mind while writing the report – there should be fewer people who would find themselves pointed out (in a negative way) in the report.

Additionally, if you write your internal audit report in a positive and easy-to-understand tone, you create a constructive tool that will be used by the organization to become more efficient, as well as more user- and service-oriented. Having that in mind, the internal audit will turn from being a “necessary evil” into a “hidden weapon” that your competition may not have.


Advisera Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.