How to prepare for an ISO 20000 internal audit

An internal audit of your ISO 20000 Information Technology Service Management (ITSM) system is a useful management tool. Properly prepared and managed, the internal audit gives an overview of how the organization – and the IT services it delivers – are set up, managed, and improved. But, after spending months to implement ISO 20000, many people involved in the implementation think that the internal audit is just one more checkbox to be ticked before the “real” auditor comes.

Besides the fact that ISO 20000 (like other international standards) requires an internal audit as a mandatory step before the certification audit, the internal audit is an organization’s tool to assess the current state of their ITSM system. But, to be sure that the internal audit is efficient, there are a few steps that need to be taken care of.

Keep control

When we discuss the internal audit, companies usually have their own approach based on their size, the type of business they do, implementation of the service management system (SMS), etc. But, there are some steps that the majority of organizations need to consider while preparing for the internal audit:

1) Recruit and train your internal auditor – First of all, ISO 20000 prohibits auditors from auditing their own work, and for good reason. Therefore, you need to look for one or more people who are independent from the implementation project and educate them on how to perform an internal audit of the ITSM system. There are few options for that. It’s quite common for organizations to use their own employees who, on a part-time basis, perform the role of internal auditor. Then, there are companies that have their own internal auditors (particularly in larger organizations), and finally, there are companies that engage external parties for the internal audit.

2) Make it official – The standard requires a documented procedure for the internal audit with defined authorities and responsibilities. Also, the internal audit plan should be prepared, along with the time schedule of the audit. Afterward, the audit report and nonconformities must be documented. Although it seems bureaucratic, it’s actually quite useful because this way, everyone involved will know exactly what to do. Read the article ISO 20000 internal audit – What is it and why is it important? to learn more about the internal audit.

3) Prepare for the audit – “Homework” needs to be done before the audit, and the results of that preparation will be reflected in the internal audit checklist. Your internal auditors need to be familiar with the standard’s requirements, as well as the scope of the implementation. Additionally, they will need to have clear understanding about the IT services the company provides, the organizational setup, and the processes that support the services. In this way, they will have clear view of the relationship between the standard’s requirements and services you provide. Good preparation of your internal auditors includes a review of the results of previous internal and certification audits. Work done during the preparation will be checked once the internal audit starts. Read the article How to create an ISO 20000 internal audit checklist to see how to create the checklist for the internal audit.

4) Prepare your employees – This is one of the more difficult steps. Usually, employees see the audit as a management tool used to find mistakes in the way someone performs his job. Let’s be straight – there are many methods one could use to estimate someone’s efficiency, but the internal audit shouldn’t be one of them. Instead, the internal audit should be communicated and presented to your employees as an improvement tool, which is also how corrective actions should be presented.

5) Involve top management – All of the above mentioned about preparing your employees will be highly influenced by the top management’s approach to the internal audit. Top management needs to see the internal audit from the perspective of potential improvement (not as a tool for finding fault) and should be involved in approving internal audit-related documents (like the procedure and audit plan). They should also actively participate in results analysis (e.g., by reading the internal audit report and ensuring that corrective actions are implemented). In this way, employees will see that the internal audit is not used to find someone to blame, but to make positive progress in the company’s IT Service Management.

Regardless of whether you use an internal or an external auditor, all these steps need to be done. If you do use an external auditor to perform the internal audit for you, then you’ll need someone inside your organization to be his helping hand (e.g., to organize the people involved, to create awareness inside the organization and among its employees, to communicate and help the auditor with top management and their involvement, etc.).

Forget perfection

Everyone involved in the SMS has some responsibility for the internal audit. Top management should not see it as an overhead cost, but approach it seriously and put it on their regular agenda. SMS management needs to educate all involved employees and proactively manage preparation and execution of the internal audit. Later on, after the internal audit is finished, they need to manage all actions related to any nonconformities that were found. Employees should dedicate their time to actively participate and cooperate with auditors.

Nothing in the world is perfect. The same applies for the implemented SMS, too. Therefore, the internal audit is an excellent tool to detect imperfections (i.e., nonconformities) that could potentially harm the SMS and the IT services it supports. Your customers are the users of your services and, for sure, no one wants to put their satisfaction in danger.

To learn more about preparations for the internal audit, check out this book: ISO Internal Audit: A Plain English Guide.

Advisera Branimir Valentic
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.