{"id":6241,"date":"2016-06-07T18:07:34","date_gmt":"2016-06-07T18:07:34","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/20000academy\/?p=6241"},"modified":"2025-04-11T10:15:26","modified_gmt":"2025-04-11T10:15:26","slug":"iso-20000-internal-audit-what-is-it-and-why-is-it-important","status":"publish","type":"post","link":"https:\/\/advisera.com\/20000academy\/blog\/2016\/06\/07\/iso-20000-internal-audit-what-is-it-and-why-is-it-important\/","title":{"rendered":"ISO 20000 internal audit \u2013 What is it and why is it important?"},"content":{"rendered":"<p>Once implemented, <a href=\"https:\/\/advisera.com\/20000academy\/what-is-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 20000<\/a> sets requirements in order to continually improve your SMS (Service Management System). And, this is a never-ending story. But, to start improvements (or, sometimes, corrections), you need to start somewhere. The internal audit is one of the sources you can use. ISO 19011:2011 is the international standard that sets guidelines for auditing management systems. It\u2019s an excellent source of information needed for the internal audit. But, there are some requirements in the ISO 20000 standard itself that need to be fulfilled in order to get certified (see the article <a href=\"https:\/\/advisera.com\/blog\/2015\/06\/22\/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit\/\" target=\"_blank\" rel=\"noopener noreferrer\">The brain of an ISO auditor \u2013 What to expect at a certification audit<\/a>\u00a0to learn more about the auditor\u2019s approach). Consequently, there are also side effects of an internal audit.<\/p>\n<h2><strong>The Check phase, i.e., why?<\/strong><\/h2>\n<p>ISO 20000, like most of the standards, is based on the PDCA cycle (Plan-Do-Check-Act or Deming cycle). Basically, the Plan phase is where you define your SMS and plan all your activities and processes to be implemented. 
The Do phase is where you really implement what you planned. And then, in the Check phase, you have to make sure that your SMS is implemented and performing as planned. This is where your internal audit takes place.<\/p>\n<p>Before you started implementation, the <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=service-management-system-scope\" target=\"_blank\" rel=\"noopener\">SMS scope<\/a>, <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=service-management-system-policy\" target=\"_blank\" rel=\"noopener\">policy<\/a>, and <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=service-management-system-plan\" target=\"_blank\" rel=\"noopener\">plan<\/a> were set. Your management wants to be sure that the SMS is performing as agreed (which is described in the above-mentioned documents). There are two options for this task. One is measurement and the other one is the internal audit. Let\u2019s focus on the internal audit. Basically, the internal audit should confirm that your SMS and the services it supports are fulfilling service requirements and are performing as agreed. Of course, the internal audit should also confirm that ISO 20000-1 requirements are fulfilled.<\/p>\n<h2><strong>Whom do you need?<\/strong><\/h2>\n<p>The <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=procedure-for-internal-audit\" target=\"_blank\" rel=\"noopener\">internal audit<\/a>\u00a0is a mandatory requirement of the standard. Therefore, the company must ensure that all requirements related to the internal audit are fulfilled. 
For that, there are two people who are crucial for the internal audit to succeed.<\/p>\n<p>First of all, you need someone responsible for the internal audit, as such. This person will be responsible for:<\/p>\n<ul>\n<li>Creating an <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=annual-internal-audit-program\" target=\"_blank\" rel=\"noopener\">internal audit plan\/program<\/a>\u00a0\u2013 usually once a year, so we are talking here about an Annual Audit Plan.<\/li>\n<li>Appointing the auditor.<\/li>\n<li>Reviewing the results of the previous audit and follow-up actions.<\/li>\n<li>Analyzing the audit results and preparing a report for the management review meeting (a formal meeting with the company\u2019s management) \u2013 this includes the audit report, list of nonconformities, and actions to be performed.<\/li>\n<li>Taking care that corrective actions are made without undue delay and that they eliminate the targeted nonconformities, i.e., their causes. Also, the timing of implementation needs to be followed and monitored.<\/li>\n<\/ul>\n<p>Another important person is the internal auditor. The standard doesn\u2019t set many requirements on auditors\u2019 characteristics \u2013 only objectivity and impartiality, i.e., auditors should not audit their own work. That means that the auditor can\u2019t be someone who implemented the SMS or is involved in the maintenance of it. 
But, from my experience, the auditor should be:<\/p>\n<ul>\n<li>Knowledgeable and experienced \u2013 in ISO 20000 and IT Service Management (ITSM), generally.<\/li>\n<li>Fair \u2013 although it sounds \u201ccheap,\u201d it\u2019s important that the auditor isn\u2019t on anyone\u2019s side, but tries to see things objectively.<\/li>\n<li>Analytical and collaborative \u2013 in this way, the auditor will get a deeper understanding of the situation and will be able to articulate findings, i.e., his opinion.<\/li>\n<\/ul>\n<p>These are just some of the auditor\u2019s characteristics. Social skills are a huge advantage as well, e.g., the ability to present (his opinion\/view or findings) or to be a good listener, etc. But, the question is \u2013 where to find one? Well, if you are a smaller IT organization, it would be hard to satisfy the standard\u2019s requirement on the auditor\u2019s impartiality. This means that you will have to look for an auditor outside the organization. Someone from quality management will be good enough to check whether the standard\u2019s requirements are fulfilled. Maybe there is an internal audit department inside the organization (which is hardly likely to be the case in smaller organizations). One possibility is to hire someone external. That will ensure impartiality, but it will also bring someone with experience in ISO 20000 and ITSM.<\/p>\n<h2><strong>And the benefits\u2026<\/strong><\/h2>\n<p>Besides the fact that the internal audit is mandatory, it\u2019s an even better idea to gain as many benefits as possible. I have done internal audits and experienced that the auditee (organization that is audited) tries to gain as much as possible during the audit process. 
They saw the opportunity to hear someone else\u2019s experience and view on the same thing they do internally.<\/p>\n<p>Here are a few benefits of the internal audit:<\/p>\n<ul>\n<li>Know where you are \u2013 an objective and impartial internal audit will show you how good or bad your SMS and your fulfillment of ISO 20000 requirements are.<\/li>\n<li>Know what to do \u2013 during the audit you will detect many improvement points. Some of them will be officially noted (e.g., as corrective actions), but some of them will not be that obvious, but you will know what to do (e.g., the standard\u2019s requirement is officially fulfilled, but something can be done more efficiently).<\/li>\n<li>Independence \u2013 people inside the organization have lots of information from the past; they know the organization and relationships between people, departments, etc. Performing an internal audit with, e.g., an external auditor (\u201ccool head\u201d) will give you an independent opinion and a lot of facts.<\/li>\n<li>Management involvement \u2013 internal audit\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=internal-audit-report\" target=\"_blank\" rel=\"noopener\">results<\/a>\u00a0are one of the inputs for the management review (also mandatory by the standard). In this way, you ensure that management is\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=management-review-minutes\" target=\"_blank\" rel=\"noopener\">involved<\/a>\u00a0in the SMS and service delivery.<\/li>\n<\/ul>\n<h2><strong>The moment of truth<\/strong><\/h2>\n<p>Once you perform the internal audit \u2013 you know where you are. Although some people (i.e., auditees) see the internal audit as \u201cchecking whether they perform their job correctly\u201d \u2013 it shouldn\u2019t be like that. 
The internal audit and the result it produces are prerequisites to take (improvement) action. Improvement actions should not be seen as something that serves the organization to satisfy their customers better. There are many opportunities inside the organization to improve. You just have to know which ones. The internal audit can give that answer.<\/p>\n<p><em>To implement ISO 20000 easily and efficiently, use our<\/em> <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 20000 Documentation Toolkit<\/a> <em>that provides step-by-step guidance for full ISO 20000 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Once implemented, ISO 20000 sets requirements in order to continually improve your SMS (Service Management System). And, this is a never-ending story. But, to start improvements (or, sometimes, corrections), you need to start somewhere. The internal audit is one of the sources you can use. ISO 19011:2011 is the international standard that sets guidelines for 
&#8230;<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[535,534,125,366],"class_list":["post-6241","post","type-post","status-publish","format-standard","hentry","category-blog","tag-auditee","tag-auditor","tag-internal-audit","tag-iso-20000"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/6241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/comments?post=6241"}],"version-history":[{"count":2,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/6241\/revisions"}],"predecessor-version":[{"id":18235,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/6241\/revisions\/18235"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/media?parent=6241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/categories?post=6241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/tags?post=6241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}