Internal audit

ISO/IEC 20000-1 Clause 9.2 requires you to run internal audits on a planned schedule to confirm your service management system (SMS) both meets requirements and works in practice. To operationalize it, you need an audit program, an audit plan and schedule, competent independent auditors, documented results, and tracked corrective actions tied back to SMS processes.

Key takeaways:

  • You must audit both conformance (meets requirements) and effectiveness (works and stays maintained).
  • Audits need a planned cadence, defined scope/criteria, competent auditors, and documented results.
  • Findings must drive corrective actions you track to closure with evidence.

The internal audit requirement in ISO/IEC 20000-1 is straightforward on paper but easy to under-build in reality. Clause 9.2 is not asking for a one-off checklist exercise. It expects an ongoing audit program that gives leadership reliable information about whether the SMS conforms to requirements and is effectively implemented and maintained. That means you need coverage across your SMS processes, not just incident and change, and you need evidence that audits lead to correction and improvement rather than sitting in a folder.

For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat internal audit as an operational control with inputs (audit plan, criteria, evidence), activities (interviews, sampling, control testing), outputs (findings and reports), and outcomes (corrective actions closed, systemic fixes verified). Your auditors do not need to be a separate department, but they must be competent and sufficiently independent from the work being audited to produce credible results.

If you manage third parties that deliver parts of your services, internal audits are also where you verify that supplier controls and service commitments are actually embedded in your SMS and operating as designed.

Regulatory text

Requirement (excerpt): “The organization shall conduct internal audits at planned intervals to provide information on whether the service management system conforms to requirements and is effectively implemented and maintained.” [1]

Operator interpretation (what you must do):

  • Planned intervals: You must define an audit schedule (risk-based is fine) and follow it, or document justified changes.
  • Conforms to requirements: Your audits must test conformity against applicable ISO/IEC 20000-1 requirements and your own SMS requirements (policies, process descriptions, service commitments).
  • Effectively implemented and maintained: You must test operation in practice (records, tickets, logs, approvals, monitoring) and confirm the SMS continues to work over time, not just “exists.”

Plain-English interpretation of the internal audit requirement

Internal audit is your structured way to prove two things:

  1. Design is right: the SMS is documented, complete, and aligned to requirements.
  2. Execution is real: teams follow the SMS, controls operate, and issues get corrected and stay corrected.

Audits that only review documents usually fail the “effectively implemented” part. Audits that only sample tickets without mapping to requirements usually fail the “conforms” part. Your program must do both.

Who it applies to (entity and operational context)

This applies to any organization operating an ISO/IEC 20000-1 service management system, including:

  • Internal IT service organizations supporting the business.
  • External service providers delivering services to customers.
  • Hybrid models where critical service components are provided by third parties (cloud, managed services, SaaS), because your SMS still needs to control and govern those dependencies.

Operationally, it applies across SMS scope: service portfolio, service level management, incident/request, problem, change/release, configuration management, capacity/availability/continuity, information security controls as they intersect with service management, and supplier management where suppliers affect service delivery.

What you actually need to do (step-by-step)

1) Define your audit program (the “system” for auditing)

Create an internal audit procedure or standard that defines:

  • Audit objectives: confirm SMS conformance and effectiveness [1].
  • Scope rules: what’s in scope (SMS scope statement) and how you include supplier-managed components.
  • Roles/responsibilities: audit owner, auditors, process owners, approvers.
  • Independence rules: auditors cannot audit their own work or direct responsibilities for the process being audited.
  • Methods: interviews, walkthroughs, record sampling, control tests, observation.
  • Finding types and severity model: nonconformity, observation, opportunity for improvement (keep it simple but consistent).
  • Corrective action linkage: every nonconformity must route into corrective action tracking with an owner and verification.

Practical tip: Write “audit criteria” explicitly for each audit. Criteria should include the ISO clause(s) and your internal SMS documents that implement them.

2) Build a risk-informed audit plan and schedule

Create an annual (or rolling) audit plan that covers:

  • All SMS processes over time.
  • Higher-risk services and processes more frequently (major incidents, high change volume, customer-impacting SLAs, sensitive data handling, heavy third-party reliance).

Include, per planned audit:

  • Audit scope (process/service/organizational unit).
  • Audit criteria (ISO clauses + internal requirements).
  • Planned timing window.
  • Assigned auditor(s).

What exams look for: evidence that audits happen “at planned intervals” and that the plan isn’t ignored when operations get busy [1].

3) Ensure auditor competence and independence

You need auditors who can:

  • Understand ISO/IEC 20000-1 requirements at a requirement-testing level.
  • Trace requirements into your SMS documentation and into operational records.
  • Ask process questions that reveal whether the control is real.

Document:

  • Auditor qualifications (training, experience, internal competency assessment).
  • Independence checks (simple conflict statement per audit is enough).

4) Execute audits with evidence-based testing

For each audit, prepare an audit plan and then test in three layers:

Layer A: Requirement mapping

  • Map relevant ISO requirements to your SMS process documents.
  • Confirm process interfaces (incident-to-problem, change-to-release, CMDB dependencies, supplier escalation).

Layer B: Design review

  • Validate the procedure exists, is approved, and has defined inputs/outputs, roles, and records.

Layer C: Operating effectiveness testing

  • Sample real artifacts: tickets, approvals, post-incident reviews, change records, meeting minutes, SLA reports, monitoring alerts.
  • Verify timeliness and completeness against your own process requirements.
  • Test exceptions: look for bypass paths (emergency changes, manual overrides, supplier “we handle it” situations).

Supplier/third-party angle: Where a third party performs a control step (monitoring, backups, incident response), your audit should verify you have governance evidence (reports, attestations, review minutes, escalation records) that shows the SMS still manages that activity.

5) Report results and drive corrective action

Your audit report should include:

  • Scope, criteria, dates, auditor names.
  • Summary of what was tested.
  • Findings with clear requirement references.
  • Evidence references (ticket IDs, document names, report dates).
  • Corrective action requests for nonconformities.

Then:

  • Log corrective actions in a centralized tracker.
  • Require root cause analysis for systemic issues.
  • Set closure criteria: “fix implemented + evidence + verification.”
  • Perform follow-up verification and document it.

6) Feed management review and continual improvement

Internal audit outputs should inform management about:

  • Control weaknesses that threaten service commitments.
  • Recurring themes (process non-adherence, tooling gaps, training gaps).
  • Supplier-related issues affecting service quality.

Even if you already do management review, explicitly include internal audit results as an input so the SMS shows it is “maintained,” not static [1].

Required evidence and artifacts to retain

Keep artifacts in a way that is searchable and tied to scope.

Minimum set (typical):

  • Internal audit policy/procedure and audit program charter.
  • Audit plan and schedule showing planned intervals [1].
  • Audit plans per engagement: scope, criteria, agenda, sampling approach.
  • Auditor competency records and independence attestations.
  • Working papers: checklists, interview notes, sampling sheets, screenshots/exports.
  • Audit reports with findings and requirement references.
  • Corrective action log: owner, actions, evidence, verification notes, closure approval.
  • Follow-up audit evidence for prior nonconformities (closure validation).
  • Evidence of management visibility (management review minutes or action summaries referencing audit results).

Common exam/audit questions and hangups

Expect these, and prepare your evidence bundle accordingly:

  • “Show me your audit schedule and which audits actually occurred.”
  • “How did you determine audit frequency and scope?”
  • “How do you ensure auditors are independent from the area audited?”
  • “Show one finding end-to-end: discovery → corrective action → verification.”
  • “How do audits confirm effectiveness, not just documentation?”
  • “How are supplier-managed service components covered in the SMS and audited?”

Hangups that trigger deeper scrutiny:

  • Repeated findings across audits with weak corrective action.
  • Audits performed but not reported, or reported without evidence references.
  • “Audits” that are really operational meetings without criteria or testing.

Frequent implementation mistakes and how to avoid them

Mistake: Treating internal audit as a document review.
Fix: Require operating effectiveness testing every time (tickets, approvals, monitoring, records) and document sampling results.

Mistake: No clear audit criteria.
Fix: List audit criteria explicitly: ISO clauses plus internal procedures and service commitments.

Mistake: Auditors auditing their own processes.
Fix: Create a simple independence rule and keep a rotation roster.

Mistake: Findings don’t link to corrective action.
Fix: Make corrective action logging mandatory for nonconformities, and require verification evidence before closure.

Mistake: Over-scoping the first year.
Fix: Start with the highest-risk processes and mature coverage iteratively, while still maintaining a planned schedule across the SMS scope.

Enforcement context and risk implications

No public enforcement cases were provided in the available source catalog. Practically, weak internal audit creates second-order risk: problems persist unnoticed, service failures repeat, and you lose the evidence trail that proves the SMS is maintained. For external service providers, that can translate into failed customer audits, certification risks, and contractual friction when customers ask for assurance.

A practical 30/60/90-day execution plan

First 30 days (stand up the mechanism)

  • Confirm SMS scope and list in-scope processes/services.
  • Draft internal audit procedure: scope, independence, methods, reporting, corrective action workflow.
  • Build an audit universe: processes, services, key third parties supporting delivery.
  • Select and train auditors; document competence and independence approach.
  • Publish an initial audit schedule with prioritized audits and defined criteria [1].

Next 60 days (run audits and prove follow-through)

  • Execute initial audits on high-risk processes (typically incident/request, change/release, and supplier management where it affects service outcomes).
  • Produce audit reports with evidence references.
  • Open corrective actions for nonconformities and assign owners.
  • Start follow-up verification on quick fixes; document closure evidence.

Next 90 days (normalize and integrate into governance)

  • Expand audit coverage to remaining SMS processes and key services.
  • Perform follow-up audits/verification for earlier findings and document effectiveness.
  • Summarize audit outcomes and recurring issues for management review inputs.
  • Refine the audit plan based on what findings reveal (process maturity, supplier dependencies, tooling gaps).

Daydream (practical fit without extra overhead)

If you are coordinating audits across multiple teams and third parties, Daydream can serve as the system of record for the audit plan, working papers, evidence requests, and corrective action tracking. The main benefit is operational: one place to map requirements to tests, attach evidence, and show closure verification without rebuilding spreadsheets each cycle.

Frequently Asked Questions

How often do we need to run internal audits to meet ISO/IEC 20000-1 Clause 9.2?

The clause requires audits at “planned intervals,” but it does not set a specific frequency [1]. Set a schedule you can execute consistently, and adjust based on risk and performance history.

What’s the difference between auditing “conformance” and “effectiveness”?

Conformance checks whether your SMS meets requirements and your own documented rules. Effectiveness checks whether people actually follow those rules and whether the controls work in real operations, shown through records and outcomes [1].

Can process owners perform internal audits?

Avoid having people audit their own work or direct responsibilities for the audited process. You can use cross-functional auditors, internal assurance staff, or trained personnel from other teams to maintain independence.

Do we need a formal internal audit report for every audit?

Yes in practice, because you need consistent evidence of what was audited, what criteria were used, what was found, and what actions were taken. A lightweight template is fine if it contains scope, criteria, results, and evidence references.

How should we audit third parties that deliver parts of the service?

Audit your SMS controls over the third party: governance, monitoring, escalation, performance reviews, and how supplier outputs feed your incident/change processes. You are proving your SMS remains effective even when delivery is shared.

What evidence is most persuasive to external auditors or certification bodies?

A clear audit schedule, completed audit reports with traceable evidence, and corrective actions that are verified to closure. Auditors also respond well to requirement-to-test traceability because it shows disciplined coverage [1].

Footnotes

  [1] ISO/IEC 20000-1:2018 Information technology — Service management

ISO/IEC 20000-1 Internal audit: Implementation Guide | Daydream