Overview
Plan and execute internal audits of your Service Management System as required by ISO/IEC 20000-1:2011 Clause 4.5.4.2. This skill produces an annual audit program that covers all SMS clause areas (Clauses 4 through 9), individual audit engagement plans with methodology and audit questions, structured findings with severity classifications, and corrective action plans for every nonconformity.
Internal audits are the primary mechanism for verifying that your SMS is effectively implemented and maintained. Without a systematic audit program, nonconformities go undetected, processes drift from documented procedures, and certification auditors find surprises. This skill ensures your audit program is risk-based, your findings are classified consistently, and every nonconformity has a root cause analysis and corrective action with an assigned owner.
For a step-by-step walkthrough, see the ISO 20000 SMS workspace tutorial.
What It Covers
- Annual audit program – scope coverage plan ensuring all ISO 20000 clauses are audited, risk-based frequency, auditor pool with independence confirmation
- Engagement planning – objectives, scope, criteria, audit team, and schedule for each audit
- Audit methodology – document review, interviews, process observation, and evidence sampling approaches
- Finding classification – Major NC, Minor NC, Observation, and OFI with objective evidence for each
- Corrective action plans – root cause analysis, systemic corrective actions, responsible owners, target dates, and verification methods
- Audit reporting – executive summary, findings table, corrective action plan, and recommendations
Example Conversation
You: We need to set up our internal audit program for ISO 20000. We’ve had the SMS running for six months and haven’t done any audits yet.
Agent: I’ll help you create the audit program and plan your first engagement. Let me load your SMS context first – I can see your organization profile and service catalog. Let me start with the annual audit program.
Since this is your first audit cycle, I recommend auditing all clause areas within the first year with higher frequency for areas you consider higher risk. Which process areas are you most concerned about?
You: Incident management and change management have been the most problematic. We’ve had a few unauthorized changes and our incident resolution times are inconsistent.
Agent: I’ll set those as high-risk areas with quarterly audit frequency. The remaining areas will be audited semi-annually. For the auditor pool, ISO 20000 requires auditor independence – auditors must not audit their own work. Who is available to conduct audits?
You: We have three team leads who can cross-audit: Sarah (Service Delivery), James (Operations), and Priya (IT Security). Our SMS Manager David coordinates.
Agent: Good. I’ll assign them so no one audits their own area. Let me now plan the first audit engagement targeting Clause 8 (Resolution Processes) since incident management is your top concern.
For this engagement, I’ll define:
- Scope: Incident management and problem management (Clause 8)
- Criteria: ISO 20000-1 Clause 8 requirements, your incident management procedure, SLA targets
- Auditor: James (Operations) – independent from service delivery
- Method: Document review of incident records, interviews with service desk staff, sampling of 20 recent incidents
Shall I proceed with defining the audit questions for Clause 8?
You: Yes. Also, we already know that about 15% of changes last quarter were not properly authorized. Can you include a finding for that?
Agent: I’ll document that as a finding. Based on the evidence you described, here’s the classification:
NC-001 (Minor NC) – Clause 9.2 Change Management: 15% of changes in Q3 were implemented without documented CAB authorization. Evidence: change log analysis shows 12 of 80 changes lacked approval records. This is a partial conformity gap – the process exists but is not consistently followed.
For the corrective action, I need to understand the root cause. Why were these changes not authorized – was it emergency pressure, unclear process, or lack of enforcement?
You: Mostly developers pushing config changes directly without going through the change process. They say the CAB meeting schedule is too infrequent.
Agent: Root cause identified: CAB meeting frequency does not accommodate the pace of operational changes, leading staff to bypass the process. I’ll document a corrective action that addresses the systemic issue – for example, introducing a lightweight standard change pre-authorization for low-risk config changes, plus reinforcement training.
Let me now generate the full audit report and findings file, then validate… Running audit_report_validator – all checks passed. Clause coverage complete, all findings have classifications and evidence, and the NC has a root cause and corrective action with target date.
Sample Output Excerpt
The skill produces an audit program document, an audit report, and a structured findings JSON file. Here is a representative excerpt from the findings file.
```json
{
  "audit_program": {
    "cycle": "2025-2026",
    "clause_coverage": {
      "4": { "frequency": "semi-annual", "next_audit": "2025-07" },
      "5": { "frequency": "semi-annual", "next_audit": "2025-09" },
      "6": { "frequency": "quarterly", "next_audit": "2025-06" },
      "7": { "frequency": "semi-annual", "next_audit": "2025-08" },
      "8": { "frequency": "quarterly", "next_audit": "2025-06" },
      "9": { "frequency": "quarterly", "next_audit": "2025-06" }
    }
  },
  "findings": [
    {
      "id": "NC-001",
      "clause": "9.2",
      "classification": "Minor NC",
      "title": "Unauthorized changes bypassing CAB approval",
      "description": "15% of changes in Q3 2025 were implemented without documented CAB authorization.",
      "evidence": "Change log analysis: 12 of 80 changes lacked approval records. Interviews confirmed developers push config changes directly.",
      "root_cause": "CAB meeting frequency insufficient for operational change pace; no standard change pre-authorization mechanism.",
      "corrective_action": "Implement standard change pre-authorization for low-risk config changes; conduct change management refresher training for all technical staff.",
      "responsible": "James (Operations Lead)",
      "target_date": "2025-07-15",
      "verification_method": "Sample 30 changes post-implementation to confirm 100% authorization rate"
    },
    {
      "id": "OFI-001",
      "clause": "8.1",
      "classification": "OFI",
      "title": "Incident categorization consistency",
      "description": "Incident categorization is applied but categories are inconsistently used across shifts.",
      "evidence": "Review of 20 incidents showed 4 miscategorized entries (network issues logged as application faults).",
      "corrective_action": "Update categorization guide with decision tree and examples; add to service desk onboarding.",
      "responsible": "Sarah (Service Delivery Lead)",
      "target_date": "2025-08-01"
    }
  ]
}
```
Extension Tools
audit_report_validator
Validates audit-findings.json for ISO/IEC 20000-1:2011 Clause 4.5.4.2 compliance. Run after writing the audit findings file.
| Check | What It Validates |
|---|---|
| Clause coverage | All clause areas (4 through 9) are represented in the audit program |
| Finding completeness | Each finding has a classification, objective evidence, and corrective action |
| Classification validity | Classifications are one of: Major NC, Minor NC, Observation, OFI |
| NC corrective actions | Every nonconformity has a root cause analysis, responsible person, and target date |
| Audit program scope | The annual program covers all required SMS clauses |
Each validator check result is reported at ERROR or WARNING severity with a field reference and an explanatory message.
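As an added illustration (not the skill's own audit_report_validator), the following Python applies the checks from the table above to a constructed findings document in the same shape as the excerpt. The ERROR/WARNING split is an assumption, since the page does not say which check carries which severity: a gap in a nonconformity is an ERROR, a gap in an Observation or OFI is a WARNING.

```python
import json

CLAUSES = {"4", "5", "6", "7", "8", "9"}          # SMS clause areas the program must cover
CLASSIFICATIONS = {"Major NC", "Minor NC", "Observation", "OFI"}
NONCONFORMITIES = {"Major NC", "Minor NC"}
NC_FIELDS = ("root_cause", "responsible", "target_date")  # required for every NC

# Constructed sample in the shape of the page's findings excerpt. Clause 7 is left
# out of the program and OFI-001 has no evidence, so both severities show up.
SAMPLE = json.loads("""{
  "audit_program": {"cycle": "2025-2026", "clause_coverage": {
    "4": {"frequency": "semi-annual"}, "5": {"frequency": "semi-annual"},
    "6": {"frequency": "quarterly"},   "8": {"frequency": "quarterly"},
    "9": {"frequency": "quarterly"}}},
  "findings": [
    {"id": "NC-001", "clause": "9.2", "classification": "Minor NC",
     "evidence": "12 of 80 changes lacked approval records",
     "root_cause": "CAB frequency insufficient for change pace",
     "corrective_action": "Standard change pre-authorization for low-risk changes",
     "responsible": "James (Operations Lead)", "target_date": "2025-07-15"},
    {"id": "OFI-001", "clause": "8.1", "classification": "OFI",
     "corrective_action": "Update categorization guide with decision tree"}
  ]
}""")

def validate(doc):
    """Return (severity, field_reference, message) tuples; an empty list means all checks passed."""
    results = []
    # Clause coverage / audit program scope: every clause area 4-9 must be scheduled.
    covered = set(doc.get("audit_program", {}).get("clause_coverage", {}))
    for clause in sorted(CLAUSES - covered):
        results.append(("ERROR", f"audit_program.clause_coverage.{clause}", f"clause {clause} is not scheduled"))
    for finding in doc.get("findings", []):
        fid = finding.get("id", "<no id>")
        cls = finding.get("classification")
        is_nc = cls in NONCONFORMITIES
        # Classification validity
        if cls not in CLASSIFICATIONS:
            results.append(("ERROR", f"{fid}.classification", f"invalid classification {cls!r}"))
        # Finding completeness: objective evidence and a corrective action on every finding
        for field in ("evidence", "corrective_action"):
            if not finding.get(field):
                results.append(("ERROR" if is_nc else "WARNING", f"{fid}.{field}", f"{field} is missing"))
        # NC corrective actions: root cause, owner and target date on every nonconformity
        for field in NC_FIELDS if is_nc else ():
            if not finding.get(field):
                results.append(("ERROR", f"{fid}.{field}", f"nonconformity lacks {field}"))
    return results
```

Running validate(SAMPLE) reports the unscheduled clause 7 as an ERROR and the missing evidence on OFI-001 as a WARNING; a complete document returns an empty list.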
Getting Started
Activate the ISO 20000 Internal Audit skill and describe where you are in your audit cycle – whether you need to create the annual program from scratch, plan a specific engagement, or document findings from an audit already conducted. The agent will adapt the workflow to your situation.
Have this information ready:
- Your SMS process areas and which ones you consider higher risk
- Available auditors and their areas of responsibility (for independence mapping)
- Any known issues or concerns you want the audit to investigate
- Previous audit reports, if this is not your first cycle
The completed audit findings feed directly into the CAPA register and management review inputs, closing the PDCA loop for your SMS.