Sample: Audit Plan
Version 2.0
This work is licensed under a Creative Commons Attribution 4.0 International License.
www.fiitsm.eu
Table of Contents
1. Introduction & Context
2. General information
3. Audit activities
4. Audit criteria
5. Document control
FitSM was originated by the FedSM project, a project co-funded by the European Commission under contract number 312851.
1. Introduction & Context
This document specifies the audit plan for a service management audit to be conducted on behalf of ACME in June 2016. The audit plan has been created taking into account the Guidelines for management systems auditing according to EN ISO 19011:2011, and the audit activities will follow this approach.

The main goal of this audit is a baseline assessment of the current basic/core service management system (SMS) at the ACME head office in Taos, in the context of delivering IT services to customers, with no further limitations in scope.

This audit plan shall cover all relevant information for the audit, in particular the planned on-site audit activities and requirements, so that both the audit team and the auditee can prepare for the audit.
NOTE: This audit plan may be subject to changes after its release / distribution.
2. General information

Audit objectives: Baseline assessment of the current basic/core service management system (SMS). Identification of nonconformities and opportunities for improvement with respect to effectiveness, efficiency and overall organizational maturity, plus definition of follow-up actions.

Audit scope: SMS of ACME at site Taos to deliver IT services to customers.

Audit criteria relate to the following topic areas:

Topic area 1: General requirements for a service management system
Focus on:
o Top Management Commitment & Responsibility
o Documentation
o Scoping, Planning, Implementing, Monitoring/Reviewing and Continually Improving Service Management
Requirements based on FitSM-1 (Edition 2015 Version 2.0), Clause 5

Topic area 2: Process-specific requirements
Focus on:
o Service Portfolio Management (SPM)
o Service Level Management (SLM)
o Service Reporting Management (SRM)
o Service Availability & Continuity Management (SCAM)
o Capacity Management (CAPM)
o Information Security Management (ISM)
o Customer Relationship Management (CRM)
o Supplier Relationship Management (SUPPM)
o Incident & Service Request Management (ISRM)
o Problem Management (PM)
o Configuration Management (CONFM)
o Change Management (CHM)
o Release & Deployment Management (RDM)
o Continual Service Improvement Management (CSI)
Requirements based on FitSM-1 (Edition 2015 Version 2.0), Clause 6

Audit client: ACME, represented by Jane Doe

Auditing company: FITSM Consulting Inc., represented by Jack Smith

Audit team:
o Lead auditor: Jack Smith
o Co-auditor: Emma Harris

Auditee: (see audit client)

Language:
o Audit plan (this document): English
o Interviews: English
o Audit report: English

Dates and places:
o Date: Monday, 6 June 2016
o Time: 9:00-17:45
o Audit location: ACME head office, Taos
3. Audit activities

This schedule may be subject to changes on short notice.

Date, time: 05/06/2016, 9:00-17:45

Activities: On-site audit activities: opening meeting, collection and verification of evidence (including documentation review, interviews)

Details:

9:00-9:30 Opening meeting
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Martin Jones (ACME Technical Director; SMS Owner; Process Owner of all ITSM processes)
o Jane Doe (SMS Manager, Process Manager CSI)
o Carla Stalling (Process Manager SPM, SLM, SRM, CRM)
o Frederick Avery (Process Manager SUPPM, SCAM, CAPM)
o Jerome Blank (Process Manager ISM, Chief Security Officer)
o Paulina Husted (Process Manager ISRM, PM)
o Michael Maltese (Process Manager CONFM, CHM, RDM)
o Rita Larriva (Senior staff member at ACME Service Desk)
o John Smith (Manager Document Control)

9:30-10:00 Top Management Commitment & Responsibility
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Martin Jones (SMS Owner, Process Owner of all ITSM processes)
o Jane Doe (SMS Manager)

10:15-11:00 Documentation; Scoping, Planning, Implementing, Monitoring/Reviewing and Continually Improving Service Management; Continual Service Improvement Management (CSI)
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Martin Jones (SMS Owner, Process Owner of all ITSM processes)
o Jane Doe (SMS Manager, Process Manager CSI)
o John Smith (Manager Document Control)

11:15-11:45 Service Portfolio Management (SPM)
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Martin Jones (SMS Owner, Process Owner of all ITSM processes)
o Jane Doe (SMS Manager)
o Carla Stalling (Process Manager SPM, SLM, SRM, CRM)

11:45-12:30 Service Level Management (SLM); Service Reporting Management (SRM)
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Jane Doe (SMS Manager)
o Carla Stalling (Process Manager SPM, SLM, SRM, CRM)

12:30-13:30 Lunch break

13:30-14:00 Service Availability & Continuity Management (SCAM); Capacity Management (CAPM)
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Jane Doe (SMS Manager)
o Frederick Avery (Process Manager SUPPM, SCAM, CAPM)

14:00-14:30 Information Security Management (ISM)
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Jane Doe (SMS Manager)
o Jerome Blank (Process Manager ISM, Chief Security Officer)

14:45-15:00 Customer Relationship Management (CRM); Supplier Relationship Management (SUPPM)
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Jane Doe (SMS Manager)
o Carla Stalling (Process Manager SPM, SLM, SRM, CRM)
o Frederick Avery (Process Manager SUPPM, SCAM, CAPM)

15:00-15:45 Incident & Service Request Management (ISRM); Problem Management (PM)
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Jane Doe (SMS Manager)
o Paulina Husted (Process Manager ISRM, PM)
o Rita Larriva (Senior staff member at ACME Service Desk)

16:00-16:45 Configuration Management (CONFM); Change Management (CHM); Release & Deployment Management (RDM)
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Jane Doe (Internal ITSM consultant, ITSM project lead)
o Michael Maltese (Process Manager CONFM, CHM, RDM)

17:15-17:45 Closing remarks
Participants:
o Jack Smith (Lead auditor)
o Emma Harris (Co-auditor)
o Martin Jones (ACME Technical Director; SMS Owner, Process Owner of all ITSM processes)
o Jane Doe (SMS Manager)
o Carla Stalling (Process Manager SPM, SLM, SRM, CRM)
o Frederick Avery (Process Manager SUPPM, SCAM, CAPM)
o Jerome Blank (Process Manager ISM, Chief Security Officer)
o Paulina Husted (Process Manager ISRM, PM)
o Michael Maltese (Process Manager CONFM, CHM, RDM)
o Rita Larriva (Senior staff member at ACME Service Desk)
o John Smith (Manager Document Control)
4. Audit criteria

All audit criteria are based on the FitSM-1 (Edition 2015) standard for lightweight IT service management and relate to the following topic areas:

GR: General requirements for a service management system
PR: Process-specific requirements

Each criterion below is listed as "Process / category | R. # | requirement title", followed by its Specification.

Top Management Commitment & Responsibility | GR-1.1 | Top management responsibilities
Specification: Top management of the organisation(s) involved in the delivery of services shall show evidence that they are committed to planning, implementing, operating, monitoring, reviewing, and improving the service management system (SMS) and services. They shall:
o Assign one individual to be accountable for the overall SMS with sufficient authority to exercise this role
o Define and communicate goals
o Define a general service management policy
o Conduct management reviews at planned intervals

Top Management Commitment & Responsibility | GR-1.2 | Service management policy
Specification: The service management policy shall include:
o A commitment to fulfil customer service requirements
o A commitment to a service-oriented approach
o A commitment to a process approach
o A commitment to continual improvement
o Overall service management goals

Documentation | GR-2.1 | Overall SMS
Specification: The overall SMS shall be documented to support effective planning. This documentation shall include:
o Service management scope statement (see GR3)
o Service management policy (see GR1)
o Service management plan and related plans (see GR4)

Documentation | GR-2.2 | Processes
Specification: Documented definitions of all service management processes (see PR1-PR14) shall be created and maintained. Each of these definitions shall at least cover or reference:
o Description of the goals of the process
o Description of the inputs, activities and outputs of the process
o Description of process-specific roles and responsibilities
o Description of interfaces to other processes
o Related process-specific policies as applicable
o Related process- and activity-specific procedures as required

Documentation | GR-2.3 | Process outputs
Specification: The outputs of all service management processes (see PR1-PR14) shall be documented, and the execution of key activities of these processes recorded.

Documentation | GR-2.4 | Document control
Specification: Documentation shall be controlled, addressing the following activities as applicable:
o Creation and approval
o Communication and distribution
o Review
o Versioning and change tracking

Defining the Scope of Service Management | GR-3.1 | Scope statement
Specification: The scope of the SMS shall be defined and a scope statement created.

Planning Service Management (PLAN) | GR-4.1 | Service management plan
Specification: A service management plan shall be created and maintained.

Planning Service Management (PLAN) | GR-4.2 | Service management plan required contents
Specification: The service management plan shall at minimum include or reference:
o Goals and timing of implementing the SMS and the related processes
o Overall roles and responsibilities
o Required training and awareness activities
o Required technology (tools) to support the SMS

Planning Service Management (PLAN) | GR-4.3 | Alignment of plans / integrated approach
Specification: Any plan shall be aligned to other plans and the overall service management plan.

Implementing Service Management (DO) | GR-5.1 | Alignment of plans / integrated approach
Specification: The service management plan shall be implemented.

Monitoring and Reviewing Service Management (CHECK) | GR-6.1 | Key performance indicators
Specification: The effectiveness and performance of the SMS and its service management processes shall be measured and evaluated based on suitable key performance indicators in support of defined or agreed targets.

Monitoring and Reviewing Service Management (CHECK) | GR-6.2 | Assessments and audits
Specification: Assessments and audits of the SMS shall be conducted to evaluate the level of maturity and compliance.

Continually Improving Service Management (ACT) | GR-7.1 | Identification of nonconformities
Specification: Nonconformities and deviations from targets shall be identified and corrective actions shall be taken to prevent them from recurring.

Continually Improving Service Management (ACT) | GR-7.2 | Planning and implementing improvements
Specification: Improvements shall be planned and implemented according to the Continual Service Improvement Management process (see PR14).
Service Portfolio Management | PR-1.1 | Maintaining the service portfolio
Specification: A service portfolio shall be maintained. All services shall be specified as part of the service portfolio.

Service Portfolio Management | PR-1.2 | Planning service design and transition
Specification: Design and transition of new or changed services shall be planned.

Service Portfolio Management | PR-1.3 | Planning service design and transition aspects to be considered
Specification: Plans for the design and transition of new or changed services shall consider timescales, responsibilities, new or changed technology, communication and service acceptance criteria.

Service Portfolio Management | PR-1.4 | Understanding the organizational setup
Specification: The organisational structure supporting the delivery of services shall be identified, including a potential federation structure as well as contact points for all parties involved.

Service Level Management | PR-2.1 | Maintaining a service catalogue
Specification: A service catalogue shall be maintained.

Service Level Management | PR-2.2 | SLAs
Specification: For all services delivered to customers, SLAs shall be in place.

Service Level Management | PR-2.3 | SLA reviews
Specification: SLAs shall be reviewed at planned intervals.

Service Level Management | PR-2.4 | Evaluating service performance
Specification: Service performance shall be evaluated against service targets defined in SLAs.

Service Level Management | PR-2.5 | OLAs and UAs
Specification: For supporting services or service components provided by federation members or groups belonging to the same organisation as the service provider or external suppliers, OLAs and UAs shall be agreed.

Service Level Management | PR-2.6 | OLA and UA reviews
Specification: OLAs and UAs shall be reviewed at planned intervals.

Service Level Management | PR-2.7 | Evaluating performance of service components
Specification: Performance of service components shall be evaluated against operational targets defined in OLAs and UAs.

Service Reporting | PR-3.1 | Specification of service reports
Specification: Service reports shall be specified and agreed with their recipients.

Service Reporting | PR-3.2 | Specification of service reports required contents
Specification: The specification of each service report shall include its identity, purpose, audience, frequency, content, format and method of delivery.

Service Reporting | PR-3.3 | Production of service reports
Specification: Service reports shall be produced. Service reporting shall include performance against agreed targets, information about significant events and detected nonconformities.

Service Availability & Continuity Management | PR-4.1 | Requirements based on SLAs
Specification: Service availability and continuity requirements shall be identified taking into consideration SLAs.
Service Availability & Continuity Management | PR-4.2 | Plans
Specification: Service availability and continuity plans shall be created and maintained.

Service Availability & Continuity Management | PR-4.3 | Plans aspects to consider
Specification: Service availability and continuity planning shall consider measures to reduce the probability and impact of identified availability and continuity risks.

Service Availability & Continuity Management | PR-4.4 | Monitoring
Specification: Availability of services and service components shall be monitored.

Capacity Management | PR-5.1 | Requirements based on SLAs
Specification: Service capacity and performance requirements shall be identified taking into consideration SLAs.

Capacity Management | PR-5.2 | Plans
Specification: Capacity plans shall be created and maintained.

Capacity Management | PR-5.3 | Plans aspects to consider
Specification: Capacity planning shall consider human, technical and financial resources.

Capacity Management | PR-5.4 | Monitoring
Specification: Performance of services and service components shall be monitored based on monitoring the degree of capacity utilisation and identifying operational warnings and exceptions.

Information Security Management | PR-6.1 | Information security policies
Specification: Information security policies shall be defined.

Information Security Management | PR-6.2 | Information security controls
Specification: Physical, technical and organizational information security controls shall be implemented to reduce the probability and impact of identified information security risks.

Information Security Management | PR-6.3 | Reviews of security controls
Specification: Information security policies and controls shall be reviewed at planned intervals.

Information Security Management | PR-6.4 | Information security events and incidents
Specification: Information security events and incidents shall be given an appropriate priority and managed accordingly.

Information Security Management | PR-6.5 | Access control
Specification: Access control, including provisioning of access rights, for information-processing systems and services shall be carried out in a consistent manner.

Customer Relationship Management | PR-7.1 | Customer base
Specification: Service customers shall be identified.

Customer Relationship Management | PR-7.2 | Customer contact points
Specification: For each customer, there shall be a designated contact responsible for managing the customer relationship and customer satisfaction.

Customer Relationship Management | PR-7.3 | Communication mechanisms
Specification: Communication mechanisms with customers shall be established.

Customer Relationship Management | PR-7.4 | Customer service reviews
Specification: Service reviews with the customers shall be conducted at planned intervals.

Customer Relationship Management | PR-7.5 | Managing customer complaints
Specification: Service complaints from customers shall be managed.

Customer Relationship Management | PR-7.6 | Managing customer satisfaction
Specification: Customer satisfaction shall be managed.

Supplier Relationship Management | PR-8.1 | Supplier base
Specification: Suppliers shall be identified.

Supplier Relationship Management | PR-8.2 | Supplier contact points
Specification: For each supplier, there shall be a designated contact responsible for managing the relationship with the supplier.

Supplier Relationship Management | PR-8.3 | Communication mechanisms
Specification: Communication mechanisms with suppliers shall be established.

Supplier Relationship Management | PR-8.4 | Monitoring supplier performance
Specification: Supplier performance shall be monitored.

Incident & Service Request Management | PR-9.1 | Registration, classification and prioritization
Specification: All incidents and service requests shall be registered, classified and prioritized in a consistent manner.

Incident & Service Request Management | PR-9.2 | Prioritization based on service targets
Specification: Prioritization of incidents and service requests shall take into account service targets from SLAs.

Incident & Service Request Management | PR-9.3 | Escalation
Specification: Escalation of incidents and service requests shall be carried out in a consistent manner.

Incident & Service Request Management | PR-9.4 | Closure
Specification: Closure of incidents and service requests shall be carried out in a consistent manner.

Incident & Service Request Management | PR-9.5 | Access to relevant information
Specification: Personnel involved in the incident and service request management process shall have access to relevant information including known errors, workarounds, configuration and release information.

Incident & Service Request Management | PR-9.6 | Keeping users informed
Specification: Users shall be kept informed of the progress of incidents and service requests they have reported.

Incident & Service Request Management | PR-9.7 | Major incidents
Specification: There shall be a definition of major incidents and a consistent approach to managing them.

Problem Management | PR-10.1 | Problem identification
Specification: Problems shall be identified and registered based on analysing trends on incidents.

Problem Management | PR-10.2 | Problem investigation
Specification: Problems shall be investigated to identify actions to resolve them or reduce their impact on the services.

Problem Management | PR-10.3 | Known errors and workarounds
Specification: If a problem is not permanently resolved, a known error shall be registered together with actions such as effective workarounds and temporary fixes.

Problem Management | PR-10.4 | Known error database
Specification: Up-to-date information on known errors and effective workarounds shall be maintained.

Configuration Management | PR-11.1 | CI type definitions
Specification: Configuration item (CI) types and relationship types shall be defined.

Configuration Management | PR-11.2 | Appropriate level of detail
Specification: The level of detail of configuration information recorded shall be sufficient to support effective control over CIs.

Configuration Management | PR-11.3 | CMDB
Specification: Each CI and its relationships with other CIs shall be recorded in a configuration management database (CMDB).

Configuration Management | PR-11.4 | Change control and tracking
Specification: CIs shall be controlled and changes to CIs tracked in the CMDB.

Configuration Management | PR-11.5 | Configuration verification
Specification: The information stored in the CMDB shall be verified at planned intervals.

Configuration Management | PR-11.6 | Configuration baselines
Specification: Before a new release into a live environment, a configuration baseline of the affected CIs shall be taken.

Change Management | PR-12.1 | Registration and classification
Specification: All changes shall be registered and classified in a consistent manner.

Change Management | PR-12.2 | Assessment and approval
Specification: All changes shall be assessed and approved in a consistent manner.

Change Management | PR-12.3 | Post implementation review
Specification: All changes shall be subject to a post implementation review and closed in a consistent manner.

Change Management | PR-12.4 | Emergency changes
Specification: There shall be a definition of emergency changes and a consistent approach to managing them.

Change Management | PR-12.5 | Acceptance of requests for changes
Specification: In making decisions on the acceptance of requests for change, the benefits, risks, potential impact to services and customers and technical feasibility shall be taken into consideration.

Change Management | PR-12.6 | Change schedule
Specification: A schedule of changes shall be maintained. It shall contain details of approved changes, and proposed deployment dates, which shall be communicated to interested parties.

Change Management | PR-12.7 | Fallback plans
Specification: For changes of high impact or high risk, the steps required to reverse an unsuccessful change or remedy any negative effects shall be planned and tested.

Release & Deployment Management | PR-13.1 | Release policy
Specification: A release policy shall be defined.

Release & Deployment Management | PR-13.2 | Release planning
Specification: The deployment of new or changed services and service components to the live environment shall be planned with all relevant parties including affected customers.

Release & Deployment Management | PR-13.3 | Release build and test
Specification: Releases shall be built and tested prior to being deployed.

Release & Deployment Management | PR-13.4 | Acceptance criteria
Specification: Acceptance criteria for each release shall be agreed with the customers and any other relevant parties. Before deployment the release shall be verified against the agreed acceptance criteria and approved.

Release & Deployment Management | PR-13.5 | Fallback plans
Specification: Deployment preparation shall consider steps to be taken in case of unsuccessful deployment to reduce the impact on services and customers.

Release & Deployment Management | PR-13.6 | Monitoring releases for success
Specification: Releases shall be evaluated for success or failure.

Continual Service Improvement Management | PR-14.1 | Identification and registration
Specification: Opportunities for improvement shall be identified and registered.

Continual Service Improvement Management | PR-14.2 | Evaluation and approval
Specification: Opportunities for improvement shall be evaluated and approved in a consistent manner.
5. Document control

Document ID: [Unique document identifier]
Document title: Audit plan: Process and management system audit based on FitSM-1 (Edition 2015)
Definitive storage location: n/a
Document owner: Jack Smith (lead auditor)
Version: 1.0
Last date of change: 2016-05-22
Next review due date: n/a
Version & change tracking: n/a