Stage 2 Audit: Demonstrating That the SMS Is Genuinely Operational

What Stage 2 Is

Stage 2 is the implementation audit. The auditors verify that the SMS described in the documentation is actually operating as designed and is producing the required outputs. At Stage 1, the auditor reviewed the SMS design and asked "Is this documented correctly?" At Stage 2, the auditor observes, tests, and interviews to determine "Is this actually being done?" Stage 2 is typically conducted on-site and lasts 2–4 auditor-days depending on the size of the scope. For a small SMS covering one service and one location, two days may suffice. For a larger organization with multiple services and multiple locations, four days or more may be required. The Stage 2 audit involves document sampling, staff interviews, process observation, and triangulation (comparing what the procedure says, what staff say they do, and what the records show actually occurred).


Stage 2 Audit Structure

A typical Stage 2 unfolds as follows: Opening meeting (usually morning of day 1) where auditors confirm scope, explain the audit plan, and address logistical questions. Fieldwork (the bulk of the audit) where auditors sample documents, conduct interviews, and examine records. Daily briefings where the audit team and the organization's SMS team meet at the end of each day to discuss what has been found and clarify any issues. Closing meeting (usually afternoon of final day) where the audit team presents initial findings and next steps. A written audit report follows within 2–3 weeks.


The Opening Meeting

The opening meeting should include the SMS sponsor or top management representative (to show organizational commitment), the SMS coordinator, relevant process owners, and other key staff. The auditors will confirm the scope of the audit, walk through the audit plan (which practices will be audited when, who will be interviewed, what records will be sampled), confirm logistics (the audit room, access to systems, confidentiality), and set expectations for staff interviews. This is a good time to clarify any questions about the audit approach. A typical opening meeting lasts 30–45 minutes.


Fieldwork – What Auditors Examine

Clauses 4–7 and 9–10 Governance

Auditors interview the SMS coordinator and top management to understand the SMS governance structure, strategic intent, and resource allocation. They examine management review minutes to verify that the required inputs (performance data, audit results, changes in the external environment, customer feedback, nonconformities, progress against SMS objectives) are all being reviewed and that management decisions are documented. They review internal audit reports to assess whether the internal audit programme covers all clauses and whether findings are being addressed. They verify that SMS objectives are being measured and that progress against them is visible.

Clause 8 Practice Operation

For each Clause 8 practice (incident, problem, change, configuration, service level, availability, capacity, continuity, information security, budgeting, and supplier management), auditors sample records and interview the practitioners responsible for the practice. The sampling is not random, and it is not left to the organization either: auditors typically ask for a listing of records (for example all incidents closed in the last quarter) and then pick the specific records to examine in detail, so that the organization cannot pre-select its best examples.

Incident Management

Auditors typically sample 15–20 incident records from the last three months. For each record, they verify: Is the incident correctly classified (low, medium, high impact/urgency)? Was the escalation path followed? Are the SLA target and SLA status clearly recorded? Is the record complete from opening to closure? They ask the service desk team to describe a recent incident they handled, show the record, and explain how they followed the procedure. Inconsistencies between the procedure, what staff say, and what the records show are potential findings.

Problem Management

Auditors examine open and closed problem records. They verify that problems have been assigned root cause analysis (RCA is not "awaiting further investigation" indefinitely). They check the known error database to verify that known errors are documented and that the database is being used operationally. They ask the problem manager how reactive vs proactive problems are prioritized.

Change Management

Auditors sample 10–15 change records across the different change types (normal, standard, emergency). For each, they verify: Is a documented change request present? Is a risk assessment completed? Is CAB approval documented (or, for standard changes, a reference to the pre-approved template)? Is a post-implementation review (PIR) completed? They interview the change manager and the CAB chair about the CAB process. They ask how emergency changes are handled and whether each one receives a retroactive CAB review, because an emergency change with no approval record at all is a common finding.

Configuration Management

Auditors test CMDB accuracy by selecting 5–10 configuration items and verifying their attributes (server specs, application version, license status, etc.) against the live system or physical asset rather than against another document. They verify that configuration item relationships are mapped (this application runs on that server; this service depends on that database). They check how the CMDB is updated after changes and whether CMDB data is kept current; a change record that closed weeks ago with no corresponding CMDB update is a typical discrepancy.

Service Level Management

Auditors review monthly service reports covering at least three months of operation. They verify that SLA performance is measured and reported. They examine a sample of SLA breaches to confirm that they were handled according to the SLA (breach notification, credit/compensation if applicable). They interview a customer relationship manager or service level manager about service reviews.

Customer Relationship

Auditors examine service review meeting minutes from the last 3–6 months. They verify that customers have been surveyed for satisfaction and that results have been analyzed. They check how complaints and escalations from customers have been handled.

Supplier Management

Auditors review supplier agreements (at least three) and verify that performance targets are documented and measurable. They examine performance scorecards or monitoring data showing that suppliers are being held accountable to their agreements.

KEY CONCEPT: Auditors triangulate evidence: they don't just read documents, they ask staff if they follow them, and then they check records to verify. All three must align (document says X, staff say they do X, and records show X actually happened) for the auditor to find no nonconformity.
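The record checks described above for incident and change management can be rehearsed internally before the auditor arrives. The following is an added example, not part of this page and not the code of any certification body or GRC tool: it performs a deterministic stratified sample across change types, runs the same field checks an auditor applies (classification, escalation, SLA tracking, lifecycle completeness; change request, risk assessment, CAB approval including retroactive approval for emergency changes, PIR), and labels each gap as isolated or systemic. The record field names, the sample records, and the 50% "systemic" threshold are constructed assumptions; map the fields onto your own ITSM export before use.

```python
"""Pre-audit self-check over incident and change records (added example).

Field names, sample records and the systemic_ratio threshold are assumptions
chosen for illustration, not taken from any standard or tool.
"""
from collections import Counter, defaultdict
from datetime import datetime

ALLOWED_LEVELS = {"low", "medium", "high"}

# Constructed sample records; not exported from any real system.
INCIDENTS = [
    {"id": "INC-001", "impact": "high", "urgency": "high", "escalated_to": "L2-Network",
     "sla_target": "4h", "sla_status": "met", "opened": "2026-01-05T09:00", "closed": "2026-01-05T11:30"},
    {"id": "INC-002", "impact": "low", "urgency": "low", "escalated_to": None,
     "sla_target": "3d", "sla_status": "met", "opened": "2026-01-06T10:00", "closed": "2026-01-07T08:00"},
    {"id": "INC-003", "impact": "high", "urgency": "medium", "escalated_to": None,  # high impact, no escalation
     "sla_target": "8h", "sla_status": "breached", "opened": "2026-01-08T14:00", "closed": "2026-01-09T16:00"},
    {"id": "INC-004", "impact": "medium", "urgency": "medium", "escalated_to": None,
     "sla_target": "1d", "sla_status": None,  # SLA status never recorded
     "opened": "2026-01-10T12:00", "closed": None},  # still open
]

CHANGES = [
    {"id": "CHG-101", "type": "normal", "rfc": True, "risk_assessment": True, "cab_approval": "2026-01-03", "pir": True},
    {"id": "CHG-102", "type": "standard", "rfc": True, "risk_assessment": True, "cab_approval": "template:STD-07", "pir": True},
    {"id": "CHG-103", "type": "emergency", "rfc": True, "risk_assessment": True, "cab_approval": None, "pir": True},
    {"id": "CHG-104", "type": "normal", "rfc": True, "risk_assessment": False, "cab_approval": "2026-01-12", "pir": False},
]


def _ts(value):
    """Parse an ISO-8601 timestamp, returning None for a missing value."""
    return datetime.fromisoformat(value) if value else None


def check_incident(rec):
    """Return the gaps an auditor would raise for one incident record."""
    gaps = []
    if rec.get("impact") not in ALLOWED_LEVELS or rec.get("urgency") not in ALLOWED_LEVELS:
        gaps.append("classification")
    # Assumption: the escalation matrix requires high-impact incidents to be escalated.
    if rec.get("impact") == "high" and not rec.get("escalated_to"):
        gaps.append("escalation")
    if not rec.get("sla_target") or not rec.get("sla_status"):
        gaps.append("sla_tracking")
    opened, closed = _ts(rec.get("opened")), _ts(rec.get("closed"))
    if opened is None or closed is None or closed < opened:
        gaps.append("lifecycle")  # not complete from opening to closure
    return gaps


def check_change(rec):
    """Return the gaps for one change record; emergency changes need retroactive CAB review."""
    gaps = []
    if not rec.get("rfc"):
        gaps.append("change_request")
    if not rec.get("risk_assessment"):
        gaps.append("risk_assessment")
    if not rec.get("cab_approval"):
        gaps.append("cab_approval_retroactive" if rec["type"] == "emergency" else "cab_approval")
    if not rec.get("pir"):
        gaps.append("pir")
    return gaps


def stratified_sample(records, key, per_stratum):
    """Deterministic sample: up to per_stratum records from each distinct value of `key`, ordered by id."""
    buckets = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["id"]):
        buckets[rec[key]].append(rec)
    return [rec for recs in buckets.values() for rec in recs[:per_stratum]]


def summarize(records, checker, systemic_ratio=0.5):
    """Count each gap across the sample and label it isolated or systemic.

    The threshold is an assumption: a gap present in at least systemic_ratio of the
    sample is treated as likely major, anything rarer as likely minor.
    """
    counts = Counter()
    for rec in records:
        counts.update(checker(rec))
    n = len(records)
    labels = {gap: ("systemic" if c / n >= systemic_ratio else "isolated") for gap, c in counts.items()}
    return labels, dict(counts)


if __name__ == "__main__":
    for name, recs, checker, key in (("incidents", INCIDENTS, check_incident, "impact"),
                                     ("changes", CHANGES, check_change, "type")):
        sample = stratified_sample(recs, key, per_stratum=2)
        labels, counts = summarize(sample, checker)
        print(name, {gap: (counts[gap], labels[gap]) for gap in counts})
```

Run it against a real export of the last three months and treat every "systemic" label as a major-nonconformity risk to close before Stage 2; "isolated" gaps are the ones to have an explanation and a corrective action ready for.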


Staff Interviews

Stage 2 always includes interviews with staff who operate the SMS. Auditors typically interview the SMS coordinator, process owners (service desk manager, change manager, problem manager, CMDB administrator, etc.), and individual practitioners (service desk agents, change implementers, etc.). The interviews are typically conversational; auditors ask questions like "Walk me through how you handle a high-priority incident" or "Show me a recent problem you worked on and explain how you approached the root cause analysis." Staff who can describe their work confidently, speak to the procedure, and show supporting records create confidence that the SMS is operational. Staff who are confused, defensive, or unable to reference their procedures and records create doubt.


Evidence Presentation

Organize all documented information and operational evidence in a way that auditors can retrieve items quickly. Create a master index or folder structure that auditors understand. Use naming conventions that are self-explanatory (e.g., "INC-2026-001-Classification.pdf"). Do not overwhelm auditors with thousands of documents; instead, provide a curated set and offer to retrieve additional documents if requested. If conducting an on-site audit, prepare a dedicated audit room with tables, computers with access to systems, internet connectivity, and printed copies of key documents. If conducting a remote audit, prepare a secure shared drive where auditors can access documents on demand: grant read-only access to the named audit team only, confirm the access logging is enabled, and revoke the access once the report has been issued.


Nonconformity Types at Stage 2

Stage 2 may result in major or minor nonconformities: A major nonconformity indicates that a fundamental SMS requirement is not being met. Examples: "No documented change approval process is evident; changes are implemented without documented approval" or "Incident records do not consistently show SLA status; the SMS is not measuring SLA performance." Major nonconformities must be resolved before the certificate can be issued. A minor nonconformity indicates an isolated gap. Examples: "One of 20 incident records sampled did not show escalation evidence" or "Problem manager was on leave for one month and did not review open problems." Minor nonconformities are typically resolved with a corrective action plan and evidence of closure submitted 4–8 weeks after the audit.


After Stage 2

The closing meeting summarizes any major nonconformities and preliminary minor findings. The organization typically has 4–8 weeks to develop corrective action plans and collect evidence of closure. The CB reviews the closure evidence and issues a final certification decision. If no major nonconformities remain, the certificate is issued. The certificate is valid for three years, subject to periodic surveillance audits during that period, after which the organization must undergo recertification.

IMPORTANT: Major nonconformities delay certification. If a major NC is raised, the CB will require a corrective action plan with closure evidence before issuing the certificate. This typically adds 4–8 weeks to the timeline. Avoid major NCs by ensuring comprehensive operational evidence before Stage 2.


Stage 2 Audit Evidence Requirements by Clause

Each entry lists the clause or practice, the documents examined, the staff interviewed, and the records sampled.

Clauses 4–7, 9–10: Governance
  Documents examined: scope, service management plan (SMP), policy, org chart, approved objectives
  Staff interviewed: top management, SMS coordinator, process owners
  Records sampled: management review minutes; internal audit report; 5–10 nonconformity records

Clause 8: Incident Management
  Documents examined: incident procedure, SLA definitions, escalation matrix
  Staff interviewed: service desk team, incident manager
  Records sampled: 15–20 incident records; verify classification; verify SLA tracking

Clause 8: Problem Management
  Documents examined: problem procedure, known error database, RCA template
  Staff interviewed: problem manager, incident manager
  Records sampled: 10 problem records; verify RCA completeness; check known error database

Clause 8: Change Management
  Documents examined: change procedure, CAB charter, risk template, PIR template
  Staff interviewed: change manager, CAB chair, business analyst
  Records sampled: 10–15 changes; verify approvals, risk assessment, PIR completion

Clause 8: Configuration Management
  Documents examined: CMDB procedure, CI classification, relationship rules
  Staff interviewed: CMDB administrator, change manager
  Records sampled: physical or live-system verification of 5–10 CIs; test CMDB data accuracy; check update process

Clause 8: Service Level Management
  Documents examined: SLM procedure, monthly report template, metrics definitions
  Staff interviewed: service level manager, service owner, customer representative
  Records sampled: monthly service reports (3 months); verify SLA metrics; check breach handling

Clause 8: Availability Management
  Documents examined: availability procedure, monitoring tool configuration, targets
  Staff interviewed: availability manager, operations team
  Records sampled: 3 months of availability reports; verify measurement accuracy; check trend analysis

Clause 8: Capacity Management
  Documents examined: capacity procedure, forecasting method, tools used
  Staff interviewed: capacity manager, planning team
  Records sampled: capacity plans; utilization reports; trend forecasts; check forecast accuracy

Clause 8: Continuity Management
  Documents examined: continuity plan, RTO/RPO definitions, backup schedule
  Staff interviewed: continuity coordinator, operations team
  Records sampled: backup verification records; restore test results; plan review evidence

Clause 8: Information Security
  Documents examined: security policy, access control procedure, security incident handling procedure
  Staff interviewed: security officer, access control team
  Records sampled: access control records; security incident log; patch records; vulnerability scan results

Clause 8: Budgeting and Accounting
  Documents examined: budget procedure, cost allocation method, invoice records
  Staff interviewed: finance manager, cost center owners
  Records sampled: monthly cost reports; budget vs actual; supplier invoices; cost allocation records

Clause 8: Supplier Management
  Documents examined: supplier procedure, agreement templates, performance data
  Staff interviewed: supplier manager, operations team
  Records sampled: supplier agreements (3 or more); performance scorecards; review meeting minutes; SLA evidence
BITLION INSIGHT: Bitlion GRC provides an audit evidence organizer tool that helps organizations structure their documented information and operational records for rapid auditor retrieval, plus staff interview preparation guides with sample questions and recommended answers for each practice area.