Auditing Business Continuity Management

Audit Objective, Scope and Criteria

Written by Moh Heng Goh | Sep 18, 2020 7:01:27 AM

Determine Audit Objectives

An Audit Objective is the defined purpose or aim of the BCM Audit process or activity. In reviewing a BC Plan, the BCM Audit objectives are to decide whether:

  • The organization’s current and likely future business environments have been addressed in the BC strategy.
  • The BC Plan has been regularly maintained to reflect changes in:
      • The composition of the organization’s BC team.
      • Hardware and software configurations.
      • The business processes.
      • The economic environment.
  • The BC Plan has been regularly tested and exercised to the agreed BCM readiness level within the organization.

Determine Audit Scope

The Audit Scope determines the extent and range of the activities and the period (months or years) of records that are to be subjected to a BCM Audit examination. These are some of the considerations:

  • What is the level of compliance with the requirements?
  • Is this audit for the entire or a specific area within the organization?
  • What are the elements, physical locations and organizational activities that are to be audited within a specified time frame?
  • What scope and depth of the BCM Audit should be included in the design to meet the Client’s specific information needs?
  • Which standards or documents within the Auditee's system or environment should be specified?
  • What is deemed sufficient objective evidence to adequately demonstrate that the Auditee’s BCMS and operations are effective?
  • What amount of resources is required for the BCM Audit to meet its intended scope and depth?

A successful BCM Audit is one that stays within the agreed scope. Often, the Client must be informed of the scope before the start of any audit.

Determine Audit Criteria

The Audit Criteria is a set of policies, procedures and requirements against which audit evidence is compared. These are samples of audit criteria.

 

Categorization of Audit Criteria

| Numerical Categorization | Conclusion on Audit Criteria | Definition of Conclusion |
|---|---|---|
| 1 | Well Controlled | Well managed, no material weaknesses noted; and effective. |
| 2 | Controlled | Well managed, but minor improvements are needed; and effective. |
| 3 | Moderate Issues | It has moderate issues requiring management focus based on at least one of the following two criteria: control weaknesses, but exposure is limited because the likelihood of the risk occurring is not high; or, control weaknesses, but exposure is limited because the impact of the risk is not high. |

Sample Audit Criteria and Key Evidence/Observations

| Criteria # | Audit Criteria | Conclusion on Audit Criteria | Examples of Key Evidence/Observation |
|---|---|---|---|
| 1.1 | Key documents properly articulate the linkages between the program and business unit’s objectives and priorities. | 1 | The program clearly links the BCM Program and business unit’s objectives. |
| 1.2 | A plan has been developed to periodically re-assess the BCM program design and adjusted as required. | 1 | Periodic evaluations of the Program are planned and conducted. The evaluations have resulted in changes to the design of the Program. |
| 1.3 | Expected results are clearly defined, and a plan to measure and demonstrate results is followed. | 1 | Expected results are included in the BCM Program. Management conducts surveys of recipients and uses the data to demonstrate results. |
| 1.4 | Available resources (e.g. human resource, tools) and competencies are reviewed and match those required to deliver the BCM program. | 1 | The resources required for the BCM program are identified and have been made available. BCM program has low staff turnover, relevant training, and an effective performance management process. |

 

 

Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "Stage 1: Audit Planning and Preparation"

 
