Why Do We Perform Audit?
BC Planning (BCP) is similar to any other business activity, which is critical to the success and continuation of an organization. Hence, BCP is an activity, which is subject to audit.
Auditors should view BCP to be equally as sensitive as security regarding critical business risk areas. When Auditors audit the BCP activity, they want to determine whether the activity is being properly carried out and whether the BC Plan is comprehensive, current and has been appropriately tested. Knowing what the Auditors look for will not only ensure a smoother audit, it will also improve the overall BC Plan implementation and upkeep.
The process of building a business case for implementing a BCP project is critical to the success of the BC Plan. This is where the Auditor’s reporting on the lack of the BC Plan will help to support the justification for an organization’s BC initiative.
Goal of BCM Audit
The goal of a BCM Audit is to collect objective evidence to permit an informal judgment about the status of the:
- Business Continuity Management System or in short, BCMS, which is a Management System for Business Continuity Management (BCM). A Management System is a set of interrelated or interacting elements that organizations use to implement policy and to achieve objectives.
- BCM Program, which is an on-going ordered list of BCM, planned activities to be followed. This is usually conducted after the implementation of a BCP project, and the organization is in the Program Management phase in the BCM Planning Methodology
Regulatory and Compliance Requirement
Recent pressure on public accountants and regulatory compliance to assess whether businesses they audit are a “going concern” gives them greater cause to investigate BCPs. These external Auditors will likely focus on documented evidence that an adequate plan exists and has been successfully tested.
Further, some regulated industries (See http://en.bcmpedia.org/wiki/Standards), are subject to regulatory requirements to maintain an adequate, proven and tested BC Plan. In any case, the organization’s Internal Auditors should have a comprehensive audit program to provide evidence that the plan has been thoroughly reviewed and any weaknesses noted have been or are being corrected.
Benefits of BCM Audit
Auditing brings benefits to the organization as it:
- Provides justification for the Executive Management to address the lack of a BCM Planning Methodology within an organization if there is one and the motivation to implement one.
- Provides assurance by giving a new and independent perspective of the adequacy of the BC Plan and BCM program.
- Provides fresh ideas and approaches that may not have been considered by the BC development team or BCM program office.
- Eliminates any false sense of security that may result from not being independently reviewed and from potentially faulty planning assumptions.
- Alerts the Executive Management and all responsible parties to those areas that are in need of enhancement and correction.
- Motivates those in positions of responsibility to carry out a more thorough job as they anticipate sub-sub-sequent audits.
- Determines whether the process for managing the BCM program has been adequately put in place
Also, it also offers an excellent opportunity for organizations to:
- Evaluate the interactions within the preventive internal controls (or operational risk) program
- Include the testing of the various components of the BC Plan.
- Observe the working relationships and interactions between various BC development groups responsible for implementing the BC Plan.
- Bring out deficiencies in organizational and personnel areas for timely correction
- Use it as a tool for continual improvement
- Correct non-conformity in the system and processes
- Help assure that on-going systems and processes are operating as intended and required
Types of Audits
It is important when reading this book, to remember that it aims to serve as a guide to the reader who is:
- An Internal Auditor of an organization.
- An External Auditor from a professional audit firm.
- A third party such as a BCMS Auditor.
The major differences are that if an audit is conducted internally, familiarity with the information and knowledge about the Auditees reduces the introductory formality, and certain formalities are minimized.
Internal Audit (First Party Audit)
First Party Audit is for organizations auditing themselves for internal purposes. This audit need not only be conducted in-house as it can also be carried out by an external organization.
External Audit (Second Party Audit)
Second Party Audit is an external audit which is usually performed by the customers or by any other party on the organization’s behalf. It can also be done by any external party that has an interest in the "Auditee" organization.
External Audit (Third Party Audit)
Third Party Audit is performed by independent external organizations to determine whether or not an organization complies with the standard. Third Party Auditors are commonly referred to as registrars or certification bodies.
In this book, this type of audit, called Certification Audit, will be introduced. It entails auditing an organization before the organization embarks on a BCM certification audit. The Auditors, led by a Lead Auditor, will inspect and certify the organization against a BCM standard.
The content of this book also provides and show the application of the principles and methodologies for reviewing and auditing a BC Plan. Based on my practical experience as both as an Auditor (public accounting firm) and Reviewer (internal and external BCM Consultant within organizations) of BC Plans and BCM programs, I have prepared and included a series of easy-to-use BCM Questionnaires which can be easily tailored to be used as Standardized Audit Programs. This is to assist persons without prior audit experience in BCM to perform audits of specific business units’ and corporate-wide BC Plans or BCM program.
Sub-types of Audit
When conducting a BCM Audit, there is a need to understand the sub-types of the audit. The four sub-types are as shown in Figure 2.1.
Figure 2.1: Audit Sub-Types
Compliance Audit
This audit requires the Auditor to verify that the organization has complied with the standard. An example is to check that the number and types of exercises are conducted on the schedule as approved by the Executive Management.
It is useful to note that all audits are in compliance with a requirement.
System Audit
In a system audit, the emphasis is on the “theory.” An example is to review the management program requirement for updating of the BC Plan documentation.
Process Audit
This audit requires the Auditor to review the practice. An example is to confirm that the Business Impact Analysis process is conducted under the organization’s guidelines and also the BCM standard.
Product Audit
The audit of the product results in the breakdown of the final product. An example is a review of whether an entire service to be delivered by the alternate site provider is by the contractual and service level agreement.
Business Continuity Management System
As part of the Third Party Audit, BCMS is often mentioned. BCMS is a Management System for Business Continuity Management (BCM). This Management System is a set of interrelated or interacting elements that organizations use to implement BCM policies and to achieve BCM objectives. The components of a BCMS include the BCM policy, a management review, the planning, the implementation and a performance assessment as well as provision for continuous improvement.
What Does BCM Audit Process Entails?
The entire BCM Audit Process involves the following phases
Stage 1: Audit Planning and Preparation
- Audit Preparation
- Audit Planning
Stage 2: Audit Fieldwork
- Pilot Fieldwork
- Audit Fieldwork
Stage 3: Audit Review and Reporting
- Reporting (Draft and Proposed)
- Reporting (Final)
Stage 4: Audit Follow-up
- Follow-up Audit
- Surveillance Audit (BCM Certification
Conclusion
This chapter summarizes the justification for a BCM Audit and the expectations of the audit deliverables. It also describes the types and sub-types of audits. It examines the roles that the Auditor should play to meet these expectations. Finally, it introduces the step of a typical BCM Audit process.
Resource
Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.
Extracted from "Auditing BCM Activity"
Singapore Government Funding for BCM-8530 Course
The next section applied to Singaporean and Singapore permanent residents. Click button "Government Funding Available" to find out more about the funding that is available from the Singapore government. This include the CITREP+, SkillsFuture Credit and UTAP.
Find out more about Blended Learning BCM-8530 [BL-A-5] & BCM-8030 [BL-A-3]
Please feel free to send us a note if you have any of these questions to sales.ap@bcm-institute.org |