BC Planning (BCP) is like any other business activity that is critical to the success and continuation of an organization. Hence, BCP is an activity that is subject to audit.
Auditors should treat BCP as being as sensitive as security in critical business risk areas. When Auditors audit the BCP activity, they want to determine whether the activity is being properly carried out and whether the BC Plan is comprehensive, current and has been appropriately tested. Knowing what the Auditors look for will not only ensure a smoother audit; it will also improve the overall implementation and upkeep of the BC Plan.
The process of building a business case for implementing a BCP project is critical to the success of the BC Plan. This is where the Auditor’s reporting on the lack of the BC Plan will help to support the justification for an organization’s BC initiative.
The goal of a BCM Audit is to collect objective evidence to permit an informed judgment about the status of the:
Recent pressure on public accountants and regulatory compliance functions to assess whether the businesses they audit are a “going concern” gives them greater cause to investigate BC Plans. These external Auditors will likely focus on documented evidence that an adequate plan exists and has been successfully tested.
Further, some regulated industries (See http://en.bcmpedia.org/wiki/Standards), are subject to regulatory requirements to maintain an adequate, proven and tested BC Plan. In any case, the organization’s Internal Auditors should have a comprehensive audit program to provide evidence that the plan has been thoroughly reviewed and any weaknesses noted have been or are being corrected.
Auditing brings benefits to the organization as it:
It also offers an excellent opportunity for organizations to:
It is important when reading this book, to remember that it aims to serve as a guide to the reader who is:
The major difference is that when an audit is conducted internally, the Auditor’s familiarity with the information and knowledge of the Auditees reduces the introductory formality, and certain formalities are minimized.
First Party Audit is for organizations auditing themselves for internal purposes. This audit need not only be conducted in-house as it can also be carried out by an external organization.
Second Party Audit is an external audit which is usually performed by the customers or by any other party on the organization’s behalf. It can also be done by any external party that has an interest in the "Auditee" organization.
Third Party Audit is performed by independent external organizations to determine whether or not an organization complies with the standard. Third Party Auditors are commonly referred to as registrars or certification bodies.
In this book, this type of audit, called Certification Audit, will be introduced. It entails auditing an organization before the organization embarks on a BCM certification audit. The Auditors, led by a Lead Auditor, will inspect and certify the organization against a BCM standard.
The content of this book also provides and shows the application of the principles and methodologies for reviewing and auditing a BC Plan. Based on my practical experience as both an Auditor (public accounting firm) and a Reviewer (internal and external BCM Consultant within organizations) of BC Plans and BCM programs, I have prepared and included a series of easy-to-use BCM Questionnaires which can be easily tailored for use as Standardized Audit Programs. This is to assist persons without prior audit experience in BCM to perform audits of specific business units’ and corporate-wide BC Plans or BCM programs.
When conducting a BCM Audit, there is a need to understand the sub-types of the audit. The four sub-types are as shown in Figure 2.1.
Figure 2.1: Audit Sub-Types
This audit requires the Auditor to verify that the organization has complied with the standard. An example is to check that the number and types of exercises are conducted on the schedule as approved by the Executive Management.
It is useful to note that every audit, whatever its sub-type, checks compliance with some requirement.
In a system audit, the emphasis is on the “theory.” An example is to review the management program requirement for updating of the BC Plan documentation.
This audit requires the Auditor to review the practice. An example is to confirm that the Business Impact Analysis process is conducted in accordance with the organization’s guidelines and the BCM standard.
A product audit examines the final product or deliverable itself. An example is a review of whether the entire service to be delivered by the alternate site provider is in accordance with the contract and the service level agreement.
As part of the Third Party Audit, BCMS is often mentioned. BCMS is a Management System for Business Continuity Management (BCM). This Management System is a set of interrelated or interacting elements that organizations use to implement BCM policies and to achieve BCM objectives. The components of a BCMS include the BCM policy, a management review, the planning, the implementation and a performance assessment as well as provision for continuous improvement.
The entire BCM Audit Process involves the following phases:
This chapter summarizes the justification for a BCM Audit and the expectations of the audit deliverables. It also describes the types and sub-types of audits. It examines the roles that the Auditor should play to meet these expectations. Finally, it introduces the steps of a typical BCM Audit process.
Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.
Extracted from "Auditing BCM Activity"