Conduct the Audit
Once the opening meeting is completed and it is time for the first meeting with the Auditee, arrive and meet the executive Auditee. This internal representative will be assigned to the designated business unit manager.
Expectation of Auditor During Conduct of Audit
As an Auditor, you are expected to:
- Explain what you want to see/do
- Investigate to a necessary depth
- Satisfy the sample requirement
- Do not over-sample
- Do not assume wrong exists
- Move on to the next business unit.
While conducting the audit, the Auditor may want to observe the following:
Learning Useful Audit Tips
- Use your audit checklist as your guide
- Document audit trails as they begin to appear
- You will make many observations.
- Make the following decisions:
- Disregard
- Note for later follow-up
- Follow-up now
- Call in a team
- Request for a technical expert
- Seek assistance from related parties
This is additional guidance for Auditors on:
- Asking questions
- Phrasing questions
- Taking notes
- Practising good audit behaviour
Asking Questions
These are some of the questioning techniques that are used during a typical interview:
- Clear: This question is usually simple and unambiguous.
- Closed-ended: These usually result in a “Yes” or “No” answer.
- Open-ended: This questioning approach will result in a long answer being provided.
- Probing: These specific questions are used for finding details
Phrasing of Questions
The phrasing of each question usually starts with the 4 “Ws”: Who, What, When and Where. However, questions phrased with “Why”, “How” and “Elaborate” tend to provide better answers.
Taking Notes
It is important to take notes constantly throughout the audit as they make a good reference. The notes can be used for investigation for both the present and at a later stage of the audit. These notes can also be shared with the other Auditors and be referred to in future audits.
Auditors are strongly encouraged not to rely on or trust their memory when documenting evidence. Taking notes requires the writer to have the content recorded legibly, retrievable from the system, and be as specific as possible, with citation of examples.
The notes should be copious and must have reference or document numbers, dates, and serial numbers. For the notes to be used as objective evidence, they should have the following:
- Statements that should be admissible
- Dates
- Document numbers
- Item Identifiers
- Locations and Places
- Revision information
- Names
- Designations of Auditees
Practising Good Audit Behavior
Here are some good and bad auditing practices and behaviors that Auditors should constantly be aware of.
Summary of Good and Bad Audit Practices
| Good Auditing Practices | Undesirable Auditing Behaviour |
| --- | --- |
| Talk to the right people | Give subjective opinions |
| Speak clearly and simply | Ask too many unnecessary questions |
| Learn to use local terminology and language | Ask leading questions |
| Look at the person in the eyes when interviewing | Appear to understand when you do not know |
| Do not talk down to anyone | Taking sides during an audit |
| Show the Auditees that you are their friends | Provide Auditees with insufficient time to answer |
| Be unemotional and impartial. | Provoke an argument |
| Do not get excited or fix the blame | Criticize individuals |
| Avoid interrupting an Auditee. | Do not thank the Auditee |
| Find the facts and present them | Attempt to answer your questions |
| Rephrase your question if the Auditee does not seem to know what you are asking. | Hide non-conformance until the report is presented |
Figure 5-1: Summary of Good and Bad Audit Practices
The Auditors should also avoid known pitfalls and difficulties such as expectation gaps arising from the local environment, cultural divergence, or the lack of specialist expertise.
Document Audit Activities and Findings
Working Papers are documentary evidence obtained from the Auditees. The content of the papers is analyzed so as to achieve an audit conclusion. Audit working papers provide the basis for the findings and audit recommendations to be reported. Audit working papers are a key part of the evidence used by Auditors in arriving at the BCM Audit conclusions and recommendations.
Workpaper Reference
This is the content of a typical set of working papers, sometimes referred to in short as workpapers.
Table of Content for Workpaper
| Section | Description of Workpaper |
| --- | --- |
| A | Audit Program |
| B | Survey Planning Memorandum |
| C | Audit Assignment and Independence Statement |
| D | Engagement Letter and Notification |
| E | Opening Meeting |
| F | Interviews (planning/survey phase only) |
| G | Flowcharts |
| H | Internal Control Questionnaire |
| I | Relevant Standardized Audit Program (with observations notes and comments) |
| J | Risk Assessment Internal Control Evaluation |
| K | Finding Development Sheets |
| L | Background Information |
| M | Fieldwork Standardized Audit Program |
| N | Introduction Purpose and Scope (Draft) |
Figure 5-2: Table of Content for Workpaper
Review and Analyze Audit Findings
This chapter outlines the methods of analysis that an Auditor can use to arrive at a well-founded audit opinion. As an Auditor, the understanding and review of this chapter will allow one to evaluate the audit findings and to avoid time-consuming details when reviewing the BCM Planning Methodology. The steps to be taken are to:
- Visualize the Auditee’s narrative.
- Group the interviewee's narrative by BCM area (the seven phases within the BCM Planning Methodology).
- Identify gaps in the audit plan that have not been addressed in interviews.
- Request clarification as appropriate to complete the data gathering process
Auditors can find a list of commonly overlooked areas (Appendix 8) as a reference guide. The Auditor is strongly recommended to categorize the findings using the phases within the BCM Planning Methodology.
Keep Auditees Informed
In addition to practices and behaviours, managing the Client or Auditees is a constant demonstration of openness and trust. These are some of the approaches to achieve that goal:
- Review findings regularly with Auditees.
- Inform Auditee before any rumours about your observations reach them.
- Keep the findings and recommendations constructive.
- Demonstrate professionalism throughout the audit.
- Locate and talk to all the right people and include the appropriate personnel.
- Be precise, attentive and responsive.
- Create rapport with Clients
BCM Audit Areas
One approach for identifying areas to audit is to use the BCM Planning Methodology and divide each phase according to individual BCM audit areas.
In a typical BCM audit, each phase of the BCM Planning Methodology can be used as a BCM area for audit. The detailed information for each phase can be found in the BCM book series. Please refer to pages 125 to 128 for a brief summary of each book. The cross-referencing table is as shown in Figure 5-4.
| No/Bok 10 | BCM Planning Methodology | Reference to BCM Book Series |
| --- | --- | --- |
| 1 | Project Management | Managing Your Business Continuity Planning Project (2nd Ed) |
| 2 | Risk Analysis and Review | Analyzing and Reviewing the Risks for Business Continuity Planning |
| 3 | Business Impact Analysis | Conducting Your Impact Analysis for Business Continuity Planning (2nd Ed) |
| 4 | Business Continuity Strategy | Developing Business Continuity Strategy for Your Business Continuity Plan |
| 5 | Plan Development | Implementing Your Business Continuity Plan |
| 6 | Testing and Exercising | Testing and Exercising Your Business Continuity Plan (2nd Ed) |
| 7 | Program Management | Managing and Sustaining Your Business Continuity Management Program |
Figure 5-4: Cross Referencing of Content of BCM Planning Methodology with BCM Book Series.
Manage Administrative Overheads
Having highlighted the audit fieldwork process, one challenge commonly faced by the Auditor is the failure to take into account the administrative overhead, logistics overhead and additional time buffers for clarification of information gathered. The latter is often under-estimated as a significant percentage of audit time will have to be allotted to "housekeeping" tasks such as status meetings or interim reporting to stakeholders.
Summary
The effective and efficient execution of a BCM Audit Fieldwork is the result of the adoption of the audit plan during the execution of the BCM Audit. The careful evaluation of findings and clear formulation of recommendations must be strictly adhered to at this stage.
Resource
Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.
Extracted from "Conduct the Audit"