BCM Audit Series

Roles and Responsibilities in a BCM Audit

As an independent function, an audit can play a very constructive and important role in the conception, development, implementation, and testing phases of the organization’s BCM program. It is therefore quite important that audit has an active role in the program.

Assisting the Executive Management in protecting the assets of the organization has been a traditional role of Auditors through their work of assessing and testing the adequacy of internal controls for asset protection. In the context of internal controls, the BCM program is one of the elements of internal control that Auditors are interested in reviewing. This automatically dictates that Auditors become actively involved.
Moh Heng Goh
BCMS Audit Certified Planner-Specialist-Expert

Introduction


Figure 3.1 summarizes the various functions and roles that the Auditor, Reviewer, and Planner (Organization BCM Coordinator) can play, as well as some of the ways in which the Auditor can contribute to enhancing the effort and provide support through their access to the Executive Management, all the way to the Board of Directors.

Figure 3.1: Roles of Auditors, Reviewers, and Planners

Involvement in BCP Development

It is often asked, “What role should an Auditor play during the BCP implementation?” This chapter attempts to answer that question by suggesting some ways an Auditor can add value to the BCM program.

Keep in mind that the appropriate level of participation should be aligned with the organization’s overall audit plan, the availability of appropriate audit resources and the existence and maturity level of the organization’s BCM program. 

Usually, a routine BCM Audit is conducted only when a BC project is completed, and the audit has an existing, developed and standardized audit program. However, I would strongly recommend that Auditors participate in the BCP development process itself, that is, get involved in the action and be part of the development team, working closely with the Organization BCM Coordinator and offering independent professional advice with a view to contributing to the effectiveness of the BC Plan.

I strongly recommend that the organization’s audit approach be fully integrated with the BCM Planning Methodology, as this is a business, technology, and operational issue. Auditors’ participation may cover the entire program or may be limited to one or more of the specific areas of development.

Auditors are in a unique position of having access to related initiatives across the organization. They also have unique access to the Executive Management, the Audit Committee and the Board of Directors. These attributes should be explored and tapped as a benefit to any BCM program.

Benefit of Auditors’ Involvement

Leveraging the Auditors and their audit process in the BCM program makes sense as it helps to review what is needed and required by the standard. The aim is not just to comply with the BCM standard but also to determine how the existing organization processes could be implemented. Being involved in the BC planning implementation has the following advantages, as the Auditor can:

  • Act as an independent observer of the BCM Planning Methodology and advise on areas which need to be done but have not been carried out, or on areas which have not been properly carried out. The Auditor, by his/her overview of the business operations of the organization, can act as a bridge between all business functions.
  • Give suggestions to the BC project team in business areas which are interdependent but may not have been considered during planning, such as business risks which may have been overlooked, and on factors to consider when suggesting alternative strategies.
  • Ensure that internal controls are adequately built into the recovery procedures of the critical business operations at the alternate sites so that assets can continue to be protected under recovery mode. This ensures that security is not compromised and that there is accountability for work done.
  • Ensure that the business units do not negotiate for lesser controls at the alternate site just because business expediency is given priority, as this could be at the expense of security. Unless the Auditor is involved and keeps tabs on the developments, it may be too late or too costly to insist subsequently that procedures be amended given
  • Give assurance to the Executive Management periodically on the progress of the BCP and highlight, on a timely basis, issues which the Auditor feels need their attention and approval if these have not been addressed adequately by the BCP teams.
  • Advise the BC project planning team or the BCM Program Office to be more careful in ensuring that matters are adequately looked into and resolved lest they escalate. Issues can be identified for discussion and review.
  • Monitor the business units’ participation in the BC project and BCM program and provide the Executive Management with ongoing progress reports.

Auditor Can Add Value

Often many Organization BCM Coordinators are hesitant to befriend the Auditors because of their prior experience of the Auditor’s traditional “critique and report” role. This traditional role may be deemed as an adequate contribution to the organization’s BCM program, but the auditor’s contribution can and should be enhanced.

As a BCM practitioner, I view Auditors as my allies in the BCM Planning Methodology. An Auditor is capable of providing much more value during the process rather than just through the “after the fact” exceptions report, which then appears to most in the organization as an attempt to find fault with the BCM Planning Methodology instead of being a part of it.

There are several specific areas where Auditors can add value, and I clearly see their role in helping to:

  • Build a business case for BCM.
  • Act as catalysts to securing the Executive Management’s commitment and obtaining funding.

Build a Case for BCM

This evolution from IT disaster recovery (DR) to business continuity has shifted the emphasis from the recovery of system resources to resumption and continuity of the business process. Corresponding to this movement, ownership and funding of the BCM program would be shifting from technology management to the individual business managers.

Some organizations continue to focus on IT DR plans as one of the key plans. During such sessions, Auditors can assist in “educating” the Executive Management that it is a business issue rather than just IT recovery.

Often, Auditors have the opportunity to communicate the need for a BCM program to the Executive Management. Auditors must emphasize the risks of not:

  • Being ready and able to recover and continue the organization’s critical business functions.
  • Complying with regulatory requirements.
  • Meeting contractual obligations and agreed-to service level agreements.
  • Providing an adequate level of BCM awareness within the organization.

In addition, this is what internal and external auditors should perform:

Internal Auditor

An Internal Auditor should:

  • Compile information throughout the organization on risks and potential threats to facilities and business processes, encountered during their necessarily close examination of these areas during other scheduled audits. Furthermore, the Auditor can often incorporate the review of BC elements into their audit plans.
  • Share BCP benchmarking data and leading practices across business units and functions in different locations.

External Auditor

The External Auditor may have information on the BCM Program or BC Plans, strategies and practices for organizations within an industry grouping, which may be helpful for an organization’s BCM efforts.

The knowledge will help to build a business case for BCM if the organization is still hesitating to move forward.

 

 


Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "Roles and Responsibilities in a BCM Audit"

 
