As an independent function, audit can play a very constructive and important role in the conception, development, implementation, and testing phases of the organization’s BCM program. It is therefore quite important that audit has an active role in the program.
Assisting the Executive Management in protecting the assets of the organization has been a traditional role of Auditors, through their work of assessing and testing the adequacy of internal controls for asset protection. In the context of internal controls, the BCM program is one of the elements that Auditors are interested in reviewing. This automatically dictates that Auditors become actively involved.
Figure 3.1 summarizes the various functions and roles that the Auditor, Reviewer, and Planner (Organization BCM Coordinator) can play, as well as some of the ways in which the Auditor can contribute to enhancing the effort and provide support through their access to the Executive Management, all the way to the Board of Directors.
Figure 3.1: Roles of Auditors, Reviewers, and Planners
It is often asked, “What role should an Auditor play during the BCP implementation?” This chapter attempts to answer that question by suggesting some ways an Auditor can add value to the BCM program.
Keep in mind that the appropriate level of participation should be aligned with the organization’s overall audit plan, the availability of appropriate audit resources and the existence and maturity level of the organization’s BCM program.
Usually, a routine BCM Audit is conducted only when a BC project is completed, and the audit has an existing, developed and standardized audit program. However, I would strongly recommend that Auditors participate in the BCP development process itself, that is, get involved in the action, be part of the development team, work closely with the Organization BCM Coordinator, and offer their independent professional advice with a view to contributing to the effectiveness of the BC Plan.
I strongly recommend that the organization’s audit approach be fully integrated with the BCM Planning Methodology, as this is a business, technology, and operational issue. Auditors’ participation may cover the entire program or may be limited to one or more of the specific areas of development.
Auditors are in a unique position of having access to related initiatives across the organization. They also have unique access to the Executive Management, the Audit Committee and the Board of Directors. These attributes should be explored and tapped as a benefit to any BCM program.
Leveraging the Auditors and their audit process in the BCM program makes sense, as it helps to review what is needed and required by the standard. The aim is not just to comply with the BCM standard but also to determine how the existing organization processes could be implemented. Being involved in the BC planning implementation has the following advantages as the auditor can:
Many Organization BCM Coordinators are hesitant to befriend the Auditors because of their prior experience of the Auditor’s traditional “critique and report” role. This traditional role may be deemed an adequate contribution to the organization’s BCM program, but the auditor’s contribution can and should be enhanced.
As a BCM practitioner, I view Auditors as my allies in the BCM Planning Methodology. An Auditor is capable of providing much more value during the process than just through the “after the fact” exceptions report, which then appears to most in the organization as an attempt to find fault with the BCM Planning Methodology instead of being a part of it.
There are several specific areas where Auditors can add value, and I clearly see their role in helping to:
This evolution from IT disaster recovery (DR) to business continuity has shifted the emphasis from the recovery of system resources to resumption and continuity of the business process. Corresponding to this movement, ownership and funding of the BCM program would be shifting from technology management to the individual business managers.
Some organizations continue to focus on IT DR plans as one of the key plans. During such sessions, Auditors can assist in “educating” the Executive Management that it is a business issue rather than just IT recovery.
Often, Auditors have the opportunity to communicate the need for a BCM program to the Executive Management. Auditors must emphasize the risks of not:
In addition, this is what internal and external auditors should do:
An Internal Auditor should:
The External Auditor may have information on the BCM programs or BC plans, strategies and practices of organizations within an industry grouping, which may be helpful for an organization’s BCM efforts.
This knowledge will help to build a business case for BCM if the organization is still hesitating to move forward.
Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.
Extracted from "Roles and Responsibilities in a BCM Audit"