Why Audit?
BC planning is similar to any other business activity that is critical to the success and continuation of an organization. Like those activities, BCP is subject to audit.
Auditors consider BCP to be as sensitive as security in terms of critical business risk areas. When the Auditors audit the BC activity, they hope to find that the activity is being properly carried out and that the BC Plan is comprehensive, current and appropriately tested. Knowing what the Auditors are looking for will not only make for a smoother audit, it will help to improve the overall BC Plan.
The process of building a business case for implementing a BC Plan is critical to the success of the plan. This is where the Auditor’s report on the lack of a BC Plan will help to support the justification for the BC initiative.
What is BCM Audit?
This stage gives an overview of the entire BCM audit process. It includes the objectives with the detailed tasks and expected deliverables.
Objectives
Formulate a mechanism to audit the Business Continuity Plan:
- Plan and prepare audit
- Conduct audit fieldwork
- Review and discuss audit findings
- Provide audit reporting
Tasks
The tasks to be completed in the Audit component of the Program Management phase include:
- Conduct preliminary assessment and fact-finding
- Formulate audit plan
- Review the BC Plan process for compliance with methodology
- Evaluate the BIA and Recovery Strategy
- Check for compliance with policies and procedures
- Review and discuss audit observations with Management
- Issue audit report
Expected Deliverables
The expected deliverables in a typical audit phase are:
- Audit plan
- Audit methodology
- Audit observations
- Audit report
Benefits of BCP Auditing
The auditing of the BC Plans can:
- Provide justification and motivation to the Executive Management on the inadequacies of the BC planning process within an organization
- Provide assurance with an independent and new perspective of the adequacy of the BC Plan
- Provide fresh ideas and approaches that may not have been considered by the BC development team
- Eliminate the false sense of security that is derived from unaudited and potentially faulty planning assumptions
- Show the Executive Management and all responsible parties the areas that need enhancement or correction, and the areas previously omitted
- Motivate those responsible to carry out a more thorough job in anticipation of the BC Plan being audited subsequently
- Determine that the process for managing the BC program is adequately put in place
In addition, it offers a good opportunity to:
- Evaluate the interactions among the preventive internal controls (or operational risk) program
- Include the testing of the various components of the BC Plan
- Observe the working relationships and interactions among various BC development groups that would be responsible for implementing the BC Plan
- Bring out deficiencies in the organizational and personnel areas for timely correction
What Does the Audit Process Entail?
The entire BC audit process involves the following phases:
Phase 1: Audit Planning & Preparation
- Conduct preliminary assessment
- Conduct fact-finding
- Formulate audit plan
Phase 2: Audit Fieldwork
- Review the BCP process for compliance with methodology
- Evaluate the BIA and Recovery Strategy
- Check for compliance with policies and procedures, for example, frequency of exercise and maintenance of BC Plan
Phase 3: Audit Review & Discussion
- Review and discuss audit observations with the Executive Management
Phase 4: Audit Reporting
Conclusion
Auditing and reviewing of the BC Plan is explained in further detail in the book “Auditing and Reviewing of Business Continuity Plan” (ISBN: 981-05-4300-X).
Reference
Goh, M. H. (2021). Managing & Sustaining Your Business Continuity Management Program. Business Continuity Management Planning Series (3rd ed.). Singapore: GMH Pte Ltd.
Extracted from "Chapter 20: What is Audit?"