Operational Resilience Audit

Internal vs External OR Auditing: Roles, Responsibilities and Ethics

While internal and external auditors contribute to assessing and strengthening operational resilience, their roles, responsibilities, and ethical considerations differ significantly.

Hence, it is helpful to understand the differences in roles, responsibilities and ethical considerations between IA and EA.

Internal Auditors (IA)

Roles of IA

• Independent assurance provider. Evaluating the effectiveness of existing resilience programs and controls within the organization.
• Risk consultant. Collaborating with business units to identify and mitigate operational risks impacting resilience.
• Process improvement advocate. Proposing recommendations to enhance OR posture and optimize processes.
• Change agent. Driving improvements in risk management culture and awareness across the organization.

Responsibilities of IA

• Conducting risk assessments and audits focused on operational resilience.
  Testing controls and processes designed to mitigate identified risks.
• Evaluating the adequacy and effectiveness of resilience plans and preparedness.
• Reporting findings and recommendations to management and relevant stakeholders.
• Monitoring and measuring the effectiveness of implemented improvements.

Ethical Considerations of IA

• Maintaining independence and objectivity: Avoiding undue influence from management or bias towards specific outcomes.
• Confidentiality: Protecting sensitive information obtained during audits while ensuring adequate reporting for oversight purposes.
• Competence and professional diligence: Continuously updating knowledge and skills to perform audits effectively and adhere to professional standards.
• Acting in the organisation's best interests: Balancing adherence to regulations with supporting the organization's long-term sustainability and ethical conduct.

External Auditors (EA)

Roles of EA

• Independent opinion provider: Offering an external perspective on the organization's overall risk management and resilience posture.
• Regulatory compliance assurer: Verifying adherence to relevant regulations and standards impacting operational resilience.
• Stakeholder assurance provider: Building confidence for investors, creditors, and other stakeholders regarding the organization's resilience capabilities.

Responsibilities of EA

• Conducting audits focused on specific regulatory requirements or contractual obligations related to operational resilience.
• Assessing the design and effectiveness of controls based on agreed-upon procedures.
• Reporting findings and opinions to relevant stakeholders, potentially including public disclosure.
• May not delve as deeply into operational details as internal auditors.

Ethical Considerations of EA

• Maintaining independence and objectivity. Avoiding conflicts of interest and undue influence from clients or regulators.
• Professional scepticism. Maintaining a critical questioning stance ensures audit conclusions are based on accurate and sufficient evidence.
• Confidentiality. Protecting sensitive information obtained during audits while fulfilling reporting requirements to designated parties.
• Communication and transparency. Communicating limitations and uncertainties associated with their audit findings and opinions.

Key Differences

• Focus.  Internal auditors focus on broader operational resilience within the organisation, while external auditors may have a narrower scope dictated by regulations or contracts.
• Reporting. Internal auditors report primarily to management and internal stakeholders, while external auditors report to their clients and potentially publicly.
• Depth of engagement. Internal auditors typically understand the organisation's internal workings and may conduct more in-depth assessments.
• Impact. Internal auditors directly impact internal change and improvement within the organisation, while external auditors provide assurance and may trigger regulatory consequences.

Collaboration and Coordination

While their roles and responsibilities differ, effective operational resilience relies on collaboration and coordination between internal and external auditors.

• Sharing information and insights. Internal auditors can provide external auditors valuable context and understanding of the organisation's operations and risk landscape.
• Joint assessments. In some cases, collaborative audits can leverage the strengths of both parties for a more comprehensive evaluation.
• Mutual respect and understanding. Recognising the value each type of auditor brings to building a robust operational resilience framework.

By understanding internal and external auditors' different roles, responsibilities, and ethical considerations, organisations can effectively leverage their combined expertise to assess and strengthen their operational resilience posture.

	Please feel free to send us a note if you have any of these questions.

Roles and Responsibilities of Operational Resilience Auditors

Operational resilience auditors ensure organisations can withstand disruptions and maintain critical operations. Their responsibilities involve diverse tasks, requiring a unique blend of technical expertise, communication skills, and problem-solving abilities.

Here is a breakdown of their key roles and responsibilities:

Assessment and Evaluation

• Identify and assess potential threats.   
  • Analyse various sources to understand internal and external factors that could disrupt critical operations.
    
    
• Evaluate existing resilience programs. 
  • Assess the effectiveness of existing controls, plans, and processes in mitigating identified risks.
    
    
• Perform risk assessments. 
  • Utilise various methodologies (e.g., scenario-based, data-driven) to quantify the likelihood and impact of potential disruptions.
    
    
• Conduct audits and investigations.
  • Analyse documentation, interview stakeholders, and test controls to evaluate program effectiveness and identify vulnerabilities.

Planning and Implementation

• Develop and recommend improvements. 
  • Based on their findings, propose enhancements to existing programs, controls, and processes.
    
    
• Collaborate with stakeholders. 
  • Engage with business units, risk management teams, and senior leadership to understand needs and ensure aligned recommendations.
    
    
• Develop and implement audit plans. 
  • Design the scope, objectives, and methodologies for conducting operational resilience audits.
    
    
• Manage and lead audit teams. 
  • Build, train, and motivate teams with diverse skill sets to achieve audit objectives effectively.

Communication and Reporting

• Communicate effectively. 
  • Present audit findings and recommendations clearly and concisely to various stakeholders, tailored to their needs and knowledge level.
    
    
• Prepare audit reports. 
  • Draft comprehensive and actionable reports documenting findings, conclusions, and recommendations, adhering to relevant standards and regulations.
    
    
• Facilitate discussion and action. 
  • Collaborate with stakeholders to address concerns, answer questions, and implement agreed-upon actions.

Continuous Improvement and Development

• Monitor and update assessments.
  • Keep updated with evolving threats, regulatory changes, and industry best practices, and refine assessments and recommendations accordingly.
    
    
• Stay informed about emerging trends. 
  • Learn and adapt continuously to new technologies, techniques, and methodologies in operational resilience auditing.
    
    
• Share knowledge and expertise. 
  • Contribute to the profession's development by sharing best practices, participating in professional organisations, and mentoring others.

Additional Responsibilities and Specific Role

• Third-party risk assessments. 
  • Evaluate the resilience of critical vendors and suppliers.
    
    
• Regulatory compliance audits. 
  • Ensure adherence to relevant regulations impacting operational resilience.
    
    
• Information security audits. 
  • Assess the cybersecurity posture of systems and controls related to operational resilience.

Summing Up ...

Overall, operational resilience auditors are critical in protecting organisations from disruptions and ensuring business continuity.

They require a comprehensive skill set, critical thinking abilities, and the ability to effectively communicate complex information to diverse stakeholders.

As the field evolves, their responsibilities will continue to adapt and expand, requiring continuous learning and development to address emerging challenges and effectively contribute to organisational resilience.

	Please feel free to send us a note if you have any of these questions.

These Operational Resilience Audit (ORA) courses are designed with ORA and ancillary professionals operating globally.

Courses are available in 1, 2 and 4 (modules) days and are divided into three levels of competencies.

At the end of each course, participants are assessed through assessments or examinations to ascertain their level of competency. They can look forward to receiving an internationally recognised ORA certification through any of our ORA certification courses.

So, which level would be best for you? Perhaps the table below might help

Find Out More ...

Attend ORA Course
Name of Course	OR Expert Auditor	OR Auditor	OR Planner
Course Code	ORA-400/ 5000	ORA-300	ORA-200
Competency Level	Know-Do-Manage	Know-Do	Know
Course Fees (Singapore Dollar)
Blended Learning	$3,850	$2,400	$1,650
Hybrid Learning	$4,150	Online Only	Online Only
Certification Application and Eligibility
Certification Eligibility
Certification Type	Operational Resilience Audit Expert	Operational Resilience Audit Specialist	Operational Resilience Certified Planner
Certification Application Fee	SGD 150	SGD 75	SGD 50
OR Body of Knowledge	8 of 15 OR BoK	4 of 15 OR BoK	Not Required
Year of Experience	> Three years	> One year	Not Required

More Information About Operational Resilience ORA-5000 [ORA-5] or ORA-300 [ORA-3] Course

To learn more about the course and schedule, click the buttons below for the ORA-3 Blended Learning ORA-300 Operational Resilience Audit Implementer course and the OR-5 Blended Learning ORA-5000 Operational Resilience Audit Expert Implementer course.

	If you have any questions, click to contact us.

Operational Resilience Audit Learning Roadmap

Operational Resilience Audit Certification Level Vs Expertise Level and Competency Level

Operational Resilience Audit Competency Level Vs Training Requirement

Linking closely to the Operational Resilience Body of Knowledge or OR BoK, there are two building blocks to support our participants' learning journey. 

One is the Competency Level or CL, and the other is the Level of Expertise or Expertise Level.

 

Expertise Level

All training syllabi within BCM Institute have been designed to assist professionals in upgrading their competency using the "Know", "Do", and "Manage" level of expertise.

This applies to the Operational Resilience (OR) domains respective areas, including the Operational Resilience Audit (ORA).

 

For professionals who want to be acknowledged for their fundamental understanding of operational resilience. It usually includes personnel who are involved in the OR project or programme but are led by a designated OR professional (For example, the Operational Resilience Coordinator at the department or division level and for senior management being led by the Organisation Operational Resilience Coordinator))

 

For professionals who would like to be acknowledged for their understanding and training of the intricacies and maintenance of their organization's plans, be it for OR or ORA. To obtain any of the disciplines’ (OR or ORA) Specialist certification, one has to have at least one year of experience in the discipline of choice, pay an application fee and pass the relevant qualifying examination.

 

Professionals tasked to oversee and manage the organisation’s program and plans would like to know how to plan, implement, and sustain the program. They will be given the Expert certification only upon passing the appropriate qualifying Expert examination and demonstrating to the Certification Review committee that they have at least three years of experience and paying an application fee.

Comparison Between Expertise, Competency and Certification Level

 

Competency Level	Expertise Level	Course Level	Certification Level (OR)
1	Know	Foundation	Certified Planner
2	Do	Intermediate	Audit Specialist
3	Manage	Advanced	Audit Expert

 The Competency Level (CL) is a set of building blocks for BCM Institute's training and certification requirements. Each subject domain is broken into three distinct levels:

1. Foundation (CL 1)
2. Intermediate (CL 2)
3. Advanced (CL 3)

The breakdown for each of the domains for ORA [Operational Resilience Audit] are CL 1ORA, CL 2ORA and CL 3ORA

	Expertise Level	Know	Do	Manage
Domain (Discipline)	Course Code	Competency Level (with Code)
Operational Resilience Audit	ORA	CL 1 ORA	CL 2 ORA	CL 3 ORA

The arrangement of the tiers represents the increasing specificity and specialization of the operational Resilience (OR) and Operational resilience audit (ORA) skills and knowledge content.

Find out more about Blended Learning ORA-5000 [ORA-5] & ORA-300 [ORA-3]
	Please feel free to send us a note if you have any of these questions.

Operational Resilience Audit Planning Step

Summarise Findings

Detailed Steps to Summarise Findings When conducting an operational resilience audit, the findings and recommendations are crucial in guiding the organization's efforts to enhance its resilience capabilities. The following are detailed steps for summarising key findings and developing actionable recommendations: Summarise Key Findings Identify Strengths Analyse Weaknesses Prioritise Findings Develop Actionable Recommendations Provide Clear Guidance Align with Industry Best Practices Emphasise Continuous Improvement Consider Resource Constraints Validate Recommendations Document Findings and Recommendations Present Findings and Recommendations Summarise Key Findings Review all the identified gaps, vulnerabilities, and non-compliance issues from the audit. Summarise the key findings clearly and concisely, focusing on the most significant operational resilience areas. Provide a balanced view that includes both strengths and weaknesses observed during the audit. Identify Strengths Highlight the organisation's existing strengths related to operational resilience. These could include well-defined critical business services, robust incident response protocols, effective communication channels, or a culture of continuous improvement. Acknowledge these strengths to ensure a balanced perspective and encourage the organisation to build upon its capabilities. Analyse Weaknesses Provide a detailed analysis of the weaknesses and areas of concern identified during the audit. Articulate these weaknesses' root causes and potential consequences, emphasizing their impact on critical business functions, operations, and the organization. Prioritise Findings Prioritise the identified weaknesses based on the organisation's potential impact, likelihood, and risk appetite. Consider the criticality of the affected functions, the severity of potential disruptions, and the organization's overall objectives. This prioritisation will help focus efforts on addressing the most critical areas first. Develop Actionable Recommendations Based on the identified weaknesses and prioritised findings, develop actionable recommendations to enhance operational resilience. Ensure each recommendation is specific, measurable, achievable, relevant, and time-bound (SMART). Tailor the recommendations to address the organisation's specific context and capabilities. Provide Clear Guidance Provide clear guidance for each recommendation on how to implement it effectively. Include step-by-step instructions, necessary resources, and suggested timelines. Clarify the roles and responsibilities of key stakeholders involved in implementing the recommendations. Align with Industry Best Practices Ensure that the recommendations align with recognized industry best practices for operational resilience. Consider relevant standards, frameworks, or guidelines such as ISO 22301, NIST Cybersecurity Framework, or industry-specific standards. Align recommendations with industry best practices enhances their credibility and effectiveness. Emphasise Continuous Improvement Highlight the importance of a culture of continuous improvement. Encourage the organisation to view operational resilience as an ongoing process, not a one-time exercise. Emphasise the need for regular review, testing, and updating of plans, procedures, and capabilities to address emerging risks and changes in the business environment. Consider Resource Constraints Consider the organization's resource constraints, both in terms of budget and personnel. Develop recommendations that are realistic and feasible within the available resources. Prioritise recommendations that have a significant impact while considering resource limitations. Validate Recommendations Validate the recommendations with key stakeholders, including senior management and subject matter experts. Incorporate their feedback to ensure the recommendations are practical, achievable, and aligned with the organisation's strategic goals. Address any concerns or questions raised during the validation process. Document Findings and Recommendations Document the key findings, strengths, weaknesses, and actionable recommendations clearly and organised. Use appropriate formatting, headings, and subheadings to enhance readability. Include supporting evidence, examples, and references to relevant audit data and industry best practices. Present Findings and Recommendations Prepare a comprehensive report or presentation to communicate the findings and recommendations to senior management, relevant stakeholders, and the audit team. Articulate the purpose, methodology, key findings, and recommended actions. Use visuals, charts, and graphs to enhance understanding and highlight key points. By following these detailed steps, the findings and recommendations of an operational resilience audit can provide valuable insights and guidance for the organization to enhance its resilience capabilities effectively. Operational Resilience Audit Planning Steps Find out more about Blended Learning ORA-5000 [BL-ORA-5] & ORA-300 [BL-ORA-3]

	Please feel free to send us a note if you have any of these questions.