Business continuity plan auditing best practices

Business continuity (BC) plan audits provide a systematic way to evaluate how business processes are being managed, particularly in light of a company's business objectives. They are accepted by senior management as a true test of how the company is being managed and, in particular, help identify areas that need improvement.

If you plan to audit an existing business continuity plan, the process can be time-consuming unless you do good up-front planning. This is true of any audit. An effective business continuity audit requires a structured audit framework and access to qualified staff to generate high-quality results. This article provides a framework based on the British Standards Institution's BS 25999, Part 2, plus relevant supporting activities to make the audit a success. Auditing business continuity programs and their associated plans and documentation against a measurable benchmark provides assurance that the program is consistent with established industry practices and controls.

An internal audit work program does the following: delineates the work to be performed, supplies the work paper references (information used in the course of the audit, such as plan documents and results of exercises), identifies the person who performed the audit and who approved it, and includes applicable summary notes needed for clarification.

For a general audit guide, use a table or spreadsheet format such as those available in Microsoft Word or Excel. In the table, list the individual audit steps down the left-hand column of your analysis document. Auditor initials/approvals and any summary notes are recorded in subsequent columns, creating a matrix or table-like layout for your program.

Your business continuity audit should follow the flow and methodology of a typical risk-based internal audit engagement. In terms of methodology, most internal audits generally follow an iterative series of steps that address the following:

  1. Understand and document the processes and procedures of the function or area being audited.
  2. Define the objectives of the area or function being audited.
  3. Define the risks or threats to the achievement of those objectives.
  4. Understand the controls in place to mitigate the risks to an acceptable level.
  5. Test the controls for adequate design and operating effectiveness and/or quantify the impact of control weaknesses or gaps.
  6. Report findings and offer recommendations for control and/or operating efficiency improvements.
  7. Monitor and report managerial mitigation efforts for control weaknesses identified that were outside of management's risk tolerance level.

These activities generally fall into one of four stages typically associated with the internal auditing process: planning, fieldwork, reporting, and follow-up. Aligning the activities within your business continuity audit program with these categories and steps will ensure successful completion of the audit process.

Activities and tests performed throughout a business continuity audit can deviate from the original plan based on the results of your audit work. Don't be afraid to modify your efforts as long as you are consistent with your overall audit objectives. And always communicate your activities to management.

Audit worksheet based on BS 25999, Part 2

To help you conduct a meaningful business continuity audit, the following table provides examples of key activities to audit. The table was adapted from BS 25999, Part 2, which is widely regarded as a useful audit tool.

Control | Result of Audit | Comments | Auditor | Approved by
--- | --- | --- | --- | ---
Business Continuity Management System (BCMS) | | | |
Develop, implement, maintain, improve and document a BCMS. | | | |
Identify the products and services covered by the BCMS. | | | |
Ensure senior management support for business continuity management through creation of policies. | | | |
Identify and secure resources needed for the BCMS. | | | |
Identify and document BCM roles, responsibilities and needed skills. | | | |
Designate a person to oversee the BCMS program. | | | |
Install BC in the organization's culture | | | |
Establish activities to raise awareness of the business continuity program. | | | |
BCMS documentation and records | | | |
Document the plans, policies, business impact analysis (BIA), risk analyses and other relevant information. | | | |
Implementing and operating the BCMS | | | |
Conduct a BIA to identify the company's most critical business activities, potential threats to them, the financial, operational and competitive impacts of a disruption, and how the company should address the threats. | | | |
Conduct a risk assessment to identify and understand the threats and vulnerabilities. | | | |
Determine how the company can address the identified risks, e.g., accept them, ignore them and/or obtain insurance. | | | |
Business continuity strategies | | | |
Create strategies for recovery from and response to business-impacting events, emergency response, management of external and internal relationships, vendor management and supply chain management. | | | |
Business continuity and related plans | | | |
Develop and document process-level plans to recover from identified incidents; ensure that plans have detailed contact lists, support business objectives, contain roles and responsibilities, and identify primary and alternate recovery locations. | | | |
Develop and document emergency management plans, incident response plans, facility management plans and other process-level documents. | | | |
Exercising, maintenance and review | | | |
Ensure that the business continuity program and its associated documents are current through periodic exercising, maintenance, review and auditing. | | | |
Management review | | | |
Ensure that senior management has regular opportunities to review and approve the business continuity program. | | | |
Establish a process for updating and improving the program and its associated plans through change management or other approved techniques. | | | |
Establish a program of corrective action and continual improvement to the program/plans. | | | |

The Result of Audit, Comments, Auditor and Approved by columns are left blank in the worksheet and are completed during the audit.

Creating a high-quality business continuity audit program takes practice and patience. However, if you follow the guidelines and advice noted in this article, you'll find yourself far ahead of the knowledge curve and well on your way to conducting a successful audit.

About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.

This was first published in November 2009
