
Business continuity plan auditing best practices

Follow these guidelines and advice when auditing your business continuity plan to ensure a successful audit.

Business continuity (BC) plan audits provide a systematic way to evaluate how business processes are being managed, particularly in light of a company's business objectives. They are accepted by senior management as a true test of how the company is being managed and, in particular, help identify areas that need improvement.


If you plan to audit an existing business continuity plan, the process can be time-consuming unless you do good up-front planning. This is true of any audit. An effective business continuity audit requires a structured audit framework and access to a qualified staff to generate high-quality results. This article provides a framework based on the British Standards Institution's BS 25999, Part 2, plus relevant supporting activities to make the audit a success. Auditing business continuity programs and their associated plans and documentation against a measurable benchmark provides assurance that the program is consistent with established industry practices and controls.

An internal audit work program does the following: delineates the work to be performed, supplies the work paper references (information used in the course of the audit, such as plan documents and results of exercises), identifies the person who performed the audit and who approved it, and includes applicable summary notes needed for clarification.

For a general audit guide, use table or spreadsheet formats such as those available in Microsoft Word or Excel. In the table, list the individual audit steps down the left-hand column of your analysis document. Auditor initials/approvals and any summary notes are recorded in the subsequent columns, creating a matrix or table-like layout for your program.

Your business continuity audit should follow the flow and methodology of a typical risk-based internal audit engagement. In terms of methodology, most internal audits generally follow an iterative series of steps that address the following:

  1. Understand and document the processes and procedures of the function or area being audited.
  2. Define the objectives of the area or function being audited.
  3. Define the risks or threats to the achievement of those objectives.
  4. Understand the controls in place to mitigate the risks to an acceptable level.
  5. Test the controls for adequate design and operating effectiveness and/or quantify the impact of control weaknesses or gaps.
  6. Report findings and offer recommendations for control and/or operating efficiency improvements.
  7. Monitor and report managerial mitigation efforts for control weaknesses identified that were outside of management's risk tolerance level.

These activities generally fall into one of four stages typically associated with the internal auditing process: planning, fieldwork, reporting, and follow-up. Aligning the activities within your business continuity audit program with these categories and steps will ensure successful completion of the audit process.

Activities and tests performed throughout a business continuity audit can deviate from the original plan based on the results of your audit work. Don't be afraid to modify your efforts as long as you are consistent with your overall audit objectives. And always communicate your activities to management.

Audit worksheet based on BS 25999, Part 2

To help you conduct a meaningful business continuity audit, the following table provides examples of key activities to audit. The table was adapted from BS 25999, Part 2, which is widely regarded as a useful audit tool.

Audit activity | Result of Audit | Approved by
---------------------------------------------------------------------------- | --------------- | -----------
Business Continuity Management System (BCMS) | |
Develop, implement, maintain, improve and document a BCMS. | |
Identify the products and services covered by the BCMS. | |
Ensure senior management support for business continuity management through creation of policies. | |
Identify and secure resources needed for the BCMS. | |
Identify and document BCM roles, responsibilities and needed skills. | |
Designate a person to oversee the BCMS program. | |
Embedding BC in the organization's culture | |
Establish activities to raise awareness of the business continuity program. | |
BCMS documentation and records | |
Document the plans, policies, business impact analysis (BIA), risk analyses and other relevant information. | |
Implementing and operating the BCMS | |
Conduct a BIA to identify the company's most critical business activities, potential threats to them, the financial, operational and competitive impacts of a disruption, and how the company should address the threats. | |
Conduct a risk assessment to identify and understand the threats and vulnerabilities. | |
Determine how the company can address the identified risks, e.g., accept them, ignore them and/or obtain insurance. | |
Business continuity strategies | |
Create strategies for recovery from and response to business-impacting events, emergency response, management of external and internal relationships, vendor management and supply chain management. | |
Business continuity and related plans | |
Develop and document process-level plans to recover from identified incidents; ensure that plans have detailed contact lists, support business objectives, contain roles and responsibilities, and identify primary and alternate recovery locations. | |
Develop and document emergency management plans, incident response plans, facility management plans and other process-level documents. | |
Exercising, maintenance and review | |
Ensure that the business continuity program and its associated documents are current through periodic exercising, maintenance, review and auditing. | |
Management review | |
Ensure that senior management has regular opportunities to review and approve the business continuity program. | |
Establish a process for updating and improving the program and its associated plans through change management or other approved techniques. | |
Establish a program of corrective action and continual improvement for the program and its plans. | |

Creating a high-quality business continuity audit program takes practice and patience. However, if you follow the guidelines and advice noted in this article, you'll find yourself far ahead of the knowledge curve and well on your way to conducting a successful audit.

About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.
