Four tips for a successful business continuity audit

1. Alert the BC audit team

Advise your audit team that you are preparing a business continuity management system, business continuity (BC) plans and associated BC activities, such as assessments, business impact analyses, risk analyses, strategy definitions, training and awareness programs, exercises and maintenance. Even if you are focused solely on preparing a new BC plan or updating an existing plan, be sure the audit team knows about it. An alternative to a traditional internal audit team might be an IT audit team that has experience in auditing business continuity programs.

2. Study previous BC/DR reports

Carefully review any previous operational audits of business continuity and/or technology disaster recovery (DR) activities. Such reports can help frame a subsequent business continuity audit with useful historic information and areas for possible re-examination.

3. Provide the audit team with reference docs

Auditors can more easily prepare a business continuity audit program if they understand the controls to be reviewed and audited.

A good way for business continuity professionals to educate audit team members is to provide them with documentation that lends itself to the audit process, such as standards and regulations that are comprised primarily of control statements. Auditors can more easily prepare a business continuity audit program if they understand the controls to be reviewed and audited.

Useful documents include:

• The ISO 22301/22313 international business continuity standards
• The Business Continuity Institute's Good Practice Guidelines (2013 edition)
• The National Fire Protection Association's NFPA 1600 standard (2013 edition)
• The National Institute of Standards and Technology SP 800-34 on contingency planning for IT systems
• The ASIS International SPC.1-2009 organizational resilience standard
• The Federal Financial Institutions Examination Council Business Continuity Handbook (2015 edition)
• The Financial Industry Regulatory Authority Rule 4370
• ANSI/ASIS SPC.2-2014, Auditing Management Systems: Risk, Resiliency, Security and Continuity

In addition, seminars and training programs are available to BC professionals and auditors to provide guidance on auditing business continuity plans and related documents.

4. Create a business continuity audit program

Partner with your audit team to establish an audit program. Such a program should define the methodology, frequency, responsibilities, planning requirements and reporting activities. When preparing the program, be sure to define the scope of each audit, ensure that the auditors are suitably prepared and can be objective during their audit, distribute audit results to company management, and collect and retain relevant audit documentation and other evidence.

Work with your audit team to identify the relevant audit controls as applicable to a BCMS or whatever BC activities are being audited, review them against standards and regulations described previously, and assist them as appropriate with preparing their work papers.

Following completion of the audit and delivery of the audit report, be prepared to respond to the audit findings and recommendations, and note the time frames specified to correct any non-conformities.

Internal and external auditors can be highly valuable partners for business continuity professionals and their various programs.