A key activity of a business continuity management system (BCMS) is the process of reviewing and improving the business continuity program.
Your organization's internal audit department or, alternatively, an external audit firm can help you perform such reviews. Because the internal or external audit team may be unfamiliar with the nuances of business continuity and its many components, the following tips are helpful for collaborating on a business continuity audit.
1. Alert the BC audit team
Advise your audit team that you are preparing a business continuity management system, business continuity (BC) plans and associated BC activities, such as assessments, business impact analyses, risk analyses, strategy definitions, training and awareness programs, exercises and maintenance. Even if you are focused solely on preparing a new BC plan or updating an existing plan, be sure the audit team knows about it. An alternative to a traditional internal audit team might be an IT audit team that has experience in auditing business continuity programs.
2. Study previous BC/DR reports
Carefully review any previous operational audits of business continuity and/or technology disaster recovery (DR) activities. Such reports can help frame a subsequent business continuity audit with useful historical information and areas for possible re-examination.
3. Provide the audit team with reference docs
A good way for business continuity professionals to educate audit team members is to provide them with documentation that lends itself to the audit process, such as standards and regulations that consist primarily of control statements. Auditors can more easily prepare a business continuity audit program if they understand the controls to be reviewed and audited.
Useful documents include:
The ISO 22301/22313 international business continuity standards
The Business Continuity Institute's Good Practice Guidelines (2013 edition)
The National Fire Protection Association's NFPA 1600 standard (2013 edition)
The National Institute of Standards and Technology SP 800-34 on contingency planning for IT systems
The Financial Industry Regulatory Authority Rule 4370
ANSI/ASIS SPC.2-2014, Auditing Management Systems: Risk, Resiliency, Security and Continuity
In addition, seminars and training programs are available to BC professionals and auditors to provide guidance on auditing business continuity plans and related documents.
4. Create a business continuity audit program
Partner with your audit team to establish an audit program. Such a program should define the methodology, frequency, responsibilities, planning requirements and reporting activities. When preparing the program, be sure to define the scope of each audit, ensure that the auditors are suitably prepared and can be objective during their audit, distribute audit results to company management, and collect and retain relevant audit documentation and other evidence.
Work with your audit team to identify the audit controls applicable to the BCMS, or to whatever BC activities are being audited, review them against the standards and regulations described previously, and assist the auditors as appropriate with preparing their work papers.
Following completion of the audit and delivery of the audit report, be prepared to respond to the audit findings and recommendations, and note the time frames specified to correct any non-conformities.
Internal and external auditors can be highly valuable partners for business continuity professionals and their various programs.
Ten steps for a business continuity audit activity
Prepare the audit plan, which includes the audit scope, audit approach and schedule
Review and summarize information gathered for the audit, such as BCMS/BC plan documentation, questionnaires, business impact analysis reports, risk reports and previous audit documents
Identify gaps in existing documentation and update the information as appropriate
Review and apply standards, regulations, legislation and good practice documents to validate preliminary findings and prepare audit work papers
Identify audit controls and prepare work papers that reflect BC metrics established and defined by standards groups, regulators, legislators and others
Following the business continuity audit interviews and discovery, prepare a draft audit opinion report for discussion with interested parties in your organization
Complete a final audit report that includes results of discussions and recommended actions
Complete an action plan and time frame to remediate audit findings and recommendations
Ensure that the action plan to remediate audit findings is implemented within the agreed-upon time frame