A key activity of a business continuity management system (BCMS) is the process of reviewing and improving the business continuity program.
Your organization's internal audit department or, alternatively, an external audit firm can help you perform such reviews. If the internal or external audit team is unfamiliar with the nuances of business continuity and its many components, the following tips are helpful for collaborating on a business continuity audit.
1. Alert the BC audit team
Advise your audit team that you are preparing a business continuity management system, business continuity (BC) plans and associated BC activities, such as assessments, business impact analyses, risk analyses, strategy definitions, training and awareness programs, exercises and maintenance. Even if you are focused solely on preparing a new BC plan or updating an existing plan, be sure the audit team knows about it. An alternative to a traditional internal audit team might be an IT audit team that has experience in auditing business continuity programs.
2. Study previous BC/DR reports
Carefully review any previous operational audits of business continuity and/or technology disaster recovery (DR) activities. Such reports can help frame a subsequent business continuity audit with useful historic information and areas for possible re-examination.
3. Provide the audit team with reference docs
A good way for business continuity professionals to educate audit team members is to provide them with documentation that lends itself to the audit process, such as standards and regulations that consist primarily of control statements. Auditors can more easily prepare a business continuity audit program if they understand the controls to be reviewed and audited.
Useful documents include:
- The ISO 22301/22313 international business continuity standards
- The Business Continuity Institute's Good Practice Guidelines (2013 edition)
- The National Fire Protection Association's NFPA 1600 standard (2013 edition)
- The National Institute of Standards and Technology SP 800-34 on contingency planning for IT systems
- The ASIS International SPC.1-2009 organizational resilience standard
- The Federal Financial Institutions Examination Council Business Continuity Handbook (2015 edition)
- The Financial Industry Regulatory Authority Rule 4370
- ANSI/ASIS SPC.2-2014, Auditing Management Systems: Risk, Resiliency, Security and Continuity
In addition, seminars and training programs are available to BC professionals and auditors to provide guidance on auditing business continuity plans and related documents.
4. Create a business continuity audit program
Partner with your audit team to establish an audit program. Such a program should define the methodology, frequency, responsibilities, planning requirements and reporting activities. When preparing the program, be sure to define the scope of each audit, ensure that the auditors are suitably prepared and can be objective during their audit, distribute audit results to company management, and collect and retain relevant audit documentation and other evidence.
Work with your audit team to identify the relevant audit controls as applicable to a BCMS or whatever BC activities are being audited, review them against standards and regulations described previously, and assist them as appropriate with preparing their work papers.
Following completion of the audit and delivery of the audit report, be prepared to respond to the audit findings and recommendations, and note the time frames specified to correct any non-conformities.
Internal and external auditors can be highly valuable partners for business continuity professionals and their various programs.
Ten steps for a business continuity audit activity
- Prepare the audit plan, which includes the audit scope, audit approach and schedule
- Review and summarize information gathered for the audit, such as BCMS/BC plan documentation, questionnaires, business impact analysis reports, risk reports and previous audit documents
- Identify gaps in existing documentation and update the information as appropriate
- Review and apply standards, regulations, legislation and good practice documents to validate preliminary findings and prepare audit work papers
- Identify audit controls and prepare work papers that reflect BC metrics established and defined by standards groups, regulators, legislators and others
- Following the business continuity audit interviews and discovery, prepare a draft audit opinion report for discussion with interested parties in your organization
- Complete a final audit report that includes results of discussions and recommended actions
- Complete an action plan and time frame to remediate audit findings and recommendations
- Ensure that the action plan to remediate audit findings is implemented within the agreed-upon time frame
- Schedule the next audit