PLANNING ISSUES
How to Survive a BCM Audit
By GEOFFREY WOLD, CISA, CGEIT, CPA, CMA, CMC, CDP, CSP, CFSA, CIRM
This article describes the approaches used for the various types of business continuity management (BCM) audits and how audits impact the business continuity planner. It also describes the most common weaknesses found in business continuity plans. And lastly, it presents a road map to prepare for a BCM audit.
BCM Audit Definition
The most general definition of an audit
is an evaluation of a person, organization,
system, process, project, or product. A
BCM audit is an independent evaluation
of the business continuity management
program or its components by internal or
external independent parties.
Types of Auditors
There are several types of auditors such
as internal auditors, external auditors, and
compliance auditors.
• Internal auditors are employees of a company that assess and evaluate its systems of internal control. A business continuity plan is considered to be an important component of an internal control system. To maintain independence, they present their reports directly to the board of directors or to executive management.
• External auditors are independent staff of an auditing firm that assess and evaluate financial statements of their clients or perform other agreed-upon evaluations such as IT audits that may also address the business continuity plans of the organization.
• Compliance auditors are examiners normally from a regulatory agency such as FFIEC, FERC, DHS/FEMA, JCAHO/HIPAA, and others depending on the type of industry.
Reasons for the BCM Audit
There are many reasons for BCM audits. The audit may be prompted by the internal audit department, by an external audit organization such as the CPA firm that performs the financial audit, or by a regulatory examiner. The audit may also be triggered by the results of an emergency event or by the results of a test exercise. Board and/or executive management may also request an audit of the business continuity management program or components thereof. In some cases a customer may request a BCM audit, for example customers of service organizations.
Benefits of a BCM Audit
There are several benefits that can be obtained as a result of a BCM audit. The BCM audit provides an independent evaluation of the BCM program and identification of the strengths and weaknesses of the program. The audit can also reveal high risks and associated mitigation strategies. The results should include recommendations for BCM improvements and identification of “best BCM practices.”
BCM Standards, Guidelines, and Frameworks
The BCM planner may have several questions for the BCM auditor regarding the pending audit, such as: what standard will be used for the BCM audit? There are several BCM standards, guidelines, and frameworks that are used for developing BCM plans, including:
• Disaster Recovery Institute International (DRII)
• Business Continuity Institute (BCI)
• COBIT – Control Objectives for Information and Related Technology
• ISO 17799/27000 Series
• National Fire Protection Association 1600 (NFPA 1600)
• BS 25999 (British Standards Institute)
• Various state statutes and regulatory requirements
Legal and Regulatory Requirements
Both the BCM planner and the BCM auditor should have a solid understanding of the applicable legal standards and regulations and of the organizations making the rules.
Scope of BCM Audits
It is advisable for the BCM planner to inquire and understand: What is the scope of the BCM audit? This understanding will help the BCM planner to better prepare the materials needed by the BCM auditor for the audit. The scope could include some or all of the items listed below:
• Business continuity management program and BCM policy
• Enterprise BCM, IT disaster recovery plan, and/or business unit/department BCPs
• Supporting plans (i.e., emergency plan, crisis management plan, pandemic plan,