Most of us prefer to avoid Internal Audit, don’t we?
But it’s an essential process, so here we (a) consider how to leverage the process to our advantage and (b) provide links to examples of business continuity audit reports in big organisations.
BS25999 (and other standards) require a regular internal audit of the Business Continuity Management System. The audit should check that all the arrangements meet the required standard, are in line with the organisation’s business continuity policy and are being well maintained.
There are a number of courses available to Internal Auditors who want training or certification in business continuity auditing, though applying the general principles of auditing along with a good understanding of the standards may well be good enough for your organisation’s needs.
Leveraging Internal Audits To Your Advantage
How many of us avoid Internal Audit teams as much as we can?! Many of us consider Internal Audit a drain on our time, and get frustrated when they point out shortcomings we could have told them about ourselves if they’d asked nicely! And, let’s face it, opening ourselves up to an Internal Audit can be a little scary.
However, if you can bear to look at Internal Audit as your friends, you might see there is the potential for a different way with these teams. They might even be able to help you get your job done more efficiently.
First, let’s imagine that your own efforts in managing business continuity are being audited. Think about what you (not they!) want to achieve via the Audit. Are you short on resources, budget or effort from other areas of the organisation? Would it be helpful if Internal Audit said this instead of it coming from you? Can you help Internal Audit to come to these (truthful) conclusions?
Second, let’s imagine that Internal Audit want to look at some continuity plans in other areas of the organisation. Are you going to send them to look at some brilliant plans that conclude that Business Continuity is working brilliantly within the organisation? Or are you going to send them to a team that needs a little bit of an incentive to update or improve the plans in their area?
Third, let’s imagine that a supplier wants to see a report on the business continuity planning for your organisation. Is this something you could ask Internal Audit to do for you – and/or something you could tell Internal Audit you might have to use their report for?
Do have a think about how Internal Audit can help you, as well as how you can help your organisation. A little planning on your part might allow the audit process to assist you, rather than get in your way.
Here are some examples of business continuity audit reports that are publicly accessible on the internet. We believe these are mostly intentionally available, because the organisations are public services or are happy for the public, and their suppliers, to see them.
We do, however, note that the last one is marked ‘confidential’. We’ve included it to remind you to remove protective markings on non-confidential documents, or to ensure that truly confidential documents aren’t uploaded to your website in an insecure manner!
- United Nations Business Continuity Audit Report
- Industry Canada Business Continuity Audit Report
- US Office of Internal Oversight Services Continuity Audit Report
- Gambling Commission Board Update
- National Drug Treatment Monitoring System Continuity Audit Report
- Mental Health Authority of Harris County Business Continuity Audit Report
- Glasgow Life
Over time these links may change, so do let us know if any of them are broken.
In the meantime, if you have any thoughts, tips or comments regarding business continuity and internal auditing, do share them below.