Audit Is NOT a Four-Letter Word
By Donald L. Schmidt, CBCLA
When you hear about an upcoming audit, do you get that dreaded feeling that someone’s going to be looking for problems, questioning your judgement, or wasting your time? Maybe all three. I’ve worked in corporate environments and have had to overcome that impression and some resistance. As a consultant, engaged in auditing for clients, I have had some interesting experiences. One time, I was invited to sit in on an internal audit. It quickly became apparent that the auditor didn’t understand the questions he was asking. I’m sure the auditor was doing his best, but wouldn’t adding subject matter expertise to the audit team have resulted in a more informative audit? (That’s why I was there, but I don’t think the internal auditor was aware.)
What’s the purpose of auditing emergency management and business continuity programs? The purpose should be to determine whether business continuity management system (BCMS) or program objectives are being met. Safeguarding life, protecting assets (physical, technology, and information), minimizing business interruption, preventing environmental contamination, as well as protecting the organization’s image, financial standing, and relationships with stakeholders are the high-level goals.
A lot of planning, development, and implementation goes into achieving these goals and keeping pace with constant changes in the organization, its risk profile, and the availability and capability of resources to support the program. That’s why auditing is so essential—constant change and an ever-changing risk environment.
Do I have to?
Programs certified to ISO 22301 or NFPA 1600 are required to conduct periodic audits. “The organization shall determine opportunities for improvement and implement necessary actions to achieve the intended outcomes of its BCMS.” [ISO 22301:2019, 10.1.1]. “The entity shall maintain and improve the program by evaluating its policies, program, procedures, and capabilities using performance objectives.” [NFPA 1600:2019, 10.1]
Industries including financial services and healthcare are required to conduct audits, including audits of critical suppliers. Supply chain challenges over the past several years have demonstrated the need to identify vulnerabilities in the supply chain and to assess the resiliency of critical suppliers. Auditing informs this need. It is common today for customer-supplier contracts to specify that the customers have the right to audit a supplier’s resiliency. It’s best for those suppliers to conduct self-audits to identify any gaps before their important customers do.
What are the best practices?
Audits should have clear objectives that align with the objectives of the program or BCMS. Audit scope should include facilities and activities with the highest priority activities, most significant risk profile, or high value assets exposed.
Audit teams should consist of subject matter experts (SMEs) from throughout the organization. Audit leaders must ensure that the team includes the expertise required to accomplish audit objectives. Expertise in auditing is a must, and certification provides evidence of that. Knowledge of the industry, operations, risks, and controls is also very important. Core areas of expertise include risk assessment, loss prevention, hazard mitigation, security (physical, operational, and information), emergency management, business continuity, IT disaster recovery planning, crisis management, and crisis communications. Utilizing outside SMEs may be necessary.
What about standards?
One of the international standards (ISO 22301 or NFPA 1600) should be chosen as the criteria to evaluate the organization’s program or BCMS. Keep in mind that standards are written to be high-level, concise, and not overly prescriptive.
Standards reference laws, authorities, and other requirements that become part of the audit criteria. The audit team must have a good understanding of the chosen standard to determine whether the program or BCMS is conforming to the standard and compliant with applicable regulations. Need help determining which to choose? Check out our audit FAQs.
What’s my next step?
Educate yourself. DRI International has two audit courses designed for business continuity professionals, risk managers, internal auditors, and consultants who audit business continuity management systems and programs. One is based on ISO 22301 and the other is based on NFPA 1600. These courses provide the foundation for auditing: the collection of evidence through interviews, document reviews, and site surveys, and the use of standards as criteria to evaluate each aspect of a program or management system.
Each course begins with the basics of auditing, developing an audit work plan, assembling a team, researching requirements, requesting documents for review, and scheduling site surveys and interviews. Lessons address each standard’s BCMS requirements, provide auditing techniques, and identify evidence of conformity. Interactive class activities involve hands-on auditing of a hypothetical company using the selected standard.
Author: Donald L. Schmidt is a Certified Business Continuity Lead Auditor and DRI instructor. He will be teaching BCLE AUD ISO 22301 online beginning on August 14 and the BCLE AUD NFPA 1600 course online beginning on November 27. He also authored: Business Continuity, Audit, and the Crucial Need for Assessment of Preparedness