Guest Blog: Auditing Business Continuity

30th May 2013

This week we have a guest blog written by Glenn Smith. In it, Glenn gives some insight into auditing, drawing on his considerable experience of auditing against ISO 27001, ISO 22301, ISO 14001 and ISO 9001. Over to Glenn:

Most of us have heard the word audit but do we really understand what the objectives and benefits of an audit are?

To start with, let us define an audit:

'an audit is an evaluation of a person, organization, system, process, enterprise, project or product against a product or performance specification, sets of rules or an agreed or approved way of doing things'

So why go to all that effort and audit?

  1. Certification requirement. If you have or need to have an accreditation to a British Standard (BS), International Standard (ISO) or other national standard, then the requirement to complete an audit of your performance against the criteria set out in the Standard will be obligatory. This will be particularly true of any management standard.
  2. Other regulatory or governance requirement. Here the need to audit may not be part of the requirement; however, knowing that you are compliant with your regulators', stakeholders' or even customers' requirements to complete business could be a key success factor. The last people you want to be aware of any failings are those that keep you in business.
  3. Audits should be considered as part of a management system, i.e. not to be thought of in isolation and a chore to be completed. They are an independent review of the organisation's current performance against the agreed criteria. Whether using an internal resource or external, the audit should be an objective, unbiased review.
  4. Using a third party, the audit process gives you access to industry/sector expertise.

So what does an audit really consist of?

Firstly, it has to have a purpose: check against compliance, gap analysis against a standard, check for improvement... Within that purpose, each audit should have a scope, i.e. how much of the organisation is being looked at, and a set of defined objectives.

Audits should also be planned. Typically –

  • An opening meeting with all the players, including senior management, to explain the audit, the process and outcomes
  • Overview meeting with senior management
  • Documentation review
  • Interviews with key players
  • Walkabout, including talks with other players as found
  • Conclusion meeting to confirm audit results

To benefit the organization, an internal audit service needs to be professional and provide real value to an organisation. Its aim is to help ensure that the entity continues to meet the requirements of the standard/regulation/governance/stakeholder or customer need, and most importantly that the management systems really do benefit the organisation and that they are not seen as a bureaucratic overhead. This is done by using auditors who understand how a business works, the Standard, industry requirements, being pragmatic and how a management system can support a business.

Using Standards, supported by audit, allows companies to publicly demonstrate the quality of what they do and deliver to their customers, and internally helps to embed best practice into an organization of any size.

Look on auditing as an opportunity to learn and improve your business, not a test of what you can get away with!