Committed to Systems
Internal BCMS Auditor Course
Agenda
1. What is ISO Audit & what it includes?
2. Types of Audits / Certification
3. Principles of audit
4. Audit stages
5. Audit scenarios
6. Introduction to Controls
Course Structure
• Tutorial sessions
• Practical exercises
• Quiz
• Examination
Concepts & Principles
of Auditing
Audit
Systematic, independent and documented
process for obtaining audit evidence and
evaluating it objectively to determine the extent
to which audit criteria are fulfilled.
ISO 9000:2015
Audit terms (ISO 19011:2018, clause 3, Terms and definitions)
• Auditee: the organization being audited.
• Audit client: the organization or person requesting an audit.
• Audit criteria: a set of policies, procedures or requirements used as a reference against which objective evidence is compared.
• Objective evidence: data supporting the existence or verity of something; it can be qualitative or quantitative and is gathered during the audit.
• Audit programme: arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.
• Audit plan: a description of the activities and arrangements for an audit.
• Audit scope: the extent and boundaries of an audit, such as the locations, functions, activities and processes to be audited.
• Audit team: one or more auditors conducting an audit, supported if needed by technical experts or observers.
• Auditor: a person with the competence to conduct an audit.
• Risk-based thinking in audits: consideration of the risks and opportunities relevant to achieving the audit objectives, so that the audit stays focused and efficient (not a defined term; implied by ISO 19011's risk-based approach to planning and conducting audits).
Objective Evidence
• Data supporting the existence or verity of something – ISO 9000:2015
• May be obtained through:
  - Records
  - Observation
  - Measurement or test
  - Statements (verbal)
• Can be verified
Specified Requirements
• Organization system requirements
• Manuals
• Policies & Procedures
• ISO 22301 standard requirements
• Legal requirements (statutory, regulatory or industry body)
Audit Purpose
To collect objective evidence to permit an
informed judgement about the status and
effectiveness of the Business continuity
management system.
Principles of Auditing
Principles relating to auditors:
Ethical conduct
Fair presentation
Due professional care
Confidentiality
Principles relating to audit:
Independence
Evidence-based approach
Risk based thinking
Principles of Auditing (A = principle relating to auditors, P = principle relating to the audit)
• Ethical conduct (A): trust, integrity, confidentiality, discretion
• Fair presentation (A): audit findings and conclusions are accurate and truthful
• Due professional care (A): exercise care in keeping with the confidence placed in auditors by their clients; competence is essential
• Independence (P): auditors are independent of the activities being audited and are free from bias or conflict of interest; conclusions are objective and based only on audit evidence
• Evidence-based approach (P): audit evidence is based on samples of the available information; conclusions are verifiable
• Risk-based thinking (P): emphasizes identifying and assessing risks, evaluating the adequacy of controls, and finding ways to mitigate risks and enhance opportunities
Conformity vs. Compliance
Conformity:
• Fulfilment of a requirement
• Nonconformity can lead to suspension or revocation of registration
• Voluntary
Compliance:
• Fulfilment of legal/statutory requirements
• Noncompliance can lead to fines/incarceration
• Mandatory
Types of Audit
• First-party audit: internal audits conducted by, or on behalf of, the organization (audit client) itself.
• Second-party audit: external provider audit; other external interested party audit.
• Third-party audit: certification and/or accreditation audit; statutory, regulatory and similar audit.
Other Types of Audit
• Pre-assessment
• Certification
• Surveillance
• Process
• Product
Reasons for Internal Audits
• Requirement of all management system
standards
• Source of information for use by management
• Powerful tool for continual improvement through:
• Employee involvement
• Communication
• Employee awareness, etc.
Benefits of Auditing
• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of effectiveness
of the system to management
• Reduces risk of system failure
• Identifies improvement opportunities
• Precipitates the corrective action cycle
• Precipitates the preventive action cycle
Audit Process - Overview
Key stages in the internal auditing process (PERC): Planning, Execution, Reporting, Closing
1. Planning for the audit
2. Execution/conducting the audit
3. Reporting the audit
4. Corrective action & follow-up
Typical audit activities, in order: initiating the audit; conducting document review; preparing for the on-site audit activities; conducting on-site audit activities; preparing, approving & distributing the audit report; completing the audit; conducting audit follow-up.
Overview of typical audit activities: 1. Planning the Audit
Initiating the audit:
- appoint the audit team leader
- define the audit objectives, scope & criteria
- determine the feasibility of the audit
- select the audit team
- establish initial contact with the auditee
Conducting document review:
- review the relevant management system documents, including records, and determine their adequacy with respect to the audit criteria
Preparing for the on-site audit activities:
- prepare the audit plan
- assign work to the audit team
- prepare work documents
Overview of typical audit activities: 2. Conducting on-site audit activities
- conduct the opening meeting
- communicate during the audit
- explain the roles and responsibilities of guides and observers
- collect and verify information
- generate audit findings
- prepare audit conclusions
- conduct the closing meeting
Audit Planning &
Preparation
Audit Planning
• Audit Schedule
• Audit Checklist
Audit Schedule
Audit Schedule is based on :
• Frequency of audit (as mentioned in procedure)
• Processes/ area to be audited
• Duration of audit
• Qualified internal auditors
• Audit Team to have applicable technical expertise
• Independence of audit team (Cross functional audit)
Audit Schedule - 1 (annual plan): a matrix of processes (Marketing, IT Technology, System Administration, HR, Administration) against the months January to December, each cell marked P = Planned audit or A = Additional audit.
Audit Schedule - 2 (two-day audit)
Day 1
  1000 – 1300   Software Dev          Auditors A & B
                Real Estate Dev       Auditors C & D
  1400 – 1700   BPO                   Auditors E & F
                Educational Portal    Auditors G & H
Day 2
  1000 – 1300   Executive Search      Auditors I & J
                IT                    Auditors K & L
  1400 – 1700   HR                    Auditors M & N
                Administration        Auditors O & P
cc: all Department Heads and Auditors
Checklists
A checklist or aide-mémoire is a systematic set of questions/prompts about the auditee's management system which enables the auditor to maintain a consistent approach and ensures that no important points are missed.
A checklist should not be a list of questions to ask the auditee. It is simply a "prompt" for the aspects of the system which require review.
Checklists
Checklists may be :
• Generic
Or
• Tailored
Check-lists
• Aide-mémoire
• Concise
• Avoid tick sheets or standard questionnaires
• Should not take over the audit
• Useful for new auditors
• Help with time management
• Can be updated or added to during the course of the audit
• Can evolve over time
Checklists- Benefits
A well constructed aide-mémoire will help to:
• Keep audit objectives clear
• Provide evidence of audit planning
• Maintain audit pace and continuity
• Reduce auditor bias
• Reduce workload during audit
Why Use Check-lists?
 Ensures continuity and depth of audit
 Ensures all relevant aspects are covered
 Gives structure to interviews
 Provides help if stuck
 More professional.
Checklist Drawbacks
Checklists tend to lose value if they are:
• Tick (√) lists
• Questionnaires
• Too focused
• Inflexible
Prepare them as aides-mémoire.
Checklists Preparation - Inputs
• Company Policies and Procedures
• Process information
• Customer requirements
• Applicable legal requirements
• Codes of practice
• Management priorities
• Previous incidents and accidents
• Previous audits reports
• Known problems
Sample Checklist Format
Process/Dept: ________   Auditee: ________
Auditor/s: ________      Date: ________
Columns: S.No. | Requirements | Standard Clause No. | Objective Evidence
Clause 4: Context of the Organization
4.1 Understanding the Organization and Its Context
1. Identification of context
- Has the organization identified external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the BCMS?
- Are the identified issues documented and periodically reviewed?
- How does the organization monitor changes in the identified issues?
2. Evidence
- Is there evidence (e.g., meeting minutes, risk analysis, stakeholder reports) showing that the organization regularly assesses its context?
4.2 Understanding the Needs and Expectations of Interested Parties
1. Identification of interested parties
- Has the organization identified all relevant interested parties (e.g., employees, customers, regulators, suppliers)?
- Are their needs and expectations documented?
2. Requirements of interested parties
- Has the organization determined which of these needs and expectations are relevant to the BCMS?
- How are these requirements incorporated into the BCMS processes?
3. Monitoring and review
- Are mechanisms in place to monitor and review changes in the needs and expectations of interested parties?
4. Evidence
- Is there documented evidence (e.g., stakeholder analysis, communication logs) of conformity with this requirement?
4.3 Determining the Scope of the BCMS
1. Defining the scope
- Is the scope of the BCMS defined based on internal and external issues and the requirements of interested parties?
- Does the scope consider the organization's legal, regulatory and contractual obligations?
2. Boundaries of the BCMS
- Are the boundaries and applicability of the BCMS clearly established (e.g., organizational units, locations, activities)?
- How does the organization justify exclusions, if any, from the scope?
3. Evidence
- Is there a documented statement of the BCMS scope (e.g., in the BCMS manual or policy)?
4.4 Business Continuity Management System
1. Establishment of the BCMS
- Has the organization established, implemented, maintained and continually improved a BCMS?
- Are the processes and interactions required for the BCMS clearly defined?
2. Integration with business processes
- Is the BCMS integrated with the organization's broader business processes and strategy?
- Are key roles and responsibilities for the BCMS defined?
3. Continual improvement
- Are mechanisms in place to ensure continual improvement of the BCMS?
4. Evidence
- Is there documented evidence (e.g., process maps, roles and responsibilities matrices, performance monitoring data) supporting the implementation of the BCMS?
Audit Execution
Auditor’s role
• Various roles of an auditor:
• A catalyst
• Management instrument
• An interface with
• suppliers
• customers
• colleagues
• A ‘consultant’ (NOT 3rd Party)
Some Attributes of a Good Auditor
Open-minded, diplomatic, decisive, perceptive, observant, tenacious, self-reliant, ethical. Any more?
Auditor Qualification
Auditors must be competent in –
• Reasoning of nonconformities
• Evaluating effectiveness of corrective
action
Managing Communications
• Put auditee at ease
• Ask questions and listen
• Have the appropriate body language
• Smile and show eye contact
• Avoid interruptions
• Avoid sarcastic & condescending remarks
• Give praise and feedback
• Acknowledge and show interest
• Be tactful and polite
• Show patience and understanding
• Thank the auditee on completing the audit
Personality Types
• The Everything is Absolutely Fine
• Stick to the Bare Facts
• Detail, Detail, Detail
• I Always Have the Right and Best Answer
Managing Communications
• Effective communication
• Questioning
• Listening
• Body Language
Resolving Differences
• Types of conflict
• Dealing with conflict
Conduct of the Audit
• Meet the auditee
• Explain what you want to see
• Sampling audit
• Investigate to the depth necessary
• No problems found, move on
• Don’t keep on auditing until problems are
found
Sampling
Why? It reduces time and costs.
• Sample / sample frame
• Representative
• Random
• Chosen by the auditor
• Permission sought
Audit Execution
The Audit Process
Gathering information
Validating the findings
Evaluating the findings
Internal Auditing Techniques
Audit Methods
Conduct on-Site Audit Activities
• Conduct opening meeting
• Communicate during the audit
• Explain roles and responsibilities
of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct closing meeting
BCMS-Internal-Auditor-Course-ppt [Autosaved].ppt
Opening Meeting
• Hold opening meeting with auditee top management and those
responsible for processes audited
• Meeting may be informal
• Chaired by team leader
• Audit team present
• Purpose is to confirm all prior arrangements
The Audit Triangle
• Observe (see what they actually do)
• Question (ask them what they do)
• Check (confirm evidence of conduct)
Collecting & Verifying Information
Sources of information -> collecting by appropriate sampling and verifying -> Audit evidence -> evaluating against the audit criteria -> Audit findings -> reviewing -> Audit conclusions
Auditing Process – Techniques to Obtain Audit
Evidence
Interview:
oPersonnel that manage, perform, and verify activities;
oAlso ensure they are responsible for the activity being audited;
oListen carefully to responses.
Observe:
o Identity, status, condition, processes, equipment, activities, environment, and
people.
Listen:
o Information from relevant authority and that it is verifiable.
Sources of Information
• Interviews
• Documents (procedures, instructions,
specifications, etc)
• Records
• Data Summaries (analysis and performance)
• Reports (customer feedback, supplier ratings)
• Databases
• Observations (of activities and conditions)
Conducting Interviews
Interviews are an important means of collecting information
and should be carried out in a manner adapted to the
situation and the person interviewed
• May start with asking the auditee
to describe the work
• Avoid misleading questions
• Listen carefully & make notes
• Summarize the results of interview
& discuss with auditee
Questions
• Open questions
- Encourage auditee to speak
• Probing questions
• Closed questions
Questions should be asked like a funnel – starting
with open questions and ending with closed
questions
Questioning Techniques
• Hypothetical
• Obvious
• Answered
• Repetitive
• Non-verbal
Open Questions
Six friends (to gather information) – Rudyard Kipling's "six honest serving-men" from The Elephant's Child:
• Who (does it)
• What (is done)
• Where (is it done)
• Why (is it done)
• When (does it get done)
• How (is it done; often is it done)
And seventh friend (For verification)
• Show me
7 Tips for Interviewing
• Use appropriate types of question
• Adopt a logical approach
• Follow a natural sequence
• Actively listen to what is being said
• Use silence appropriately
• Seek clarification, where necessary
• Verify responses, where necessary
Documents
• Policy & Objectives
• Plans
• Policies and procedures / instructions
• Specifications/ drawings
• Contracts/ Orders
• Licenses/ permits
Review documents which describe activities, plans,
controls,
Strategies and tests
Records
Records are evidence of an activity performed
• Test records
• Training records
• Performance monitoring records
• Audit Report
• Management Review – Minutes of Meetings
• Non-conformance records
• Customer Satisfaction records
• Vendor performance evaluation records
and ……………………………
Observations
Observations of :
• Activities being performed
• Housekeeping
• Condition of infrastructure and
hardware
• Work environment
Control of the Audit
• Checklist is a servant not a master
• Audit the complete scope
• If potential audit trails appear, decide:
• disregard
• note for later
• follow up immediately
• Might affect the sample size
• Might affect the audit programme
Notes
Recording the objective evidence:
• Admissible statements (Quotes and statements)
• Document / Record numbers and issue/revision
levels
• Identifiers (Product identification)
• Surroundings
• Name of auditee or preferably job titles
• Issues which may impact other functions
Mental Notes
•Workload
•Employee behaviour
•Management approach
•Organization culture
•Reactions
Notes
• Notes are evidence of the professionalism of the auditor
• Evidence of sample size and observation
• Should be legible & retrievable
• Shall be an input to the audit report
• May be used for further investigation &
subsequent audits
Verify Facts
• Discuss concerns with auditee
• Auditee may provide correct information
• Record all the evidence in detail
• Establish why a nonconformity or otherwise & who
(preferably by job title)
• Audit focus must be on conformity and effectiveness,
not on finding nonconformities
Therefore, auditors must be competent in –
• Reasoning of nonconformities
• Evaluating effectiveness of corrective action
Good Practices
• Ask the right person - the person with the responsibility for
what it is you are auditing
• Don't talk down or be rude/sarcastic
• Ensure questions are clear and understood - avoid jargon,
use plain and simple language, rephrase the question if not
understood.
• Do not confuse, ask one question at a time.
• Allow time for auditee to answer any questions you ask
• Do not take sides, stay impartial, do not jump to conclusions;
always look for the evidence
• Be polite at all times, regardless of any provocation you may
encounter
Handling Difficult Situations
Behaviours an auditor may meet:
• Time wasting
• Discrimination
• Hostility
• Avoidance
• Finger-pointing
• Undermining
• Deception
• Obstruction
• Usurping control
• Flattery
Examples:
• Cannot find document
• Uncooperative auditee
• Noisy environment
• Long telephone calls
• Unprepared auditee
• Constant interruptions
• Provocation
• Long-winded auditees
• Interdepartmental or personality conflicts
• Diversionary tactics
• Language barriers
• Boastful auditee
• Auditee called away
• Volunteered information
What to Look for during Internal Audit?
3 key aspects of a process:
• Conformance
• Effectiveness
• Improvement
Conformance Auditing
Audit trail: BCMS Manual -> Procedure -> Activities -> Records
Conformance
• Conformance is the basic principle.
• Compare the actual activities against the audit criteria: what shall be done vs. what is actually done.
In other words, "do what you have written down, and record what you have done."
Process Audits
A process turns INPUT into OUTPUT; audit it by asking four questions:
• WHY? (target, measurement & improvement)
• WITH WHO? (responsibility, competency)
• HOW? (procedures & methods of control)
• WITH WHAT? (equipment, material resources)
4 Questions about a Process
• WHO – responsibility, authority and competencies required
• WHAT – kinds of resources needed to perform the process
• WHY – objective/target for the process, plus measurement & improvement
• HOW – control methods to achieve the desired results
Audit
Reporting
Nonconformity
• Non fulfilment of a requirement
• Specified requirements:
• Company policies and procedures
• ISO 22301 standard requirements
• legal requirements
• Contractual agreements
Nonconformity
• The objective of internal audit is to assess the status
of the System from the point of view of adequacy of
documents (Intent), compliance and effectiveness.
• Non conformities could arise out of two reasons:
- System deficiencies
- Human slip ups
Internal audits should be aimed at
identifying system deficiencies
Reporting Categories
Categories such as Non-conformance or Non-
compliance represent a “non-fulfilment of a specified
requirement”, and for many organisations are given the
highest priority when determining corrective actions.
A lower priority is often given to Observations or Areas
Requiring Attention. These findings are recognised as
being of lower risk to the organisation.
Minor Non-conformance
• Violation or failure to meet a requirement of the
standard
• Any minor lapse in the system
• Examples
- Training not planned for two employees from the Customer Care Department
- Background verification not done for employees x, y and z prior to hiring
Major Non-conformity
• Complete absence or total breakdown of any clause
of the standard(s)
• Complete non-compliance of company policy or
procedure
• Non-compliance of legislative requirement
• A number of nonconformities leading to system
breakdown
• Examples
- Management review has not been conducted for more than a year.
- Business continuity Policy not defined
Consider the Seriousness
Three questions to be answered
1. What could go wrong if the nonconformity remains
uncorrected?
2. What is the likelihood of such a thing going wrong?
3. How likely is it to be detected if it did go wrong?
A nonconformity with moderate consequences but
High probability could be a Major
A nonconformity with serious consequences but
with negligible probability could be a Minor
Observation
Observation or Opportunity for Improvement (OFI)
is a situation where there is a weakness where there is
not enough evidence for a nonconformity/issue, but if
allowed to remain, could result in a nonconformity/issue
Non-Conformance statements must be:
CLEAR
CONCISE
SUPPORTED BY EVIDENCE
BASED ON FACTS
Writing Statements of
Nonconformity
• Use auditee’s terminology
• Make it retrievable
• Must be factual
• Make it complete
• Make it concise
Documentation of audit findings
Audit Execution – Audit Findings
o Positive finding
o Observation
o Nonconformity
• Minor
nonconformity
• Major
nonconformity
Audit Reporting
Audit Execution – Audit Findings
Audit Finding
Audit findings must be recorded so that they are reproducible, and should include the objective evidence that supports them.
Recording Non Conformance
•Factual observation (What)
•Identified location (Where)
•Established criteria (Why & how)
•Person involved (where
unavoidable) Who?
Writing Statements of Nonconformity
Nonconformity Statement (1)
Case Study:
An organization operates in the financial sector and has implemented a BCMS. During the audit, it was discovered that the organization failed to identify regulatory authorities as an interested party and had not considered specific compliance requirements in its business continuity planning.
Nonconformity:
The organization did not identify all relevant interested parties and their needs, contrary to clause 4.2 of ISO 22301.
Clause Violated: 4.2 (Understanding the Needs and Expectations of Interested Parties).
Corrective Action:
- Update the stakeholder analysis to include all relevant regulatory authorities.
- Conduct a review of the applicable compliance requirements related to business continuity.
- Integrate these requirements into the BCMS and ensure periodic review.
Nonconformity Statement (2)
Incomplete Scope Definition
Case Study:
A manufacturing organization's BCMS only covered operations at its headquarters, excluding critical manufacturing facilities without justification. This was discovered during an external audit.
Nonconformity:
The organization failed to define a comprehensive and justifiable BCMS scope by not including critical manufacturing facilities and not justifying the exclusions, as required by ISO 22301 clause 4.3.
Clause Violated: 4.3 (Determining the Scope of the BCMS).
Corrective Action:
- Reassess and redefine the scope of the BCMS, ensuring it includes all critical facilities.
- Conduct a risk assessment for the excluded sites to determine their impact on business continuity.
- Update and communicate the new scope document to all relevant stakeholders.
Case Study: Weak Physical Access Controls
Scenario: During an internal audit, it was observed that server rooms were left unlocked, and unauthorized personnel had access to sensitive areas.
Nonconformity Statement: Physical access controls to sensitive locations were insufficient, compromising the confidentiality, integrity and availability of information assets, contrary to clauses 7.5, 8.3 and 8.4.3.
Actionable Measures:
- Implement secure access control systems for sensitive areas (e.g., server rooms).
- Train staff on physical security protocols and enforce compliance.
- Conduct regular checks and audits to ensure sensitive areas are secured at all times.
- Document and address risks identified during internal audits.
- Periodically review physical security measures.
These controls support conformity with ISO 22301 and enhance organizational resilience.
Nonconformity Statement (3)
Insufficient Testing of Business Continuity Plans
Case Study:
An audit of a logistics company revealed that while business continuity plans were in place, they had not been tested in the last 18 months, contrary to the organization's procedures requiring annual testing.
Nonconformity:
The organization failed to conduct regular testing of its business continuity plans, contrary to clause 8.5 of ISO 22301.
Clause Violated: 8.5 (Exercise and Testing).
Corrective Action:
- Develop a schedule for regular testing of business continuity plans.
- Conduct an immediate test of the plans and document the results.
- Implement a tracking system to ensure future tests are carried out on time.
Ethos of Auditing
• Positive approach
• Aim to help improve system
• Don’t look for blame
• Aid identification of solutions
Audit Report
• Date
• Process/Area of Audit
• Auditor(s)
• Auditee
• NCR
• Root cause
• Proposed Corrective Action
• Corrective Action taken
• Verification of effectiveness of corrective action
• Review
Reporting
After Audit Report is generated , Auditor
• Submits report to auditee
• Gets auditee to agree on nonconformance
• Agrees dates for corrective action
• Ensures that action is taken effectively
Audit Closing
Preparing Audit Conclusions
Audit team confer prior to the closing meeting:
• Scheduling of the audit plan
• To plan for closing meeting
• Purpose is to:
 Review audit findings and other information
 Agree on audit conclusions
• To prepare the audit report and
recommendations If included in audit plan, to
discuss audit follow-up
Audit Report
Prepare, Approve & Distribute
1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan – dates, places, areas
audited and timing
7. Summary of audit process
8. Audit Summary
9. Uncertainty due to sampling
Audit Report
Prepare, Approve & Distribute
10.Nonconformity reports
11.Recommendation
12.Obstacles encountered
13.Any areas in audit scope not covered
14.Any unresolved issues between the auditee and
team
15.Confirmation that audit objectives accomplished
16.Confidentiality statement
17.Distribution list
Audit Report
Distribution
• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved
as per
procedures
•Distribute to recipients designated by audit client
•Report is property of audit client
•Recipients and audit team must respect the confidentiality
of the report
Completing the Audit
•Audit is complete when all activities in audit plan
have been carried out and audit report is distributed
•Maintain or dispose of audit documents based on
contractual,
regulatory, and audit program procedures
•Maintain confidentiality of audit documents,
information, and report
•Notify audit client and auditee ASAP if
disclosure of audit information is required.
Closing Meeting
•Hold closing meeting to present audit findings and conclusions
•Cover situations encountered during audit that may decrease
reliance on audit conclusions
•Discuss and resolve diverging audit findings and conclusions
•Keep a record if not resolved
•Provide recommendations for improvement where specified by
audit objectives
•Keep minutes and attendance records
•Will normally be informal for internal audits
Completing the Audit
Conducting the Follow-up
•Audit conclusions may require corrective, preventive, or
improvement actions
•Auditee decides and carries out these actions within agreed
timeframe
•These actions are not part of the audit
•An audit team member should verify the completion and effectiveness of the actions taken
•This verification may be part of a subsequent audit
•Maintain independence in subsequent audit activities
Conducting Audit Follow-up
The auditor is responsible for :
Identifying the nonconformance
and
Closing the nonconformance
Conducting Audit Follow-Up
At the conclusion of the follow up audit, the auditor must
make a conclusion as to the completion and effectiveness
of the previously proposed corrective actions :
 Has the action been taken and has it been effective?
 Has the action not been taken or is it incomplete?
 Has the action been taken but is ineffective?
Follow-up Action
Step                                      Responsible
Receive NCR                               Auditee
Identify root cause                       Auditee
Corrective action plan prepared           Auditee
Evaluates response                        Auditor
Implements plan                           Auditee
Evaluates effectiveness                   Auditee
Revises plan if necessary                 Auditee
Documents the changes                     Auditee
Verifies implementation & effectiveness   Auditor
Records are made of all actions taken.
Corrective Action Analysis Using the 5 Whys Technique
Nonconformity: There is no documented evidence that employees have been trained on the organization's Business Continuity Policy.
Clause Violated: ISO 22301:2019 Clause 7.2 (Competence)
5 Whys Analysis
1. Why was the nonconformity identified?
   Employees were unaware of the Business Continuity Policy requirements.
2. Why were employees unaware of the policy requirements?
   Training sessions on the policy were not conducted for all staff.
3. Why were training sessions not conducted?
   The training program for new and existing staff was not formally scheduled.
4. Why was the training not scheduled?
   There was no clear assignment of responsibility for organizing the training.
5. Why was responsibility for training not assigned?
   The BCMS implementation team failed to define and document training responsibilities as part of the BCMS processes.
Corrective Action Plan
Immediate Action:
- Organize and deliver an emergency training session for all employees on the Business Continuity Policy.
- Circulate the policy document via email and provide an acknowledgment form for all employees to confirm receipt and understanding.
Root Cause Addressed:
- Update the BCMS documentation to include specific roles and responsibilities for organizing training programs.
- Develop a formal training schedule to ensure all staff receive training on BCMS policies and procedures at onboarding and during annual refreshers.
Preventive Action:
- Establish a monitoring process to verify that all employees attend scheduled training and complete acknowledgment forms.
- Incorporate a competency evaluation into performance reviews to ensure staff understand and comply with BCMS requirements.
Responsible Party:
- The BCMS Manager is responsible for updating the BCMS documentation and monitoring training compliance.
- The HR Department will maintain training records and schedules.
Timeline:
- Emergency training: completed within 2 weeks.
- Updated BCMS documentation and training schedule: completed within 1 month.
Nonconformity:
Backup data for critical systems is not tested periodically to verify its integrity and recoverability.
Clause Violated:
ISO 22301:2019 Clause 8.5 (Exercise programme)
5 Whys Analysis
1. Why was the nonconformity identified?
   No evidence exists to demonstrate that backups are tested periodically for integrity and recoverability.
2. Why are backups not tested periodically?
   There is no defined procedure for scheduling and conducting backup testing.
3. Why is there no defined procedure?
   The BCMS documentation does not include a policy or process for backup testing requirements.
4. Why does the BCMS documentation lack a process for backup testing?
   The backup testing requirement was overlooked during the BCMS risk assessment and implementation phase.
5. Why was the requirement overlooked during the risk assessment?
   The risk assessment team did not involve IT administrators with expertise in system backup and recovery when defining BCMS controls.
Corrective Action Plan
Immediate Action:
o Conduct an immediate test of the backup system to verify data integrity and recoverability.
o Document the results and address any failures identified during the test.
Root Cause Addressed:
o Update the BCMS documentation to include a formalized procedure for periodic backup testing.
o Define roles and responsibilities for scheduling and conducting these tests.
o Revise the BCMS risk assessment process to ensure the involvement of all relevant stakeholders, including IT administrators, when identifying controls.
Preventive Action:
o Implement automated reminders for periodic backup testing.
o Assign specific personnel to oversee compliance with the backup testing schedule.
o Provide training for the IT team and BCMS committee on the importance of backup testing and the process for conducting and documenting it.
Responsible Parties:
o BCMS Manager: Update BCMS documentation and ensure compliance with backup testing procedures.
o IT Department: Conduct backup testing, document results, and maintain compliance records.
Timeline:
o Conduct immediate backup testing: Within 1 week.
o Update BCMS procedures and complete stakeholder training: Within 1 month.
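The backup-testing nonconformity above turns on two kinds of evidence: that a restore actually reproduces the backed-up data, and that such tests happen on schedule for every critical system. The following is an added example, not part of the course material, of how an IT department or auditor could produce both checks from a backup manifest and a test log; the system names, file names, log format and 30-day interval are constructed assumptions.

```python
"""
Added example (not from the course slides): a small verifier for the
backup-testing evidence an auditor asks for under ISO 22301 Clause 8.5.
Two checks:
  1. integrity   - recompute SHA-256 of restored files and compare them with
                   the manifest recorded when the backup was taken
  2. periodicity - every critical system needs a PASS restore test within the
                   interval the BCMS procedure defines
All data below is constructed; system names, file names and the 30-day
interval are assumptions, not values from the course.
"""
import hashlib
from datetime import date, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the files as they were when the backup was taken, and the
# manifest (path -> SHA-256) written alongside the backup.
ORIGINAL_FILES = {
    "db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);\n",
    "db/orders.sql": b"CREATE TABLE orders (id INT, customer_id INT);\n",
    "config/app.yaml": b"rto_hours: 4\nrpo_hours: 1\n",
}
MANIFEST = {path: sha256_hex(data) for path, data in ORIGINAL_FILES.items()}

# Constructed: what came back from a restore test. One file is truncated and
# one is missing, which is exactly what a recoverability test should surface.
RESTORED_FILES = dict(ORIGINAL_FILES)
RESTORED_FILES["db/orders.sql"] = b"CREATE TABLE orders (id INT, cust"
del RESTORED_FILES["config/app.yaml"]


def verify_restore(manifest: dict, restored: dict) -> list:
    """Integrity check: return sorted findings; an empty list means the
    restored set matches the manifest file for file."""
    findings = []
    for path, expected in manifest.items():
        data = restored.get(path)
        if data is None:
            findings.append(f"MISSING {path}")
        elif sha256_hex(data) != expected:
            findings.append(f"HASH MISMATCH {path}")
    for path in restored:
        if path not in manifest:
            findings.append(f"UNEXPECTED {path}")
    return sorted(findings)


# Constructed: the IT department's backup test log, one record per test,
# in the form date,system,result,note
TEST_LOG = [
    "2024-03-02,ERP,PASS,restore to staging; checksums matched",
    "2024-04-01,ERP,PASS,restore to staging; checksums matched",
    "2024-01-15,CRM,PASS,full restore; application started",
    "2024-03-20,Payroll,FAIL,restore aborted; tape unreadable",
]
CRITICAL_SYSTEMS = ["ERP", "CRM", "Payroll", "Email"]


def parse_test_log(lines):
    """Parse log lines into (date, system, result, note) tuples."""
    records = []
    for line in lines:
        day, system, result, note = line.split(",", 3)
        records.append((date.fromisoformat(day), system.strip(),
                        result.strip().upper(), note.strip()))
    return records


def overdue_systems(records, critical, as_of, max_age_days=30):
    """Periodicity check: map each critical system that has no PASS test
    inside the last max_age_days to the reason it would be raised."""
    last_pass = {}
    for day, system, result, _ in records:
        if result == "PASS" and (system not in last_pass or day > last_pass[system]):
            last_pass[system] = day
    cutoff = as_of - timedelta(days=max_age_days)
    findings = {}
    for system in critical:
        if system not in last_pass:
            findings[system] = "no passing restore test on record"
        elif last_pass[system] < cutoff:
            findings[system] = (f"last passing test {last_pass[system].isoformat()} "
                                f"is older than {max_age_days} days")
    return findings


if __name__ == "__main__":
    for finding in verify_restore(MANIFEST, RESTORED_FILES):
        print("integrity:", finding)
    audit_date = date(2024, 4, 15)  # constructed audit date
    for system, reason in overdue_systems(parse_test_log(TEST_LOG),
                                          CRITICAL_SYSTEMS, audit_date).items():
        print(f"periodicity: {system}: {reason}")
```

A clean run of both checks, kept with the dated log, is the documented evidence the nonconformity says is missing; the findings list is what the IT department would address and record.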
• Clause 4: Context of the Organization
Audit Focus Points:
o Identification and documentation of internal and external issues affecting Business continuity (Clause 4.1).
o Identification of interested parties and their needs/expectations, particularly legal, regulatory, and contractual obligations (Clause 4.2).
o Proper definition and documentation of the BCMS scope, reflecting boundaries and applicability (Clause 4.3).
o Consistency between the scope and the organization's business objectives.
• Clause 5: Leadership
Focus Points:
o Top management’s commitment to the BCMS, including leadership support, resource allocation, and accountability (Clause 5.1).
o Establishment and communication of a Business continuity policy that aligns with strategic objectives (Clause 5.2).
o Assignment of roles, responsibilities, and authorities for Business continuity, ensuring clarity and competence (Clause 5.3).
• Clause 6: Planning
Focus Points:
o Identification of risks and opportunities related to Business continuity, ensuring they are properly documented and assessed (Clause 6.1.1).
o Development and implementation of a risk assessment process aligned with the organization’s risk acceptance criteria (Clause 6.1.2).
o Properly documented and actionable Business continuity objectives, with measurable targets and timeframes (Clause 6.2).
o Evidence that risk treatment plans effectively mitigate identified risks.
• Clause 7: Support
Focus Points:
o Availability of sufficient resources for BCMS implementation and maintenance (Clause 7.1).
o Competence of personnel involved in BCMS operations and evidence of training programs (Clause 7.2).
o Awareness among employees of their responsibilities regarding BCMS policies and objectives (Clause 7.3).
o Internal and external communication mechanisms for Business continuity issues, including documented communication processes (Clause 7.4).
o Control and adequacy of BCMS documentation and its updates (Clause 7.5).
• Clause 8: Operation
Focus Points:
o Proper execution of risk treatment plans and operational controls (Clause 8.1).
o Documentation and evidence of Business continuity processes aligning with planned outcomes.
o Procedures for responding to Business continuity incidents, including containment, investigation, and remediation.
• Clause 9: Performance Evaluation
Focus Points:
o Implementation and effectiveness of monitoring, measurement, analysis, and evaluation methods for BCMS performance (Clause 9.1).
o Evidence of regular and impartial internal BCMS audits, including reports and corrective actions (Clause 9.2).
o Management reviews of the BCMS to ensure continued alignment with business and Business continuity objectives (Clause 9.3).
• Clause 10: Improvement
Focus Points:
o Effectiveness of corrective actions to address identified non-conformities, including root cause analysis (Clause 10.1).
o Continuous improvement initiatives for BCMS processes and controls (Clause 10.2).
• General Auditor Actions Across Clauses
o Evaluate Documentation: Ensure all required policies, procedures, and records are in place and regularly updated.
o Check for Evidence: Verify implementation with objective evidence such as meeting minutes, training records, SoA, risk assessments, and incident logs.
o Interview Personnel: Confirm understanding and application of BCMS processes among employees.
o Assess Compliance: Confirm compliance with legal, regulatory, and contractual requirements.
o Review Corrective Actions: Validate that previous audit findings have been adequately addressed.
• Importance of Clause-Specific Focus
By addressing each clause systematically, the auditor ensures that the BCMS not only complies with ISO 22301:2022 requirements but also effectively protects the organization's information assets. This approach highlights weaknesses, strengthens security postures, and facilitates continuous improvement.
Thank You
Working Together For Better Environment.
BCMS-Internal-Auditor-Course-ppt [Autosaved].ppt

More Related Content

PPTX
ISO 9001 Internal Auditor PPT.pptx Quality management system
PPTX
ISO 9001 2015 INTERNAL AUDIT PRESENTATION COMET PORTHARCOURT.pptx
PPTX
Iso 9001:2015 internal auditor Course
PPTX
iso 9001 2015 interna audit presentation.pptx
PPTX
ISO INTERNAL AUDIT AWARENESS REFRESHER.pptx
PPTX
Tqm quality audit
PPTX
QMS - Quality Management System - Internal Quality Auditor - ISO 9001:2008
PPT
Intro to ISO
ISO 9001 Internal Auditor PPT.pptx Quality management system
ISO 9001 2015 INTERNAL AUDIT PRESENTATION COMET PORTHARCOURT.pptx
Iso 9001:2015 internal auditor Course
iso 9001 2015 interna audit presentation.pptx
ISO INTERNAL AUDIT AWARENESS REFRESHER.pptx
Tqm quality audit
QMS - Quality Management System - Internal Quality Auditor - ISO 9001:2008
Intro to ISO

Similar to BCMS-Internal-Auditor-Course-ppt [Autosaved].ppt (20)

PPTX
IMS INTERNAL AUDIT , DANGOTE FERTILIZER & CEMENT.pptx
PPTX
Internal Audit Training with different .pptx
PDF
How to Perform a Successful Internal Quality Audit
PPTX
QMS Training Regarding Awareness Build Up
PPT
Internal Process Audit
PPTX
Fundamentals of Information Security Audit.pptx
PPT
Auditing Management systems based on ISO19011 By Eng. Karam Malkawi - Jordan
PDF
ISO 9001 Quality Management Systems: Implementation and Integration
PPTX
430875912-Conduct-of-Baseline-Assessment-of-Internal-Control-System.pptx
PPTX
PRESENTATION QA Lucky Udit.pptx document maintenance in pharmacheutical industry
PPTX
Auditing in QA and Engineering department.pptx
PPTX
iso-90012015-internal-auditor-course.pptx
PDF
SAI Global Webinar: Tips for Effective Internal Auditing
PPTX
Internal Audit 03-03-16
PPTX
Iso Internal Auditor
PPTX
Internal_Audit_Presentation.pptx
PDF
Auditing Principles
PDF
Webinar-ISO-9001-Back-to-Basics-Internal-Auditing
PDF
Internal audit
PPT
internal audit introduction-15042024.ppt
IMS INTERNAL AUDIT , DANGOTE FERTILIZER & CEMENT.pptx
Internal Audit Training with different .pptx
How to Perform a Successful Internal Quality Audit
QMS Training Regarding Awareness Build Up
Internal Process Audit
Fundamentals of Information Security Audit.pptx
Auditing Management systems based on ISO19011 By Eng. Karam Malkawi - Jordan
ISO 9001 Quality Management Systems: Implementation and Integration
430875912-Conduct-of-Baseline-Assessment-of-Internal-Control-System.pptx
PRESENTATION QA Lucky Udit.pptx document maintenance in pharmacheutical industry
Auditing in QA and Engineering department.pptx
iso-90012015-internal-auditor-course.pptx
SAI Global Webinar: Tips for Effective Internal Auditing
Internal Audit 03-03-16
Iso Internal Auditor
Internal_Audit_Presentation.pptx
Auditing Principles
Webinar-ISO-9001-Back-to-Basics-Internal-Auditing
Internal audit
internal audit introduction-15042024.ppt
Ad

More from JustinNickaf3 (20)

PPTX
Detailed intepretation of Clause 10 ISO 22000 2018.pptx
PPTX
Detailed Explanation of Clause 6 of ISO 22000 2018 with Implementation Strate...
PPTX
ISO_31000_Clause_5_2.pptxManagement leadership and commitment
PPTX
ISO_30414_Complete_11_Domains_HR_Metrics_Presentation (1).pptx
PPTX
ISO_22301_Clause_by Clause Explained.pptx
PPTX
LEADERSHIP AND COMMITMENT C WAY TOP MANAGEMENT.pptx
PPTX
Quality Management in Oil Spill Response Clean-up and.pptx
PPTX
ISO 31000 2018 PRESENTATION.pptrisk management principles and frameworkx
PPTX
BUILDING A CULTURE OF QUALITY AT PTI.pptx
PPTX
ISO 15189-2022 MEDICAL LABORATORIES.pptx
PPTX
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
PPTX
ISO 22000 2022.pptxDifference between FSSC 22000 and ISO 22000
PPTX
ISO 22301 Business Continuity Management System.pptx
PPTX
ISO-22301-Presentation Business Continuity Management System latest.pptx
PDF
ISO 27001_2022- Audit and Auditing Guidelines.pdf
PPTX
AUDITING RISK & HIRA REGISTERS.Hazards and Risk identification and analysispptx
PPTX
iso15189-2022.pptxDear Honorable Dan Amos, I hope this message finds you in ...
PPTX
USED VEHICLE INSPECTION SCHEME FOR IMPORTATION OF USED VEHICLES INTO NIGERIA...
PPTX
ISO 22301 Business Continuity Management System.pptx
PPTX
RECOVERY TIME OBJECTIVE IN ISO 22301.pptx
Detailed intepretation of Clause 10 ISO 22000 2018.pptx
Detailed Explanation of Clause 6 of ISO 22000 2018 with Implementation Strate...
ISO_31000_Clause_5_2.pptxManagement leadership and commitment
ISO_30414_Complete_11_Domains_HR_Metrics_Presentation (1).pptx
ISO_22301_Clause_by Clause Explained.pptx
LEADERSHIP AND COMMITMENT C WAY TOP MANAGEMENT.pptx
Quality Management in Oil Spill Response Clean-up and.pptx
ISO 31000 2018 PRESENTATION.pptrisk management principles and frameworkx
BUILDING A CULTURE OF QUALITY AT PTI.pptx
ISO 15189-2022 MEDICAL LABORATORIES.pptx
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
ISO 22000 2022.pptxDifference between FSSC 22000 and ISO 22000
ISO 22301 Business Continuity Management System.pptx
ISO-22301-Presentation Business Continuity Management System latest.pptx
ISO 27001_2022- Audit and Auditing Guidelines.pdf
AUDITING RISK & HIRA REGISTERS.Hazards and Risk identification and analysispptx
iso15189-2022.pptxDear Honorable Dan Amos, I hope this message finds you in ...
USED VEHICLE INSPECTION SCHEME FOR IMPORTATION OF USED VEHICLES INTO NIGERIA...
ISO 22301 Business Continuity Management System.pptx
RECOVERY TIME OBJECTIVE IN ISO 22301.pptx
Ad

Recently uploaded (20)

PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
PPTX
PPH.pptx obstetrics and gynecology in nursing
PDF
Anesthesia in Laparoscopic Surgery in India
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PDF
O7-L3 Supply Chain Operations - ICLT Program
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
PPTX
Microbial diseases, their pathogenesis and prophylaxis
PPTX
Institutional Correction lecture only . . .
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
PDF
Complications of Minimal Access Surgery at WLH
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
PPTX
Cell Types and Its function , kingdom of life
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
PPTX
GDM (1) (1).pptx small presentation for students
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
PPTX
Final Presentation General Medicine 03-08-2024.pptx
STATICS OF THE RIGID BODIES Hibbelers.pdf
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
PPH.pptx obstetrics and gynecology in nursing
Anesthesia in Laparoscopic Surgery in India
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
O7-L3 Supply Chain Operations - ICLT Program
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
Microbial diseases, their pathogenesis and prophylaxis
Institutional Correction lecture only . . .
Abdominal Access Techniques with Prof. Dr. R K Mishra
Renaissance Architecture: A Journey from Faith to Humanism
Complications of Minimal Access Surgery at WLH
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
Cell Types and Its function , kingdom of life
O5-L3 Freight Transport Ops (International) V1.pdf
GDM (1) (1).pptx small presentation for students
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
Final Presentation General Medicine 03-08-2024.pptx

BCMS-Internal-Auditor-Course-ppt [Autosaved].ppt

  • 1. Committed to Systems Committed to Systems Internal BCMS Auditor Course COMS
  • 2. What is ISO Audit? 1 Types of Audits Certification 2 Principles of audit 3 Agenda 4 Audit stages 6 Introduction Controls 5 Audit scenerios
  • 3. What is ISO Audit & what it includes?
  • 4. Course Structure • Tutorial sessions • Practical exercises • Quiz • Examination
  • 5. Committed to Systems Committed to Systems Concepts & Principles of Auditing
  • 6. Audit Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. ISO 9000:2015
  • 7. Audit terms definition • . Auditee  Definition: The organization being audited. (Clause 3.7 of ISO 19011:2018) • . Client  Definition: The organization or person requesting an audit. (Clause 3.8 of ISO 19011:2018) • 4 Audit Criteria  Definition: A set of policies, procedures, or requirements used as a reference against which objective evidence is compared. (Clause 3.2 of ISO 19011:2018)
  • 8. • . Objective Evidence  Definition: Data supporting the existence or verity of something. It can be qualitative or quantitative and is gathered during the audit. (Clause 3.3 of ISO 19011:2018) • . Audit Programme  Definition: Arrangements for a set of one or more audits planned for a specific timeframe and directed towards a specific purpose. (Clause 3.4 of ISO 19011:2018) • . Audit Plan  Definition: A description of the activities and arrangements for an audit. (Clause 3.5 of ISO 19011:2018)
  • 9. Audit Scope  Definition: The extent and boundaries of an audit, such as locations, functions, activities, and processes to be audited. (Clause 3.6 of ISO 19011:2018) . Audit Team  Definition: One or more auditors conducting an audit, supported if needed by technical experts or observers. (Clause 3.9 of ISO 19011:2018) Auditor  Definition: A person with competence to conduct an audit. (Clause 3.10 of ISO 19011:2018) . Risk-Based Thinking in Audits  Definition: Consideration of risks and opportunities relevant to achieving the audit objectives and ensuring a focused and efficient audit process. (Implied within ISO 19011's approach to planning and conducting audits)
  • 10. Objective Evidence • Data supporting the existence or verity of something – ISO 9000:2005 • May be obtained through - Records - Observation - Measurement or test - Stated or verbal • Can be verified
  • 11. Specified Requirements • Organization system requirements • Manuals • Policies & Procedures • ISO 22301 standard requirements • Legal requirements-statutory, regulatory or industry body
  • 12. Audit Purpose To collect objective evidence to permit an informed judgement about the status and effectiveness of the Business continuity management system.
  • 13. Principles of Auditing Principles relating to auditors: Ethical conduct Fair presentation Due professional care Confidentiality Principles relating to audit: Independence Evidence-based approach Risk based thinking
  • 14. Principles of Auditing Ethical Conduct A • Trust, integrity, confidentiality, discretion Fair Presentation A • Audit findings and conclusions are accurate and truthful Due Professional Care A • Exercise care according to the confidence placed in them by their clients • Competence is essential Independence P • Auditors are independent of the activities being audited and are free from bias or conflict of interest • Conclusions will be objective and based only on audit evidence Evidence-Based Approach P • Audit evidence is based on samples of information • Conclusions are verifiable Risk based thinking p emphasizes identifying and assessing risks, evaluating the adequacy of controls, and ways to mitigate risks and enhance opportunities
  • 15. Conformity vs. Compliance Conformity: • Fulfillment of a requirement • Nonconformity can lead to suspension or revocation of registration • Voluntary Compliance: • Fulfillment of legal/statutory requirements • Noncompliance can lead to fines/incarceration • Mandatory
  • 16. Types of Audit • Internal audits are conducted by, or on behalf of an organization (audit client) itself. • External provider audit; • Other external interested party audit. • Certification and /or accreditation audit; • Statutory, regulatory and similar audit.
  • 17. Other Types of Audit • Pre-assessment • Certification • Surveillance • Process • Product
  • 18. Reasons for Internal Audits • Requirement of all management system standards • Source of information for use by management • Powerful tool for continual improvement through: • Employee involvement • Communication • Employee awareness, etc.
  • 19. Benefits of Auditing • Verifies conformity to requirements • Increases awareness and understanding • Provides a measurement of effectiveness of the system to management • Reduces risk of system failure • Identifies improvement opportunities • Precipitates the corrective action cycle • Precipitates the preventive action cycle
  • 20. Audit Process - Overview Key Stages in the Internal Auditing process PERC Closing Reporting Execution Planning
  • 21. Overview of typical audit activities Initiating the audit Conducting document review Preparing, approving & distributing the audit report Completing the audit Conducting audit follow up 1. Planning for the audit 2. Exeution/Conducting the audit 3. Reporting the audit 4. Corrective action & follow-up 21 Preparing for the on-site audit activities Conducting on-site audit activities
  • 22. Overview of typical audit activities Initiating the audit -Appoint the audit team leader - defining audit objectives, scope & criteria - determining the feasibility of the audit - selecting the audit team - establishing initial contact with the auditee Conducting document review - reviewing relevant management system documents, including records, and determining their adequacy with respect to audit criteria. Preparing for the on-site audit activities - preparing the audit plan - assigning work to the audit team - preparing work documents Planning the Audit 1 22
  • 23. Overview of typical audit activities Conducting on-site audit activities - conducting opening meeting -communication during audit -roles and responsibilities of guides and observers -collecting and verifying information -generating audit findings -preparing audit conclusions -conducting closing meeting Conducting on-site audit activities 2 23
  • 24. Committed to Systems Committed to Systems Audit Planning & Preparation
  • 25. Audit Planning • Audit Schedule • Audit Checklist
  • 26. Audit Schedule Audit Schedule is based on : • Frequency of audit (as mentioned in procedure) • Processes/ area to be audited • Duration of audit • Qualified internal auditors • Audit Team to have applicable technical expertise • Independence of audit team (Cross functional audit)
  • 27. Audit Schedule-1 P = Planned A = Additional Processes J F M A M J J A S O N D Marketing P P P P P A P P P IT Technology P A System Administration P HR A P Administration P
  • 28. Audit Schedule - 2 Day 1 Time Processes Auditors 1000 – 1300 Software Dev A & B Real Estate Dev C & D 1400 - 1700 BPO E & F Educational Portal G & H Day 2 1000 – 1300 Executive Search I & J IT K & L 1400 - 1700 HR M & N Administration O & P cc : To all Department Heads and Auditors
  • 29. Checklists Checklist or Aide Memoir s a systematic set of questions/ prompts about the auditee’s IMS system, which enable the auditor to maintain a consistent approach, and to ensure that no important points are missed. A checklist should not be a list of questions to ask the auditee. It is simply a “prompt” for aspects of the system which require review
  • 30. Checklists Checklists may be : • Generic Or • Tailored
  • 31. Check-lists  Aide memoire  Concise  Avoid tick sheets or standard  Should not take over audits  Useful for new auditors  Helps in time management  Can update or add on during course of audit  Can evolve over time. 31
  • 32. Checklists- Benefits A well constructed aide memoir will help to: • Keep audit objectives clear • Provide evidence of audit planning • Maintain audit pace and continuity • Reduce auditor bias • Reduce workload during audit
  • 33. Why Use Check-lists?  Ensures continuity and depth of audit  Ensures all relevant aspects are covered  Gives structure to interviews  Provides help if stuck  More professional. 33
  • 34. Checklist Drawbacks Checklists tend to lose value if they are: • Tick (√) lists • Questionnaires • Too focused • Inflexible Prepare them as aides-memoir
  • 35. Checklists Preparation - Inputs • Company Policies and Procedures • Process information • Customer requirements • Applicable legal requirements • Codes of practice • Management priorities • Previous incidents and accidents • Previous audits reports • Known problems
  • 36. Sample Checklist Format Process/Deptt: Auditee: Auditor/s: Date: S.No. Requirements Standard Clause No. Objective Evidence
  • 37. Clause 4: Context of the Organization 4.1 Understanding the Organization and Its Context 1.Identification of Context o Has the organization identified external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the BCMS? o Are the identified issues documented and periodically reviewed? o How does the organization monitor changes in the identified issues? 2.Evidence o Is there evidence (e.g., meeting minutes, risk analysis, stakeholder reports) showing that the organization regularly assesses its context?
  • 38. 4.2 Understanding the Needs and Expectations of Interested Parties 1.Identification of Interested Parties o Has the organization identified all relevant interested parties (e.g., employees, customers, regulators, suppliers)? o Are their needs and expectations documented? 2.Requirements of Interested Parties o Has the organization determined which of these needs and expectations are relevant to the BCMS? o How are these requirements incorporated into the BCMS processes? 3.Monitoring and Review o Are mechanBCMS in place to monitor and review changes in the needs and expectations of interested parties? 4.Evidence o Is there documented evidence (e.g., stakeholder analysis, communication logs) of compliance with this requirement?
  • 39. 4.3 Determining the Scope of the BCMS 1.Defining the Scope o Is the scope of the BCMS defined based on internal and external issues and the requirements of interested parties? o Does the scope consider the organization’s legal, regulatory, and contractual obligations? 2.Boundaries of the BCMS o Are the boundaries and applicability of the BCMS clearly established (e.g., organizational units, locations, activities)? o How does the organization justify exclusions, if any, from the scope? 3.Evidence o Is there a documented statement of the BCMS scope (e.g., in the BCMS manual or policy)?
  • 40. 4.4 Business Continuity Management System 1.Establishment of the BCMS o Has the organization established, implemented, maintained, and continually improved a BCMS? o Are the processes and interactions required for the BCMS clearly defined? 2.Integration with Business Processes o Is the BCMS integrated with the organization’s broader business processes and strategy? o Are key roles and responsibilities for the BCMS defined? 3.Continual Improvement o Are mechanBCMS in place to ensure continual improvement of the BCMS? 4.Evidence o Is there documented evidence (e.g., process maps, roles and responsibilities matrices, performance monitoring data) supporting the implementation of the BCMS?
  • 41. Committed to Systems Committed to Systems Audit Execution
  • 42. Auditor’s role • Various roles of an auditor: • A catalyst • Management instrument • An interface with • suppliers • customers • colleagues • A ‘consultant’ (NOT 3rd Party)
  • 43. Some Attributes of a Good Auditor Open minded Diplomatic Decisive Perceptiv e Observan t Tenaciou s Self- reliant Ethical Any More?
  • 44. Auditor Qualification Auditors must be competent in – • Reasoning of nonconformities • Evaluating effectiveness of corrective action
  • 45. Managing Communications • Put auditee at ease • Ask questions and listen • Have the appropriate body language • Smile and show eye contact • Avoid interruptions • Avoid sarcastic & condescending remarks • Give praise and feedback • Acknowledge and show interest • Be tactful and polite • Show patience and understanding • Thank the auditee on completing the audit
  • 46. Personality Types • The Everything is Absolutely Fine • Stick to the Bare Facts • Detail, Detail, Detail • I Always Have the Right and Best Answer
  • 47. Managing Communications • Effective communication • Questioning • Listening • Body Language
  • 48. Resolving Differences • Types of conflict • Dealing with conflict
  • 49. Conduct of the Audit • Meet the auditee • Explain what you want to see • Sampling audit • Investigate to the depth necessary • No problems found, move on • Don’t keep on auditing until problems are found
  • 50. Sampling Why ?..............Reduces time and costs • Sample/ sample frame • Representative • Random • Chosen by the auditor • Permission sought
  • 51. Audit Execution The Audit Process Gathering information Validating the findings Evaluating the findings
  • 53. Conduct on-Site Audit Activities • Conduct opening meeting • Communicate during the audit • Explain roles and responsibilities of participants • Collect and verify information • Generate audit findings • Prepare audit conclusions • Conduct closing meeting
  • 55. Opening Meeting • Hold opening meeting with auditee top management and those responsible for processes audited • Meeting may be informal • Chaired by team leader • Audit team present • Purpose is to confirm all prior arrangements
  • 56. The Audit Triangle 57 Observe (See what they actually do) Question (Ask them what they do) Check (Confirm evidence of conduct)
  • 57. Collecting & Verifying information Sources of information Collecting by appropriate sampling and verifying Evaluating against audit criteria Reviewing Audit conclusions Audit Evidence Audit Findings
  • 59. Auditing Process – Techniques to Obtain Audit Evidence Interview: oPersonnel that manage, perform, and verify activities; oAlso ensure they are responsible for the activity being audited; oListen carefully to responses. Observe: o Identity, status, condition, processes, equipment, activities, environment, and people. Listen: o Information from relevant authority and that it is verifiable.
  • 60. Sources of Information • Interviews • Documents (procedures, instructions, specifications, etc) • Records • Data Summaries (analysis and performance) • Reports (customer feedback, supplier ratings) • Databases • Observations (of activities and conditions)
  • 61. Conducting Interviews Interviews are an important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed • May start with asking the auditee to describe the work • Avoid misleading questions • Listen carefully & make notes • Summarize the results of interview & discuss with auditee
  • 62. Questions • Open questions - Encourage auditee to speak • Probing questions • Closed questions Questions should be asked like a funnel – starting with open questions and ending with closed questions
  • 63. Questioning Techniques • Hypothetical • Obvious • Answered • Repetitive • Non-verbal
  • 64. Open Questions Six friends (To gather information) R, Kiplings Elephant child • Who (does it) • What (is done) • Where (is it done) • Why (is it done) • When (does it get done) • How (is it done; often is it done) And seventh friend (For verification) • Show me
  • 65. 7 Tips for Interviewing • Use appropriate types of question • Adopt a logical approach • Follow a natural sequence • Actively listen to what is being said • Use silence appropriately • Seek clarification, where necessary • Verify responses, where necessary
  • 66. Documents • Policy & Objectives • Plans • Policies and procedures / instructions • Specifications/ drawings • Contracts/ Orders • Licenses/ permits Review documents which describe activities, plans, controls, Strategies and tests
  • 67. Records Records are evidence of an activity performed • Test records • Training records • Performance monitoring records • Audit Report • Management Review – Minutes of Meetings • Non-conformance records • Customer Satisfaction records • Vendor performance evaluation records and ……………………………
  • 68. Observations Observations of : • Activities being performed • Housekeeping • Condition of infrastructure and hardware • Work environment
  • 69. Control of the Audit • Checklist is a servant not a master • Audit the complete scope • If potential audit trails appear, decide: • disregard • note for later • follow up immediately • Might affect the sample size • Might affect the audit programme
  • 70. Notes Recording the objective evidence: • Admissible statements (Quotes and statements) • Document / Record numbers and issue/revision levels • Identifiers (Product identification) • Surroundings • Name of auditee or preferably job titles • Issues which may impact other functions
  • 71. Mental Notes •Workload •Employee behaviour •Management approach •Organization culture •Reactions
  • 72. Notes • Notes is an evidence of the professionalism of the auditor • Evidence of sample size and observation • Should be legible & retrievable • Shall be an input to the audit report • May be used for further investigation & subsequent audits
  • 73. Verify Facts • Discuss concerns with auditee • Auditee may provide correct information • Record all the evidence in detail • Establish why a nonconformity or otherwise & who (preferably by job title) • Audit focus must be on conformity and effectiveness, not on finding nonconformities Therefore, auditors must be competent in – • Reasoning of nonconformities • Evaluating effectiveness of corrective action
  • 74. Good Practices • Ask the right person - the person with the responsibility for what it is you are auditing • Don’t talk down or be rude/ sacarstic • Ensure questions are clear and understood - avoid jargon, use plain and simple language, rephrase the question if not understood. • Do not confuse, ask one question at a time. • Allow time for auditee to answer any questions you ask • Do not take sides, stay impartial, do not jump to conclusions; always look for the evidence • Be polite at all times, regardless of any provocation you may encounter
  • 75. Handling Difficult Situations • Time wasting • Discrimination • Hostility • Avoidance • Finger-pointing • Undermining • Deception • Obstruction • Usurping control • Flattery
  • 76. Handling Difficult Situations: examples • Cannot find document • Uncooperative • Noisy environment • Long telephone calls • Unprepared • Constant interruptions • Provocation • Long-winded auditees • Interdepartmental or personality conflicts • Diversionary tactics • Language • Boastful • Called away • Volunteered information
  • 77. What to Look for during Internal Audit? Three key aspects of a process: • Conformance • Effectiveness • Improvement
  • 79. Conformance • Conformance is the basic principle. • Compare the actual activities against the audit criteria. In other words, "do what you have written, and record what you have done." What shall be done VS what is actually done
  • 80. Process Audits. A process turns inputs into outputs; four questions to ask about any process: • WHO – responsibility, authority and competencies required (with whom?) • WHAT – kinds of resources needed to perform the process (equipment, material resources: with what?) • WHY – objective/target for the process, plus measurement & improvement • HOW – control methods (procedures) used to achieve the desired results
  • 81. Committed to Systems Committed to Systems Audit Reporting
  • 82. Nonconformity • Non-fulfilment of a requirement • Specified requirements: • Company policies and procedures • ISO 22301 standard requirements • Legal requirements • Contractual agreements
  • 83. Nonconformity • The objective of internal audit is to assess the status of the system from the point of view of adequacy of documents (intent), compliance and effectiveness. • Nonconformities can arise for two reasons: - System deficiencies - Human slip-ups. Internal audits should be aimed at identifying system deficiencies.
  • 84. Reporting Categories Categories such as Non-conformance or Non- compliance represent a “non-fulfilment of a specified requirement”, and for many organisations are given the highest priority when determining corrective actions. A lower priority is often given to Observations or Areas Requiring Attention. These findings are recognised as being of lower risk to the organisation.
  • 85. Minor Nonconformity • A violation of, or failure to meet, a requirement of the standard • Any minor lapse in the system • Examples - Training not planned for two employees from the Customer Care Department - Background verification not done for employees x, y and z prior to hiring
  • 86. Major Nonconformity • Complete absence or total breakdown of any clause of the standard(s) • Complete non-compliance with a company policy or procedure • Non-compliance with a legislative requirement • A number of nonconformities leading to system breakdown • Examples - Management review has not been conducted for more than a year. - Business continuity policy not defined
  • 87. Consider the Seriousness Three questions to be answered 1. What could go wrong if the nonconformity remains uncorrected? 2. What is the likelihood of such a thing going wrong? 3. How likely is it to be detected if it did go wrong? A nonconformity with moderate consequences but High probability could be a Major A nonconformity with serious consequences but with negligible probability could be a Minor
  • 88. Observation. An Observation or Opportunity for Improvement (OFI) is a weakness for which there is not enough evidence to raise a nonconformity/issue, but which, if allowed to remain, could result in a nonconformity/issue.
  • 89. A nonconformance statement must be: • CLEAR • CONCISE • SUPPORTED BY EVIDENCE • BASED ON FACTS
  • 90. Writing Statements of Nonconformity • Use auditee’s terminology • Make it retrievable • Must be factual • Make it complete • Make it concise
  • 91. Documentation of audit findings Audit Execution – Audit Findings o Positive finding o Observation o Nonconformity • Minor nonconformity • Major nonconformity
  • 92. Audit Reporting. Audit Execution – Audit Findings. Audit findings must be recorded so that they are reproducible, and should include the objective evidence that supports them. Recording a nonconformance: • Factual observation (What) • Identified location (Where) • Established criteria (Why & how) • Person involved, only where unavoidable (Who)
  • 93. Writing Statements of Nonconformity
  • 94. Nonconformity Statement (1) An organization operates in the financial sector and has implemented a BCMS. During the audit, it was discovered that the organization failed to identify regulatory authorities as an interested party and had not considered specific compliance requirements in its business continuity planning.  Nonconformity: The organization did not identify all relevant interested parties and their needs, contrary to clause 4.2 of ISO 22301. o Clause Violated: 4.2 (Understanding the Needs and Expectations of Interested Parties).  Corrective Action: o Update the stakeholder analysis to include all relevant regulatory authorities. o Conduct a review of applicable compliance requirements related to business continuity. o Integrate these requirements into the BCMS and ensure periodic review.
  • 95. Nonconformity Statement (2) Incomplete Scope Definition. Case Study: A manufacturing organization's BCMS only covered operations at its headquarters, excluding critical manufacturing facilities without justification. This was discovered during an external audit.  Nonconformity: The organization failed to define a comprehensive and justifiable BCMS scope, by excluding critical manufacturing facilities without justifying the exclusion, as required by ISO 22301 clause 4.3. o Clause Violated: 4.3 (Determining the Scope of the BCMS).  Corrective Action: o Reassess and redefine the scope of the BCMS, ensuring it includes all critical facilities. o Conduct a risk assessment for the excluded sites to determine their impact on business continuity. o Update and communicate the new scope document to all relevant stakeholders.
  • 96. Case Study 1: Weak Physical Access Controls • Scenario: During an internal audit, it was observed that server rooms were left unlocked, and unauthorized personnel had access to sensitive areas. • Nonconformity Statement: Physical access controls to sensitive locations were insufficient, compromising the confidentiality, integrity, and availability of information assets, contrary to Clauses 7.5, 8.3 and 8.4.3. • Actionable Measures: - Implement secure access control systems for sensitive areas (e.g., server rooms). - Train staff on physical security protocols and enforce compliance. - Conduct regular checks and audits to ensure sensitive areas are secured at all times. - Document and address risks identified during internal audits. - Periodically review physical security measures. These controls ensure compliance with ISO 22301 and enhance organizational resilience.
  • 97. Insufficient Testing of Business Continuity Plans Case Study: An audit of a logistics company revealed that while business continuity plans were in place, they had not been tested in the last 18 months, contrary to the organization's procedures requiring annual testing.  Nonconformity: The organization failed to conduct regular testing of its business continuity plans contrary to clause 8.5 of ISO 22301 o Clause Violated: 8.5 (Exercise and Testing).  Corrective Action: o Develop a schedule for regular testing of business continuity plans. o Conduct an immediate test of the plans and document the results. Implement a tracking system to ensure future tests are carried out on time
  • 98. Ethos of Auditing • Positive approach • Aim to help improve system • Don’t look for blame • Aid identification of solutions
  • 99. Audit Report • Date • Process/Area of Audit • Auditor(s) • Auditee • NCR • Root cause • Proposed Corrective Action • Corrective Action taken • Verification of effectiveness of corrective action • Review
  • 100. Reporting. After the audit report is generated, the auditor: • Submits the report to the auditee • Gets the auditee to agree on the nonconformances • Agrees dates for corrective action • Ensures that action is taken effectively
  • 101. Committed to Systems Committed to Systems Audit Closing
  • 102. Preparing Audit Conclusions. The audit team confers prior to the closing meeting, at the time scheduled in the audit plan, to plan the closing meeting. The purpose is to:  Review audit findings and other information  Agree on audit conclusions  Prepare the audit report and recommendations  If included in the audit plan, discuss audit follow-up
  • 103. Audit Report Prepare, Approve & Distribute 1. Audit reference 2. Client and Auditee details 3. Audit team details 4. List of auditee representatives 5. Objectives, scope, and criteria 6. Audit plan – dates, places, areas audited and timing 7. Summary of audit process 8. Audit Summary 9. Uncertainty due to sampling
  • 104. Audit Report Prepare, Approve & Distribute 10.Nonconformity reports 11.Recommendation 12.Obstacles encountered 13.Any areas in audit scope not covered 14.Any unresolved issues between the auditee and team 15.Confirmation that audit objectives accomplished 16.Confidentiality statement 17.Distribution list
  • 105. Audit Report Distribution • Issue within agreed time period • If delayed, provide reasons and agree on new issue date • Report must be dated, reviewed, and approved as per procedures •Distribute to recipients designated by audit client •Report is property of audit client •Recipients and audit team must respect the confidentiality of the report
  • 106. Completing the Audit •Audit is complete when all activities in audit plan have been carried out and audit report is distributed •Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures •Maintain confidentiality of audit documents, information, and report •Notify audit client and auditee ASAP if disclosure of audit information is required.
  • 107. Closing Meeting •Hold closing meeting to present audit findings and conclusions •Cover situations encountered during audit that may decrease reliance on audit conclusions •Discuss and resolve diverging audit findings and conclusions •Keep a record if not resolved •Provide recommendations for improvement where specified by audit objectives •Keep minutes and attendance records •Will normally be informal for internal audits
  • 108. Completing the Audit: Conducting the Follow-up • Audit conclusions may require corrective, preventive, or improvement actions • The auditee decides on and carries out these actions within the agreed timeframe • These actions are not part of the audit • An audit team member should verify completion and effectiveness of the actions taken • This verification may be part of a subsequent audit • Maintain independence in subsequent audit activities
  • 109. Conducting Audit Follow-up The auditor is responsible for : Identifying the nonconformance and Closing the nonconformance
  • 110. Conducting Audit Follow-Up At the conclusion of the follow up audit, the auditor must make a conclusion as to the completion and effectiveness of the previously proposed corrective actions :  Has the action been taken and has it been effective?  Has the action not been taken or is it incomplete?  Has the action been taken but is ineffective?
  • 111. Follow-up Action (owner of each step): 1. Receive NCR (Auditee) 2. Identify root cause (Auditee) 3. Prepare corrective action plan (Auditee) 4. Evaluate response (Auditor) 5. Implement plan (Auditee) 6. Evaluate effectiveness (Auditee) 7. Revise plan if necessary (Auditee) 8. Document the changes (Auditee) 9. Verify implementation & effectiveness (Auditor). Records are made of all actions taken.
  • 112. Corrective Action Analysis Using the 5 Whys Technique. Nonconformity: There is no documented evidence that employees have been trained on the organization's business continuity policy. Clause Violated: ISO 22301:2019 Clause 7.2 (Competence). 5 Whys Analysis: 1. Why was the nonconformity identified? Employees were unaware of the business continuity policy requirements. 2. Why were employees unaware of the policy requirements? Training sessions on the policy were not conducted for all staff. 3. Why were training sessions not conducted? The training program for new and existing staff was not formally scheduled. 4. Why was the training not scheduled? There was no clear assignment of responsibility for organizing the training. 5. Why was responsibility for training not assigned? The BCMS implementation team failed to define and document training responsibilities as part of the BCMS processes.
  • 113. Corrective Action Plan. Immediate Action: o Organize and deliver an emergency training session for all employees on the business continuity policy. o Circulate the policy document via email and provide an acknowledgment form for all employees to confirm receipt and understanding. Root Cause Addressed: o Update the BCMS documentation to include specific roles and responsibilities for organizing training programs. o Develop a formal training schedule to ensure all staff receive training on BCMS policies and procedures at onboarding and during annual refreshers.
  • 114. Preventive Action: o Establish a monitoring process to verify that all employees attend scheduled training and complete acknowledgment forms. o Incorporate a competency evaluation into performance reviews to ensure staff understand and comply with BCMS requirements. Responsible Party: o The BCMS Manager is responsible for updating the BCMS documentation and monitoring training compliance. o The HR Department will maintain training records and schedules. Timeline: o Emergency training: completed within 2 weeks. o Updated BCMS documentation and training schedule: completed within 1 month.
  • 115. Nonconformity: Backup data for critical systems is not tested periodically to verify its integrity and recoverability. Clause Violated: ISO 22301:2019 Clause 8.5 (Exercise). 5 Whys Analysis: 1. Why was the nonconformity identified? No evidence exists to demonstrate that backups are tested periodically for integrity and recoverability. 2. Why are backups not tested periodically? There is no defined procedure for scheduling and conducting backup testing. 3. Why is there no defined procedure? The BCMS documentation does not include a policy or process for backup testing requirements. 4. Why does the BCMS documentation lack a process for backup testing? The backup testing requirement was overlooked during the BCMS risk assessment and implementation phase. 5. Why was the requirement overlooked during the risk assessment? The risk assessment team did not involve IT administrators with expertise in system backup and recovery when defining BCMS controls.
  • 116. Corrective Action Plan Immediate Action: o Conduct an immediate test of the backup system to verify data integrity and recoverability. o Document the results and address any failures identified during the test. Root Cause Addressed: o Update the BCMS documentation to include a formalized procedure for periodic backup testing. o Define roles and responsibilities for scheduling and conducting these tests. o Revise the BCMS risk assessment process to ensure the involvement of all relevant stakeholders, including IT administrators, when identifying controls
  • 117. Preventive Action: o Implement automated reminders for periodic backup testing. o Assign specific personnel to oversee compliance with the backup testing schedule. o Provide training for the IT team and BCMS committee on the importance of backup testing and the process for conducting and documenting it. Responsible Parties: o BCMS Manager: Update BCMS documentation and ensure compliance with backup testing procedures. o IT Department: Conduct backup testing, document results, and maintain compliance records. Timeline: o Conduct immediate backup testing: Within 1 week. o Update BCMS procedures and complete stakeholder training: Within 1 month.
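The backup-testing nonconformity above is only closed when there is objective evidence that a restore was actually performed and checked, not merely that a backup job ran. The script below is an added example (it is not from the course deck and does not represent any particular organisation's procedure) of what that evidence can look like in practice: it restores an archive into a scratch directory, compares every restored file against a hash manifest written at backup time, and returns a dated result record an auditor can sample. The tar.gz-plus-JSON-manifest format and the sample "critical system" files are hypothetical and constructed inline; the second scenario deliberately damages the backup (one file silently altered, one lost) to show that the check detects both cases rather than just reporting that the archive opened.

```python
import datetime
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Added example, not part of the course deck. Assumed (hypothetical) backup
# format: a tar.gz archive plus a JSON manifest {relative_path: sha256_hex}
# written at backup time. The "critical system" files are constructed samples.
SAMPLE_FILES = {
    "etc/app.conf": b"listen=0.0.0.0:8443\nmode=production\n",
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "db/customers.sql": b"INSERT INTO customers VALUES (7, 'ACME');\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(dest: Path, files: dict) -> tuple:
    """Write a constructed backup archive and its manifest; return both paths."""
    src = dest / "src"
    manifest = {}
    for rel, content in files.items():
        path = src / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        manifest[rel] = sha256_bytes(content)
    archive = dest / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in files:
            tar.add(src / rel, arcname=rel)
    manifest_path = dest / "backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_backup(archive: Path, manifest_path: Path, scratch: Path) -> dict:
    """Restore the archive into a scratch directory and compare every restored
    file with the manifest. The backup counts as recoverable only if every
    manifest entry restores with a matching hash and nothing unexpected appears.
    The returned dict is the objective evidence for the audit record."""
    manifest = json.loads(manifest_path.read_text())
    scratch.mkdir(parents=True, exist_ok=True)
    started = datetime.datetime.now(datetime.timezone.utc)
    with tarfile.open(archive, "r:gz") as tar:
        # Never let a backup member write outside the scratch directory.
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe member path in archive: {member.name}")
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and security backports
            tar.extractall(scratch, filter="data")
        else:
            tar.extractall(scratch)
    restored = {
        p.relative_to(scratch).as_posix(): sha256_bytes(p.read_bytes())
        for p in scratch.rglob("*") if p.is_file()
    }
    mismatched = sorted(r for r, h in manifest.items() if r in restored and restored[r] != h)
    missing = sorted(r for r in manifest if r not in restored)
    unexpected = sorted(r for r in restored if r not in manifest)
    elapsed = (datetime.datetime.now(datetime.timezone.utc) - started).total_seconds()
    return {
        "tested_at": started.isoformat(timespec="seconds"),
        "archive": archive.name,
        "files_in_manifest": len(manifest),
        "restore_seconds": round(elapsed, 3),
        "mismatched": mismatched,
        "missing": missing,
        "unexpected": unexpected,
        "result": "PASS" if not (mismatched or missing or unexpected) else "FAIL",
    }


def run_demo() -> tuple:
    """Constructed scenario: a sound backup passes; a backup whose media has
    silently corrupted one file and lost another fails against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        archive, manifest = make_backup(base / "good", SAMPLE_FILES)
        good = verify_backup(archive, manifest, base / "restore_good")

        damaged = dict(SAMPLE_FILES)
        damaged["db/orders.sql"] = b"INSERT INTO orders VALUES (1, 'widget', 0);\n"
        del damaged["db/customers.sql"]
        damaged_archive, _ = make_backup(base / "bad", damaged)
        # Check the damaged archive against the manifest taken at backup time.
        bad = verify_backup(damaged_archive, manifest, base / "restore_bad")
    return good, bad


if __name__ == "__main__":
    for record in run_demo():
        print(json.dumps(record, indent=2))
```

Two points matter for the auditor rather than the administrator. First, the manifest must be produced at backup time and stored separately from the archive; a hash list regenerated from the archive itself would always match and proves nothing. Second, the result record (date, archive name, file count, restore time, PASS/FAIL with the lists of mismatched, missing and unexpected files) is what should be retained and sampled at the follow-up audit, because it shows both that the test happened and what it found; the restore time also gives a measured figure to compare against the recovery time objective in the business continuity plan.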
  • 118. • Clause 4: Context of the Organization  Audit Focus Points:  Identification and documentation of internal and external issues affecting Business continuity (Clause 4.1).  Identification of interested parties and their needs/expectations, particularly legal, regulatory, and contractual obligations (Clause 4.2).  Proper definition and documentation of the BCMS scope, reflecting boundaries and applicability (Clause 4.3).  Consistency between the scope and the organization's business objectives.
  • 119.  Clause 5: Leadership  Focus Points:  Top management's commitment to the BCMS, including leadership support, resource allocation, and accountability (Clause 5.1).  Establishment and communication of a business continuity policy that aligns with strategic objectives (Clause 5.2).  Assignment of roles, responsibilities, and authorities for business continuity, ensuring clarity and competence (Clause 5.3).
  • 120. Clause 6: Planning  Focus Points: o Identification of risks and opportunities related to business continuity, ensuring they are properly documented and assessed (Clause 6.1.1). o Development and implementation of a risk assessment process aligned with the organization's risk acceptance criteria (Clause 6.1.2). o Properly documented and actionable business continuity objectives, with measurable targets and timeframes (Clause 6.2). o Evidence that risk treatment plans effectively mitigate identified risks.
  • 121. • Clause 7: Support  Focus Points: o Availability of sufficient resources for BCMS implementation and maintenance (Clause 7.1). o Competence of personnel involved in BCMS operations and evidence of training programs (Clause 7.2). o Awareness among employees of their responsibilities regarding BCMS policies and objectives (Clause 7.3). o Internal and external communication mechanisms for business continuity issues, including documented communication processes (Clause 7.4). o Control and adequacy of BCMS documentation and its updates (Clause 7.5).
  • 122. • Clause 8: Operation  Focus Points: o Proper execution of risk treatment plans and operational controls (Clause 8.1). o Documentation and evidence of Business continuity processes aligning with planned outcomes. • Procedures for responding to Business continuity incidents, including containment, investigation, and remediation
  • 123. • Clause 9: Performance Evaluation  Focus Points: o Implementation and effectiveness of monitoring, measurement, analysis, and evaluation methods for BCMS performance (Clause 9.1). o Evidence of regular and impartial internal BCMS audits, including reports and corrective actions (Clause 9.2). o Management reviews of the BCMS to ensure continued alignment with business and Business continuity objectives (Clause 9.3).
  • 124. • Clause 10: Improvement  Focus Points: o Effectiveness of corrective actions to address identified non-conformities, including root cause analysis (Clause 10.1). o Continuous improvement initiatives for BCMS processes and controls (Clause 10.2).
  • 125. • General Auditor Actions Across Clauses  Evaluate Documentation: Ensure all required policies, procedures, and records are in place and regularly updated.  Check for Evidence: Verify implementation with objective evidence such as meeting minutes, training records, business impact analyses, risk assessments, and incident logs.  Interview Personnel: Confirm understanding and application of BCMS processes among employees.  Assess Compliance: Confirm compliance with legal, regulatory, and contractual requirements.  Review Corrective Actions: Validate that previous audit findings have been adequately addressed.
  • 126. • Importance of Clause-Specific Focus • By addressing each clause systematically, the auditor ensures that the BCMS not only complies with ISO 22301:2019 requirements but also effectively protects the organization's prioritized activities and the resources that support them. This approach highlights weaknesses, strengthens resilience, and facilitates continuous improvement.
  • 127. Thank You Working Together For Better Environment.

Editor's Notes

  • #3: The only way for an organization to demonstrate complete credibility and reliability in regard to business continuity best practices and processes is to gain certification against the criteria specified in ISO 22301, the business continuity management standard. Certification additionally requires that management controls have been implemented, in order to confirm that the organization's prioritized activities and data are protected.
  • #10: Auditors gather information by seeing and hearing. Statements can be considered as objective evidence when made by those responsible for the activity being audited – admissible statements. Whenever possible, auditors should gather material or documented support for the statements made. If found, nonconformities shall be quantified to enable the auditor to communicate the depth of the problem to the auditee.
  • #12: Only informed judgements must be made by auditors, and are based on the objective evidence gathered during the audit. Auditors must not allow their opinions or prejudices to influence decisions. This concludes module 9.
  • #17: Pre-assessment is an audit prior to the main audit. The purpose of the audit is to assess the level of preparation/ status and to identify the gaps which can be completed before the main audit. Certification Audit is to verify the conformance of the management system to the requirements of the applicable standard to enable certification to the said standard. Surveillance Audit is periodic audit to check if the conformance of the management system is in line with the agreed criteria for certification. Process Audit is auditing the parameters and the capability of a process. Product Audit is verification of the product if it meets the required specification.
  • #42: The main role of an auditor is to verify compliance or otherwise with specified requirements. Particularly with 3rd party audits, the mere fact that an auditor is due to appear on the premises sparks the auditee to ‘tidy-up’ All audit results must be made known to management. Therefore auditors are by default management instruments. Auditing of any type is a vehicle for communication. The very nature of auditing makes the auditor a major interface with different people/companies. The ‘consultative’ role that an auditor can undertake is dependent on the type of audit and the terms of reference given to the auditor. A 3rd party auditor is prohibited from giving consultancy, as this could breach confidentiality and negate the independence of the auditing body.
  • #46: Use of body language Posture Tone Facial expression Eye contact Appropriate gestures
  • #74: Discuss concerns freely with the auditee. Auditing is an 'open book' activity. The auditee will know more about the system than the auditor, so request their help to gain a better understanding. Verify the findings with the auditee. Record all the relevant information in the notes. Remember, it is an audit of the management system, not of the people working to it. Only use names when it is clear that personal criticism is not implied.
  • #76: Auditors may face difficult situations during audits. Under no circumstances should an auditor lose their cool. They should continue with the audit and avoid circumstances in which the audit could be delayed or aborted.
  • #88: The frequency of the nonconformity is often not enough to evaluate its significance. Enlist the auditee's help in answering these questions. When specialist knowledge on the auditor's part is necessary, this can help the evaluation of nonconformities, but the auditee's help should also be enlisted. A nonconformity with moderate consequences but high probability could be a major. A nonconformity with serious consequences but with negligible probability could be a minor.