
Business Continuity Management: A New Challenge to the Auditor

by Rolf von Roessing

Auditing business continuity management (BCM) is rapidly becoming one of the most urgent issues throughout the audit community. Recent legislation and several regulatory initiatives have made it clear that financial and technology auditors must review business continuity (and not just IT disaster recovery) in much more detail than before. The events of 9/11/01, and the subsequent struggle for survival that many former World Trade Center tenants are undergoing, have heightened interest in topics such as disaster preparedness, preventative measures, recovery and restoration of the core business - in other words: how will the business continue to function if a major event occurs that may impact financial stability and the existence of the company as a whole?

In the US, standards like NFPA 1600 (National Fire Protection Association), HIPAA and the discussion about homeland security have put BCM on the audit agenda. In Britain and Europe, the Turnbull Report and various Codes of Corporate Governance are forcing auditors to quickly address an area previously neglected. In Eastern Europe, several national banks have adopted the ISO 17799 standard that mandates business continuity management for the financial sector. Germany introduced the Business Control and Transparency Act in 1998, enforcing the existence of corporate risk management and certain continuity-related controls for all listed companies.

BCM audit is here to stay: in the global economy, most countries have adopted a "must-have" policy towards business continuity. This is sharply opposed to the traditional "nice-to-have" notion often entertained by senior managers, whose primary concern is to reduce cost and maximize quarterly earnings. As a result, it has been recognized that assurance is needed, and that adequate controls must be in place. BCM has become a vital part of the overall concept of corporate governance, independent review and compliance with good practices.

It is now the auditor's responsibility to give due consideration to the concepts, plans and management processes that safeguard the survival of an organization under adverse conditions.

In other words: BCM is a going concern issue and must be addressed accordingly.

BCM Audit: The Typical Setting
Conducting an audit of business continuity planning and management presents an unusual challenge to financial or IT auditors. While audit automation, CAATS (computer assisted audit tools) and other acronyms have found their way into traditional audit projects, the more technical fields of IT, facilities and business continuity have yet to develop a similar strategy for facilitating detailed audit steps. More often than not, it is even difficult to determine the scope of a review in terms of time and effort, considering that the knowledge required to do so is diverse and not easily obtained.

More importantly, if the business continuity review is to take place within an annual financial audit program, there is often no room for budgetary, or indeed any other uncertainty with regard to the delivery of results. The auditor thus faces a challenging and complex task. Business continuity, as a local or regional activity, almost always requires the direct involvement of experts who can assist with technology, local regulations and interpretation of factual findings. Unfortunately, the number of experts is often limited, and published audit guides and programs are rare. The BCM auditor is therefore a project manager as well as an expert in the field, having to strike a balance between the task at hand and the overall constraints imposed by commercial thinking.

For the business continuity expert, on the other hand, the general world of audit thinking may be an alien one. Designing a business continuity management process is a very different task from scrutinizing an existing set of plans and procedures, verifying them against predetermined standards, and delivering an audit opinion in a structured manner. To the BCM specialist, the main aim may be to "make it work," while the auditor must examine quite a significant number of other aspects.

Rolf von Roessing is head of eSecurity Services and head of BCM for Austria, Croatia, Slovakia, Slovenia for Ernst & Young Vienna. He is the author of the new book Auditing Business Continuity: Global Best Practices (2002, Rothstein Associates Inc.; ISBN 1-931332-15-0).
