Auditing Business Continuity: Global Best Practices

$74.99

  • Contains a comprehensive, detailed business continuity audit plan
  • Includes sample audit report and work papers
  • An ideal resource for consultants or auditors, as well as internal business continuity planners
  • International in scope – includes country-specific guidelines

Description

Auditing Business Continuity: Global Best Practices, by Rolf von Roessing, presents a general methodology and a framework for auditing Business Continuity Management (BCM), for auditors, managers and consultants working in business continuity.

It has been endorsed by the Business Continuity Institute.

Business Continuity Management (BCM) is a complex field. It covers business issues and technology with a perspective on the entire enterprise. The business continuity manager, and the auditor, require a diversified set of skills and extensive knowledge to assess business continuity as a question of business survival. There has been a lot of confusion about the terms “business continuity,” “disaster recovery,” “IT security” and many other words attempting to describe the continuation of critical business processes under adverse circumstances. However, for the auditor these terms refer to one and the same notion: businesses should take adequate precautions to ensure that no going concern issues arise from crises or disasters.

Some companies decide to take a cautious stance with regard to continuing their operations come what may: they prefer to “err on the safe side” and rely on preventative measures. Other firms, perhaps in an industry where “speed to market” and competitive pressure require a faster pace, may prefer to reduce investments on prevention, while putting in place a robust crisis and disaster management mechanism. Both types of corporations nevertheless pursue the overall goal of business continuity, by either avoiding risks or disasters (if they can), or by making sure they can deal with these events.

In a sense, Business Continuity Management means “reading the future” or trying to safeguard an organization against unforeseen events.

Management is still forced to address precisely this issue, by carefully evaluating their options and then making an entrepreneurial decision about the acceptable level of remaining risk. To the auditor, it is important to understand how this decision has been reached and whether it can be justified from a financial, operational and managerial point of view. Neither the overly cautious nor the reckless manager will succeed in today’s market – the BCM auditor should provide a sounding board and an objective business partnership to the management of the company being reviewed.

Business Continuity Management Audit is therefore an important element of ensuring corporate survival.

The audit result incorporates issues of compliance, highlights weaknesses and provides reasonable recommendations to management, whose experience may be enhanced and improved by the auditor’s objective input from other corporations or industries. It is not to be confused with the much narrower field of IT audit. This book has been deliberately restricted to business continuity rather than IT continuity to highlight the all-important differences between the two.

The contents have been arranged around the Business Continuity Institute (BCI) / Disaster Recovery Institute International (DRII) Professional Practices for business continuity, as well as other standards such as COBIT or ISO/IEC 17799. Some elements may look familiar to the experienced auditor, who may still benefit from using this book as a reference manual or as an instructive tool for groups of auditors. This is intentional, as BCM and related audit questions should “fit in” with tools and models that are recognized and proven in the field.

A Rothstein Publishing Classic Book. 2002, 306 pages, ISBN 978-1-931332-15-6

Additional information

Weight 2 lbs
Dimensions 11 × 9 × 1 in

Table of Contents

FOREWORD
PREFACE
INTRODUCTION
HOW TO USE THIS BOOK

SECTION I: AUDIT GUIDELINES FOR BUSINESS CONTINUITY MANAGEMENT

1 AUDIT FRAMEWORK, SCOPE AND PLANNING   3
Introduction   3
Audit Framework   7
Audit Scope   9
Audit Areas (Modules) and Planning   19
Example of Audit Framework, Scope and Planning Statement   22
Example of Individual Audit Program   28
SUMMARY   32

2 CONDUCTING THE AUDIT   33
Scheduling and Administration   33
Example of Interview Schedule and Administration   35
Interview Contents   37
Example of Interview Guidelines   41
Example of BCM Questionnaire   46
Pitfalls and Known Difficulties   47
SUMMARY   52

3 ANALYSIS   53
Summarizing Interview Results   54
Example of Interview Series Summaries   57
Example of Gap Analysis   64
Documentation   66
Methods   73
Analytical Example   75
Applying the Standardized Program   77
SUMMARY   80

4 REPORTING GUIDELINES   81
Structuring Report Contents   82
Example of Overall Report Structure   86
Miscellaneous Reporting Issues   91
Applying the Standardized Audit Program   92
SUMMARY   96

SECTION II: STANDARDIZED AUDIT PROGRAM   97

1 PROJECT INITIATION AND MANAGEMENT   98
1.1 Scope, Objectives and Format   98
1.2 Organizational BCM Integration   103
1.3 Financial Planning and BCM Budget   105
OVERVIEW CHAPTER 1 AUDIT ITEMS   108

2 RISK MANAGEMENT AND EVALUATION   109
2.1 Risk Identification, Loss Potentials, Vulnerabilities   109
2.2 Risk Analysis Methodologies and Tools   111
2.3 Risk Evaluation and Control   114
OVERVIEW CHAPTER 2 AUDIT ITEMS   118

3 BUSINESS IMPACT ANALYSIS ACTIVITIES   119
3.1 A comprehensive business impact analysis has been performed.   119
3.2 A list of prioritized business processes exists.   120
3.3 All vendors, suppliers, and third-party companies that are relied upon have a business continuity plan.   121
3.4 An adequate level of business interruption insurance is established.   122
3.5 Business process interdependencies are defined.   123
3.6 Maximum tolerable downtimes (MTDs) are established on the basis of financial and operational impacts of a disruption to normal business operations.   124
3.7 Maximum times in alternative operations (MTAs) for all business processes are defined and documented.   125
OVERVIEW CHAPTER 3 AUDIT ITEMS   126

4 EMERGENCY RESPONSE AND OPERATIONS   127
4.1 Command and Control   127
4.2 Response Steps   132
OVERVIEW CHAPTER 4 AUDIT ITEMS   138

5 BCM STRATEGY   139
5.1 Strategy Requirements   139
5.2 BIA Alignment   142
5.3 Outsourcing / Insourcing Issues   144
5.4 Enterprise-wide Strategy   146
OVERVIEW CHAPTER 5 AUDIT ITEMS   149

6 DETAILED BUSINESS CONTINUITY PLANNING   150
6.1 Plan Development Requirements   150
6.2 Recovery Management and Control Requirements   153
6.3 Format and Structure of Plan Components   157
6.4 Operational Planning   160
6.5 Detailed Implementation   185
6.6 Plan Distribution and Control   188
OVERVIEW CHAPTER 6 AUDIT ITEMS   191

7 TRAINING AND AWARENESS   193
7.1 Business Continuity Awareness   193
7.2 BCM Training and Awareness   194
OVERVIEW CHAPTER 7 AUDIT ITEMS   196

8 MAINTENANCE AND EXERCISE   197
8.1 Plan Testing   197
8.2 Plan Maintenance   203
OVERVIEW CHAPTER 8 AUDIT ITEMS   208

9 PUBLIC RELATIONS AND COMMUNICATIONS   209
9.1 Public Relations   209
9.2 Crisis Communications   212
OVERVIEW CHAPTER 9 AUDIT ITEMS   214

10 COORDINATION WITH PUBLIC AUTHORITIES   215
10.1 Regulatory Framework   215
10.2 Coordination with Disaster Recovery and Business Continuity Agencies   217
OVERVIEW CHAPTER 10 AUDIT ITEMS   224

11 COUNTRY-SPECIFIC ISSUES   225
11.1 Germany   225
11.2 Australia, New Zealand   230
11.3 Austria   231
11.4 Italy and Greece   232
11.5 United States and Canadian Standards on BCM and Risk Management   234
OVERVIEW CHAPTER 11 AUDIT ITEMS   235

12 SOFTWARE-BASED PLANNING   236
12.1 General Status   236
12.2 Technical Status   241
12.3 Software Functionality   246
OVERVIEW CHAPTER 12 AUDIT ITEMS   248

APPENDIX A: SAMPLE AUDIT REPORT (FORMATTED)   249

APPENDIX B: SAMPLE WORK PAPERS (FORMATTED)   277
Sample 1: Audit Item from Area 1 (Project Initiation and Management)   278
Sample 2: Audit Item from Area 2 (Risk Evaluation and Control)   279
Sample 3: Audit Item (complex) from Area 6 (Detailed Planning)   280
Sample 4: Audit Item (complex) from Area 7 (Training and Awareness)   282

BIBLIOGRAPHY   284
ABOUT THE AUTHOR   286
ABOUT THE PUBLISHER   290

Rolf von Roessing has extensive experience in business continuity management, information security and traditional security. In recent years he has worked with Ernst & Young in several European and global offices, including specialist assignments such as Y2K subject matter expert and active participation in several global core teams for business continuity. His current position includes BCM and security-related responsibilities, and he heads these service lines for Austria and several other countries.

Rolf is a board member of the Business Continuity Institute (BCI) and holds MBCI certification. He is an active participant in the Institute’s education committee, working towards the integration of BCM best practices into tertiary education programs. These developments include the consolidation and publication of BCM knowledge, academic and research work.

In Austria, Rolf has contributed to several standardization and codification initiatives, notably the ISO 17799 introduction as a common standard throughout the country. He frequently supervises security-related certification examinations and has presented various lectures and training courses on business continuity management in a European context.

Rolf holds postgraduate degrees in Britain, France and Germany, as well as the CISA (Certified Information Systems Auditor) and CISSP (Certified Information Systems Security Professional) professional certifications.

“Auditing Business Continuity: Global Best Practices” is his first major book, following a solid background of academic publications and professional papers, including:

  • 1997: “A Connection Between Romanian Power Plants Using a Computerized Network” (with C. Delamarian). Mannheim, Timisoara: ISIM (National Welding Institute).
  • 2001: “Tools for BCM – Functional Criteria and Framework for a Software Based BCM Approach” (with Michael Wiring). Published by the BCI.
  • 2001: “BCM and Risk Management: Standardisation, Convergence and the Business Control and Transparency Act 1998.”
  • 2001: “Business Continuity Planning and its Framework of Reference: Laws, Standards and Integration With Insurance and Other Disciplines.” Pune, India: Proceedings of the C D Deshmukh Joint Seminar on Information Systems Business Continuity Planning, National Insurance Academy of India.
  • 2001: “High Availability: Just for eBusiness?” Presentation and paper (in German). Leonberg, Germany: Siemens AG.
  • 2002: “Security, eBanking, Digital Signatures: Potential Risks, Measures and an Integrated Audit Approach.” Presentation and paper (in German) for the Institute for International Research.

Rolf’s educational background includes:

  • Bachelor of Arts (Honours) European Business Administration, Middlesex University, London, upper second
  • Diplom-Betriebswirt (FH), 1992 – ESB Reutlingen, Germany
  • Master of Arts in International Business, DeMontfort University, Leicester UK, with distinction
  • Diplôme d’Etudes Supérieures Spécialisées, Cadre Européen en Affaires Internationales, Université de Savoie, Chambéry, France. Mention bien (equivalent of Distinction)
  • Fachzertifikat Internationales Management, 1993 – HTW Saarbruecken, Germany.

Rolf’s professional background includes:

  • 1996 – 2001 chapter board member, Project Management Institute, Frankfurt Germany
  • 1993 – 1994 research on knowledge-based systems and neural networks in power plant engineering; wrote the commercial strategy for the European Union within a consortium of 13 major utility companies from 9 countries
  • 1994 – 1997 Head of IT, Europe & Middle East Region, Securicor Security Services / Securicor Group
  • 1996 – 1997 Romanian State Electricity Utility & Romanian government – planning and political proposal for a nationwide power plant network for backup / remote control purposes, part of a strategic initiative for a resilient power infrastructure in Romania
  • 1997 – 2000 Ernst & Young Frankfurt, deputy head of European BCM services
  • 1999 several large Y2K BCM projects
  • 2000 – Ernst & Young Vienna, head of eSecurity Services, head of BCM for Austria, Croatia, Slovakia, Slovenia

There are numerous publications that provide a wealth of knowledge about what Business Continuity Management (BCM) is and how it should be done; few offer an explanation of how it can be assessed.  Many concentrate on how to develop and maintain a BCM plan; few adopt an holistic approach to BCM and address the key issue of how to develop and maintain a BCM capability based on an understanding of the business and its markets.

This work of Rolf von Roessing is grounded in sound experience and begins to fill the BCM plan/capability gap. It sets out the BCM audit process in a structured and user-friendly way that should be basic reading for all BCM professionals and BCM auditors.

A particular acknowledgement is the complexity of a BCM audit and the need for professional BCM expertise as a key element to successfully achieve audit objectives.

The work not only provides a general outline of how to conduct different types of audits but also reinforces their application by providing practical examples and advice to illustrate the step-by-step methodology, including contracts, reports and techniques. The practical application of the methodology enables the professional auditor and BCM practitioner to identify and illustrate the use of good BCM practice whilst demonstrating added value and business resilience.

Dr. David J. Smith MBA LL.B(Hons)

Chairman of the Business Continuity Institute Education Committee

The Business Continuity Institute’s mission is to promote the art and science of Business Continuity Management world-wide. The BCI promotes the highest standards of professional competence and commercial ethics in the provision, maintenance and services for Business Continuity Management (BCM). It provides an internationally recognised Certification scheme for BCM managers and practitioners. The BCI Professional Recognition Program creates a benchmark for the assessment of best practice in the field. There are now over 1,200 members of the Institute working in 36 countries across the world. Members are drawn from all sectors including Finance, Government, Health, Transport, Retail and Manufacturing.

For further information, email TheBCI@btinternet.com or visit www.thebci.org


I was very happy to be asked to write a preface to this welcome addition to the growing library of Business Continuity learning.

Why? As a practicing consultant and trainer of enterprise risk management and business continuity, it has long been a source of discomfort that so many business continuity plans simply pay lip service to real needs. Plans are often over simplistic, over-focused on particular possibilities, ill-considered and incomplete. They make implicit assumptions – about the availability of people, assets and access, for instance – without subjecting those assumptions to challenge.

Around 85% of Business Continuity Plans fail when first tested. Put simply, these plans show fundamental flaws that would have prevented recovery from taking place within the required timescale.

Over 50% of Business Continuity Plans are never tested. This means that those flaws have not been exposed and the plans will almost certainly fail to deliver timely recovery.

These stark figures demonstrate just how misplaced are the hopes of many managers when they rely on such fragile plans. No matter what forethought is given to business continuity management, the actual experience of a disaster bears little relation to the pre-considered events and to plans developed in the relative calm of normal circumstances.

Too often business continuity arrangements are based on specific disaster scenarios and would not withstand scenarios that had not been considered.  But disasters are not disciplined. Chaos follows no roadmap. The unthinkable does happen. 

It is therefore crucial to businesses that plans are subject to stringent review. That is why I welcome Rolf von Roessing’s cogent contribution to this important area. Rolf provides a comprehensive, pragmatic and deeply practical step-by-step guide to Business Continuity audit. I commend it to all who are serious about the topic.

Andrew Hiles FBCI, MBCS
Oxford, UK
June 2002


Andrew Hiles was founder and, for some 14 years, Chair of an international business continuity user group.  He was a founding director of the Business Continuity Institute and a founder of the World Food Safety Organization.  An international consultant, trainer and coach in enterprise risk management and business continuity, Andrew has some 25 years experience in this area and is a director of consulting group Kingswell International.



This book is a toolset to assist you in planning, conducting and documenting a review of the business continuity management (BCM) process within a company or institution. It is structured in three main sections. The first part explains how to plan an audit from beginning to end. The second part contains a full audit program that you may use at varying levels of detail to support your audit strategy and plan. The third part contains samples of an audit report and selected work papers to help you put the plan and program into practice.

If you are a financial auditor, or an internal auditor tasked with reviewing business continuity, this may be a new field to you. Likewise, if you are a business continuity manager who has been assigned the task of being an auditor, this is a new way of looking at BCM, rather than implementing it. Chapter 1 explains the concepts of BCM and audit seen together. It shows how to formulate the framework and scope of a BCM audit, how to define audit plans and how to write a clear and concise audit program that management and other stakeholders will understand and buy into.

As an auditor, you are managing the practical phase of a BCM review. Chapter 2 explains how to schedule the review, how to estimate time and effort, and how to streamline the process of formal audit steps. Known difficulties and pitfalls, many of them unique to BCM, are explained in detail. Even if you are a seasoned audit professional, this chapter may help you in identifying typical problems associated with reviewing a complex process and interacting with a wide range of managerial and technical responders. As a business continuity manager, Chapter 2 may help you understand the challenges presented by reviewing the BCM concepts without actually managing them yourself.

Chapter 3 outlines methods of analysis that you can use to arrive at a well-founded audit opinion. As a financial or internal auditor, this chapter will allow you to evaluate your findings and to avoid time-consuming detail when reviewing the BCM process. As a business continuity manager, you will find Chapter 3 a useful tool for looking at any given part of a BCM process and for comparing findings against your own experience and best practices.

The success of your work as a BCM auditor depends on clear, concise audit reports that are easily understood by management. Chapter 4 explains how audit reports are structured, written and presented to your stakeholders. In this chapter, you will find samples and templates ranging from small, detailed reports to a large set of reports designed for an international BCM audit.

Section 2 is a standardized audit program divided into work areas. You will find detailed audit questions covering all aspects of business continuity management. In the course of your BCM audit, you can use parts or the whole of the standardized questions for your audit plan and program. The standardized audit program is designed to give you additional information on risk ratings, recognized standards and additional materials that you may use to understand each item, as well as to communicate it to audit teams or the auditee organization.

For each item within the standardized audit program, the legal, regulatory and technical background is explained in detail. Detailed audit steps have been included for each question to give you indications as to the time and effort required during the audit. Suggested standard wordings for findings and recommendations have also been included.

Work area 11 contains detailed audit instructions for some national jurisdictions where different rules may apply. You can use these to guide your audit teams, and to find out what materials you may need to understand and evaluate when reviewing BCM abroad. The national parts of area 11 include the Central and Eastern European world to give you an overview of what to look for even if a foreign language is used.

Work area 12 will support you when reviewing typical BCM software tools. You will find useful hints and technical references to give you quick access to typical problems and difficulties that may constitute important audit findings.

Section 3 contains a sample audit report that is based on the examples used in Section 1. Selected work papers have been added to provide an indication as to the ways in which you might use the standardized audit program.

Depending on your previous experience with audit and BCM, you can use this book as a reference work or as a step-by-step guide for hands-on project work. However, it is not a “one-size-fits-all” guide along the lines of “BCM-in-a-box for $9.99.” Whether you are a novice auditor or a seasoned BCM professional, it is likely that you will use the book in different ways. Your comments on using it, and suggestions for improving the framework suggested, are welcome.

Miscellaneous Reporting Issues

Technical References

In contrast to other audit fields, particularly finance, it is likely that many findings will require footnotes to provide additional evidence or references to books or articles. A bibliography is therefore recommended to give an overview of relevant publications. While it may be argued that the managerial reader is unlikely to read such technical references, they are nevertheless important for the more operational levels of the corporate hierarchy, for instance in facilities management and information technology. Hence, technical findings should be explained at an appropriate level of detail, using attachments and appendices where necessary. When referring to published or unpublished material in this way, the auditor might wish to include copies of articles and papers with the audit report. Unlike an academic publication, the audit report should not require further research on the part of the reader, although copyright restrictions may limit the amount of material that the auditor can copy and provide as a matter of courtesy.

In many cases, technical references may appear cumbersome and somewhat exaggerated – at first sight. However, the auditor is often required to provide evidence, or prove the technical points that constitute an audit finding. While the financial auditor can quite easily refer to standard works known to most financial experts, the BCM specialist is often forced to compile supporting evidence from many sources published in different periodicals and languages. This in turn requires that an audit report be much more specific and detailed in its referencing system and bibliography.

Management Presentations

Many audit engagements require final presentations to management which should be based upon the audit findings and reports. In most cases, these presentations will be given to senior management or the board of directors. Consequently, they differ significantly from the detailed reporting schedule outlined above. It is recommended that any presentation be short, concise and focused on the main objectives pursued both by business continuity management within the auditee organization and the audit itself. Given that presentations are usually prepared using an appropriate graphics package, the majority of information is likely to be given orally, rather than in writing. Experience has shown that elaborate presentations containing numerous slides may be counter-productive. BCM, more so than other audit topics, requires particular attention to brevity and a concise style of presenting. Otherwise, findings or recommendations may take a long time to explain or visualize. The auditor should limit presentation items in line with the management summary (see example above) to ensure that the audience is addressed at an appropriate technical level, and in a concise manner. The following rules of thumb, although fairly generalized in nature, nevertheless apply to presenting BCM findings and recommendations to a senior management group:

  • It takes at least three minutes to present one slide; each question from the audience prolongs this by one to two minutes.
  • It takes thirty seconds for a reader to take in a complex visual slide.
  • It takes thirty seconds for the audience to read a text slide with many bullet points.
  • A slide with more than four (textual) bullet points appears crowded.
  • If the presentation contains more than seven major findings, they should be sub-grouped; otherwise the audience will not remember all of them.
  • When using tabular representations of numbers or graphs, add thirty to sixty seconds for understanding, and up to two minutes for explaining what the visual means.

Using these simple rules, the auditor may calculate overall presentation time by counting slides and estimating the overall duration – with and without questions from the audience. It is further suggested that longer presentations be structured to provide natural breaks or audience participation. This is particularly important when the contents of the presentation address several topics:

  • When a question forms in the mind of a listener, it will remain “active” for 30 seconds (short-term memory), for up to four hours (medium-term memory) or indefinitely (long-term memory). Some BCM questions relate to complex facts and visuals. It is advisable to increase the number of feedback loops by asking for questions from the audience after each “complicated” slide; this will cover the questions held in short-term memory.
  • Not all questions are necessarily noted down by participants. The auditor may prefer to continue without interruption; in that case it is recommended to use a flip chart to note down the questions physically for later discussion, and to reassure the audience that all questions will be answered.
  • Rather than asking for management input and opinions after the presentation, the auditor may provide “breaks” by asking for statements from the audience during the presentation. These may be useful when completing one aspect of BCM, such as risk management, prior to proceeding to the next one (business impact analysis). This type of audience participation, as well as asking for action points set by management, will enable the auditor / presenter to reinforce the rapport with the audience, and to give positive feedback while progressing towards the conclusions (“as Mr. X has pointed out earlier, this slide shows that BIA activities have not been addressed in countries A, B and C…”).

The auditor, in presenting to management groups, should take into consideration that BCM – in most cases – will be an unfamiliar topic to the majority of the audience. While some knowledgeable individuals may be present, others will be confronting the issues of business continuity for the first time. It is therefore very important that all participants be made comfortable with the subject, and that ample discussion time be provided. Ideally, senior managers should themselves formulate the conclusions and action points arising from the presentation, rather than being deprived of their prerogative to make decisions. Despite the fact that the auditor is presenting findings and recommendations, the latter should be formulated in a manner that invites managerial reactions and decisions, rather than pre-empting these decisions.