BS 25999 Lead Auditor Course
Presentation Slides
Issue 1.1: August 2008 BCM-040-01-EN-US
Welcome!
• Safety - be aware of emergency exits
• Restroom and Telephones - nearest locations
• Contact Number - for urgent messages
• Personal Property - keep possessions secure
• Phones and Pagers - please avoid interruptions
• Recording Devices - not allowed in class
• Lunch and Breaks - please return on time
• Smoking - not permitted in the classroom
• Special Needs - please inform the instructor
©The British Standards Institution 2008
Introductions
• Name
• Organization and business sector
• Job role
• Knowledge of BS 25999 (1 – 10 scale)
• Knowledge of auditing (1 – 10 scale)
• Your aim for attending this course
• Something interesting about yourself
Learning Objectives
Upon completion of the course, students should be able to:
• Lead and carry out an audit of a business continuity management system
• Explain the requirements of BS 25999-2:2007
• Understand the Business Continuity Management Code of Practice
• Clarify the different purposes of BS 25999 Part 1 and Part 2
• Articulate and present audit findings
• Manage successful audit communication and interviews
• Write a succinct audit report
• Conduct opening, closing, and follow-up audit meetings
Business Continuity
Defining Business Continuity
Strategic and tactical capability of the organization to plan for and respond to incidents and business disruption in order to continue business operations at an acceptable pre-defined level (BS 25999-2:2007, 2.3)
Defining Business Continuity Management
Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities (BS 25999-2:2007, 2.4)
Business Continuity Terms
• Business Continuity management system
• BCM program
• BCM response
• Activity
• Critical activities
• BCM strategy
• BCM exercise
• Incident Management Plan
• Business Continuity Plan
• Invocation
• Business Impact Analysis (BIA)
BCM Standards
• BS 25999-1:2006 Code of Practice – best practice guidance, not auditable
• BS 25999-2:2007 Specification – requirements expressed as “shall” statements, auditable
Relationship with other Standards
• BS 25999 is modeled after the PDCA cycle
• Consistent with other management system standards:
  BS ISO 9001
  BS ISO 14001
  ISO/IEC 27001
  ISO/IEC 20000-2
• Continuity is mentioned in the following standards:
  ISO/IEC 27001 and ISO/IEC 27002
  ISO/IEC 20000
Introduction to Auditing
Auditing
What is an audit?
• Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO 19011:2002, clause 3.1)
Why audit?
• Requirement of BS 25999-2
• Monitor and measure the management system
• Promote continual improvement of the management system
Benefits of Auditing
• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of effectiveness of the management system to top management
• Reduces risk of management system failure
• Identifies improvement opportunities
• Continual improvement if performed regularly
Typical Audit Activities
• Initiating the audit
• Conducting document review
• Preparing for on-site activities
• Conducting on-site activities
• Preparing, approving, distributing the audit report
• Completing the audit
• Conducting audit follow-up
Overview of Process-based Management Systems
Management Systems
Common components of management systems:
• Policy
• Planning
• Implementation and operation
• Performance assessment
• Improvement
• Management review
Plan – Do – Check – Act (PDCA) Cycle
Continual improvement of the Business Continuity Management System
[Figure: PDCA cycle. Interested parties supply business continuity requirements and expectations as input; Plan – Establish; Do – Implement and operate; Check – Monitor and review; Act – Maintain and improve; the output delivered to interested parties is managed business continuity.]
Exercise 1 Business Continuity Management Lifecycle
Business Continuity Lifecycle
[Figure: lifecycle diagram with its elements left blank (“?”) for the exercise]
Business Continuity Lifecycle
[Figure: BCM Program Management at the center of the lifecycle; around it: Understanding the Organization; Determining BCM strategy; Developing and implementing BCM response; Exercising, maintaining and reviewing]
Business Continuity Lifecycle and the Plan-Do-Check-Act Cycle
Continual improvement of the Business Continuity Management System
[Figure: the BCM lifecycle (BCM Program Management; Understanding the Organization; Determining BCM strategy; Developing and implementing BCM response; Exercising, maintaining and reviewing) overlaid on the PDCA cycle. Interested parties supply business continuity requirements and expectations; Plan – Establish; Do – Implement and operate; Check – Monitor and review; Act – Maintain and improve; the output is managed business continuity.]
Requirements of BS 25999-2 and the PDCA Cycle
“The organization shall develop, implement, maintain and continually improve a documented BCMS in accordance with 3.2 - 3.4” (BS 25999-2:2007, 3.1)
[Figure: cycle of Develop → Implement → Maintain → Continually Improve]
Exercise 2 Requirements of BS 25999-2:2007
Auditing BS 25999-2:2007
Value of Management System Audits
Management system audits enable management to:
• Make informed judgment on:
  Conformity
  Effectiveness of the system
• Make effective business decisions
• Allocate necessary resources
• Improve business processes
ISO 19011:2002
ISO 19011:2002 provides guidance on:
• Auditing principles
• Managing audit programs
• Conducting internal and external audits
• Competence of auditors
ISO 19011:2002 can also be applied to BS 25999-2
Typical Audit Activities (ISO 19011 clause 6.1)
• Initiating the audit
• Conducting document review
• Preparing for on-site activities
• Conducting on-site activities
• Preparing, approving, distributing the audit report
• Completing the audit
• Conducting audit follow-up
Note: the clause numbers shown on these slides refer to ISO 19011:2002.
BS EN ISO/IEC 17021:2006
The initial certification audit shall be conducted in two stages:
• Stage 1: Audit the client’s management system documentation; review the client’s status and evaluate whether the client is ready for the stage 2 audit
• Stage 2: Evaluate implementation of the client’s management system; shall take place at the site(s) of the client
Exercise 3 Audit Definitions
Types of Audits
• Registration/Certification
• Product
• Customer contract
• Gap assessment/Pre-assessment
• Surveillance
• Combined audit/Joint audit
Dimensions of Auditing
• Intent: Does top management intend to implement a BCMS, and how is this intent communicated?
• Implementation: Does the implementation of the BCMS reflect the intent of top management?
• Effectiveness: Is the implementation effective (i.e., does it meet the parameters established by the intent)?
Management System Standards and the Process Approach
• BS 25999-2:
  Is based upon the PDCA cycle, which can be applied to processes
  Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a BCMS
• ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
Applying the Process Approach to Auditing
Auditors can apply the process approach to auditing by ensuring the auditee:
• Can define the objectives, inputs, outputs, activities, and resources for its processes
• Analyzes, monitors, measures, and improves its processes
• Understands the sequence and interaction of its processes
Process Auditing Approaches
Individual process:
• Input / output / value-added activity
• Plan-Do-Check-Act
• Resources
Relationship with other processes:
• Flow / sequence / linkage / combination
• Interaction / communication
• Evidence
• Customer and supplier contract(s)
Process Auditing “Turtle Diagram”
[Figure: turtle diagram with the process (specific value-added activities) at the center and the questions below around it]
• Inputs: from whom/where?
• Outputs: to whom/where?
• With what? Resources
• With who? Personnel
• How done? Methods/documentation
• What results? Performance indicators
Process Auditing Example
Process: Exercising IT support processes
• Inputs: BCP, IMP, scope, risks, critical activity
• Outputs: written report, feedback for improvement, actions
• With what? Systems, applications
• With who? BC manager, IT manager
• How done? Desk check, simulation, walk-through
• What results? Reduction in recovery times, successful recovery
Exercise 4 Process Auditing and the Turtle Diagram
Managing an Audit Program Process Flow (ISO 19011 clause 5.1)
[Figure: PDCA flow for the audit program]
• PLAN – Authorize (top management), then Establish: objectives, extent, roles, resources, procedures
• DO – Implement: schedule audits, evaluate auditors, select teams, direct activities, maintain records (supported by auditor competence & evaluation and by the specific audit activities)
• CHECK – Monitor & review: monitor, review, identify the need for corrective/preventive action (CA/PA), identify opportunities to improve
• ACT – Improve
Audit Program
The audit program includes:
• One or more audits, depending on the size, nature and complexity of the auditee
• All activities necessary for planning, organizing, and providing resources to conduct audits
Audit Program
• Top management should authorize responsibility for program management
• Those assigned responsibility should:
  Establish, implement, monitor, review, and improve the audit program
  Identify the necessary resources and ensure they are provided
Audit Program
• Audit program processes should include:
  Planning and scheduling audits
  Assuring competence of auditors and audit teams
  Conducting audits and audit follow-up
  Monitoring the performance of the audit program
• The program should be managed by a member of the organization
• Keep appropriate audit records to monitor and review the audit program
Audit Program and Plan
• An audit plan is an output from the audit program
• Audit plans give details about the audit, including:
  Which processes
  Which areas
  Which clauses
Exercise 5 Considerations of the Audit Program
Audit Activities (ISO 19011 clause 6.1)
• Initiating the audit
• Conducting document review
• Preparing for on-site activities
• Conducting on-site activities
• Preparing, approving, distributing the audit report
• Completing the audit
• Conducting audit follow-up
Initiating the Audit (ISO 19011 clause 6.2)
Initiating the audit includes:
• Appointing the audit team leader
• Defining audit objectives, scope, criteria
• Determining feasibility of the audit
• Selecting the audit team
• Establishing initial contact with the auditee
Defining Audit Objectives, Scope, Criteria (ISO 19011 clause 6.2.2)
Audit objectives may include:
• Determination of the extent of conformity of the auditee’s BCMS with audit criteria
• Evaluation of the capability of the BCMS to ensure compliance with statutory, regulatory, and contractual requirements
• Evaluation of the effectiveness of the BCMS to meet its objectives
• Identification of areas of improvement
Defining Audit Objectives, Scope, Criteria
Audit scope describes the extent and boundaries of the audit, including:
• Physical locations
• Organizational units
• Activities and processes
• Time period covered by the audit
Selecting the Audit Team (ISO 19011 clause 6.2.4)
For team size and competence, consider:
• Audit objectives, scope, criteria, and duration
• Whether the audit is combined or joint
• Competence of the team to meet objectives
• Statutory, regulatory, contractual and accreditation / certification requirements
Selecting the Audit Team (ISO 19011 clause 6.2.4), continued
For team size and competence, consider:
• Independence of the team
• Ability of team members to interact with the auditee and each other
• Language of the audit
• Auditee’s social and cultural characteristics
Auditor Responsibilities
• Document and support all findings
• Keep the auditee informed
• Safeguard all documents
• Maintain confidentiality
• Be objective and ethical
• Verify corrective actions, if required
Auditor Competence (ISO 19011 clause 7.1)
• Auditor competence is based on:
  Personal attributes
  Application of knowledge and skills
• Competence is to be developed, maintained, and improved
Auditor Competence Personal Attributes (ISO 19011 clause 7.2)
• Ethical
• Open-minded
• Diplomatic
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self-reliant
Auditor Competence Generic Knowledge and Skills (ISO 19011 clause 7.3.1)
Audit principles, procedures, and techniques:
• Apply principles, procedures, and techniques
• Plan and organize work
• Conduct the audit within the time schedule
• Collect information through interviewing, listening, observing, and reviewing documents
• Understand sampling techniques
• Confirm evidence to support findings
• Prepare audit reports
• Maintain confidentiality and security
Auditor Competence Generic Knowledge and Skills (ISO 19011 clause 7.3.1), continued
• Organizational situations:
  Size, structure, functions, and relationships
  Business processes and terminology
  Cultural and social customs
• Laws, regulations, and other requirements:
  Local, regional, and national
  Contracts and agreements
  International treaties and conventions
• Management system and reference documents:
  Interaction between the components of the system
  Applicable standards, procedures, and reference documents
Auditor Competence BCM Knowledge and Skills
BCM knowledge and skills should cover:
• Techniques used to develop and implement the BCM process
• Analysis methods and techniques to examine business impact and risk assessment
• Understanding of strategy development
• Understanding of planning techniques to examine the development and implementation of BCM responses and exercises
• Understanding of training and awareness programs for BCM
Conducting Document Review (ISO 19011 clause 6.3)
A review of the auditee’s documentation:
• Should be conducted prior to on-site audit activities unless deferring the review is not detrimental to the effectiveness of the audit
• May include relevant BCMS documents, records, and previous audit reports
• May include a preliminary site visit
Conducting Document Review
When conducting a document review, ask:
• Are all requirements of BS 25999 addressed?
• Does the documentation match the audit scope?
• Is management commitment clearly defined?
• Have responsibilities been adequately defined?
• Is the lower level documentation referenced?
• Are you familiar with the area to be audited?
Exercise 6 Document Review (Stage 1 Audit)
Audit Plan Preparation (ISO 19011 clause 6.4.1)
The audit plan should identify or include:
• Objectives/scope/criteria
• Personnel responsible for objectives and scope
• Reference documents
• Audit team members
• Language of the audit
• Areas to be audited
• Schedule of meetings
• Allocation of appropriate resources
• Expected time and duration of each major audit activity
• Confidentiality requirements
• Audit reporting details
• Logistics
• Resolution of any plan objections
• Audit follow-up actions
Audit Planning
• Determine the objective of the audit
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the auditee – agree the date(s)
• Draw up the audit plan
• Brief the team
• Prepare work documents
Exercise 7 Creating an Audit Plan
Prepare Work Documents
• Prepare work documents
• Use as a reference and for recording audit proceedings
• Include checklists, sampling plans and forms, the BS 25999-1:2006 and BS 25999-2:2007 standards, etc.
• Keep checklists flexible to allow changes resulting from information collected during the audit
• Safeguard any confidential and proprietary information
• Retain work documents and records
Checklists Benefits
• Keeps audit scope and objectives clear
• Provides evidence of audit planning
• Maintains audit pace and continuity
• Reduces auditor bias
• Reduces workload during the audit
• Provides space for auditor notes
• Identifies expected evidence
Checklists Potential Drawbacks
• Checklists tend to lose value if they are:
  Tick lists
  Questionnaires
• Checklists may lead to rigid adherence to pre-planned questions; prepare them as memory aids
Checklists Preparation
One approach is to:
• Identify the audit scope and the process(es) within scope
• Identify applicable factors (inputs, outputs, measures, resources, etc.)
• Use these points and other requirements (BS 25999-2, system documentation, etc.) to:
  Plan what to look at
  Plan what to look for (audit evidence)
• Prepare the checklist
Checklist Structure
Audit checklist structure (one sheet per process/activity audited), with four columns:
• Requirement: BS 25999-2 clause number or other requirement
• Source: what to “look at”
• Evidence: what to “look for”
• Notes: auditor notes
Exercise 8 Creating Audit Work Documents
Conduct On-site Audit Activities (ISO 19011 clause 6.5)
• Conduct the opening meeting
• Communicate during the audit
• Explain roles and responsibilities of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct the closing meeting
Opening Meeting (ISO 19011 clause 6.5.1)
• Hold the opening meeting with auditee top management and those responsible for the processes audited
• The meeting may range from informal (1st party) to formal (3rd party)
• Chaired by the team leader
• Audit team present
• Purpose is to confirm all prior arrangements
Opening Meeting agenda (ISO 19011 clause 6.5.1)
1. Introduction / roles / attendance
2. Objective / scope / criteria
3. Documentation status
4. Audit plan confirmation
5. Audit methods
6. Sampling
7. Communication channels
8. Language of the audit
9. Audit progress
10. Closing / interim meetings
Opening Meeting agenda (ISO 19011 clause 6.5.1), continued
11. Logistics: resources, safety, security, etc.
12. Confidentiality
13. Availability of guides
14. Reporting methods, including nonconformities
15. Conditions for audit termination
16. Appeal system: audit conduct / conclusions
17. Restrictions / questions
Exercise 9 Conducting an Opening Meeting
Collecting and Verifying Information
Sources of information → collect by appropriate sampling and verification → Audit evidence → evaluate against audit criteria → Audit findings → review → Audit conclusions
Auditing Process Collect and Verify Information (ISO 19011 clause 6.5.4)
• Collect information relevant to:
  Audit objectives, scope, and criteria
  Interfaces between functions, activities and processes
• Collect audit evidence by appropriate sampling; verify and record it
• Be aware of sampling limitations when acting on the audit conclusion
• Use only information that is verifiable as audit evidence
Auditing Process Techniques to Obtain Audit Evidence
• Interview:
  Personnel that manage, perform, and verify activities
  Also ensure they are responsible for the activity being audited
  Listen carefully to responses
• Observe:
  Identity, status, condition, processes, equipment, activities, environment, and people
Auditing Process Audit Evidence
• Review documents that describe:
  Activities, plans, controls, strategies, exercises, tests
• Review business continuity records for evidence of conformity to documents
• Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
• Audit evidence may be qualitative or quantitative
Communication and Interpersonal Skills
• Put the auditee at ease
• Ask short questions and listen
• Reflect the right attitude, tone of voice, body language, and facial expressions
• Smile and maintain eye contact
• Avoid interruptions
• Avoid off-the-cuff and condescending remarks
• Give praise when appropriate
Communication and Interpersonal Skills, continued
• Show interest
• Be tactful and polite
• Show patience and understanding
• Remember to say please and thank you
• Ask the right person
• Don’t say you understand when you don’t
Questioning Techniques
• Open question: using why, who, what, where, when, or how gets more than a yes or no answer
• Expansive question: further elaborates the current point
• Opinion question: asks an opinion about the current point
• Non-verbal: uses body language, for example raising an eyebrow to elicit further information
Questioning Techniques, continued
• Repetitive question: repeats back the response in the form of a question
• Hypothetical question: uses “what if”, “suppose that”, etc.
• Closed question: gets a yes or no answer; used for confirmation; avoid using too often
• Silence: draws more information
Note Taking
• Notes could be used as a reference for:
  Immediate investigation
  Investigation later
  Use by a colleague
  Subsequent audits
• Notes must therefore be:
  Legible
  Retrievable
Note Taking, continued
• Notes taken during an audit are a record of:
  The audit sample taken
  What was reported
  What was observed
• Notes may be referenced by subsequent auditors
Control of the Audit
• The checklist is an aid, not a requirement
• If potential audit trails appear, decide to:
  Disregard
  Note for later
  Follow up immediately
• Following audit trails may affect:
  Sample size
  Audit plan
Handling Difficult Situations
• Cannot find document
• Uncooperative
• Unprepared
• Long telephone calls
• Constant interruptions
• Provocation
• Long-winded auditees
• Diversionary tactics
• Called away
• Language
• Noisy environment
• Interdepartmental or personality conflicts
• Dog-and-pony show
• Volunteered information
Establish the Facts Keep the Auditee Informed
• For constructive, professional, and helpful audits:
  Review audit progress and findings regularly
  Beat the grapevine or rumor mill
  Generate rapport
• Use the auditee’s terminology
• Make audit documentation:
  Complete
  Helpful
  Concise
Establish the Facts Judgment in the Audit Process
• The audit focus must be on conformity and effectiveness, NOT on finding nonconformities
• The auditee must be given the benefit of any doubt where there is insufficient audit evidence
Establish the Facts
• Get help from the auditee
• Discuss concerns
• Verify the findings
• Record all the evidence: the exact observation; where, what, etc.
• Establish why it is a nonconformity or otherwise
• State who (if relevant) - preferably by job title
• Obtain agreement on the facts
Generate Audit Findings (ISO 19011 clause 6.5.5)
• Evaluate audit evidence against audit criteria to generate audit findings
• Indicate whether findings are conformities, nonconformities or opportunities for improvement
• Meet (audit team) to review findings
• Specify (with supporting evidence) or summarize conformity by location, functions, or processes, as required by the audit plan
Nonconformity (ISO 19011 clause 6.5.5)
• Non-fulfillment of a specified requirement:
  Not doing it
  Partially doing it
  Doing it the wrong way
• Specified requirements:
  Conditions of customer contract
  BC standard (BS 25999-2)
  Business Continuity management system
  Statutory or regulatory requirements
Exercise 10 Auditing Live Wild Logistics
Generate Audit Findings (ISO 19011 clause 6.5.5), continued
• Record nonconformity findings and supporting evidence
• Obtain auditee acknowledgement of nonconformities for accuracy and understandability
• Try to resolve differences of opinion
• Keep a record of unresolved issues
Nonconformity – Minor
• Failure to comply with a requirement which (based on judgement and experience) is not likely to result in BCMS failure
• Single observed lapse or isolated incident
• Minimal risk of nonconforming product or service
• Examples:
  A two month lapse in the exercise program
  A training record not available
  No actions taken to improve or review BCM arrangements after exercises
Nonconformity – Major
• Absence or total breakdown of a system to meet a requirement
• A number of minors related to the same clause or requirement
• A nonconformity that experience and judgement indicate will likely result in BCMS failure or significantly reduce its ability to assure controlled processes and products
Nonconformity – Major Examples:
• No documented procedure for a required BS 25999-2:2007 process/activity
• Document changes routinely made without authorization
• No awareness program for the business continuity management system
• No future planned internal audits
• Insufficient scope
• Numerous minor nonconformities found in the business continuity plan
Nonconformity Classifying the Nonconformity
Consider the seriousness:
• What could go wrong if the nonconformity remains uncorrected?
• Is it likely the system would detect it before the customer is affected?
• If you are not certain it is a nonconformity, it is not. You must have:
  A requirement that has been broken
  Proof that it has been broken
Nonconformity Poor Report Examples
The nonconformity statements below are inadequate because they lack a specified requirement and detailed evidence:
• Steering Group meeting minutes are not adequate
• The authority level for the Emergency Controller must be documented for clarity purposes
Nonconformity Good Report Example
Nonconformity Report – ABC BCMS Audit
Incident Number: 1
Company under Audit: XYZ, Inc.
Area under Review: BCP
Category: [ ] Major [x] Minor
BS 25999-2 Clause Number: 4.3.3.3
Requirement: Clause 4.3.3.3 of BS 25999-2:2007 states that the business continuity plan must identify lines of communication.
Nonconformity Finding: Upon review of the business continuity plan for XYZ, Inc., Issue 2, it was found that the contact information in the BCP still names employees who have left XYZ, Inc.
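The following Python is an added example and is not part of the BSI course material. It encodes the rules stated on the preceding slides: a finding is only raised as a nonconformity when it cites a broken requirement and the proof that it was broken (so the two “poor” statements above are rejected), and a number of minors against the same clause or requirement is escalated to a major. The threshold of three minors is an assumption made here, since the course says only “a number of minors”; the sample findings are constructed, the first reproducing the XYZ, Inc. example above, and the customer-contract reference is hypothetical.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One line of a nonconformity report form."""
    report_id: int
    area: str
    source: str        # BS 25999-2 clause or other specified requirement; "" if none cited
    requirement: str   # the requirement as stated in that source
    evidence: str      # what was observed: document, issue, location, date
    category: str      # "major" or "minor" as raised by the auditor


# Assumption for this example: the course says "a number of minors related to
# the same clause or requirement" constitutes a major but gives no number.
MINORS_PER_SOURCE_FOR_MAJOR = 3


def validate(finding: Finding) -> list[str]:
    """Reasons a report is inadequate; an empty list means it can be raised.

    A nonconformity needs a requirement that has been broken and proof that it
    has been broken; an opinion such as "minutes are not adequate" is neither.
    """
    problems = []
    if not finding.source.strip():
        problems.append("no BS 25999-2 clause or other specified requirement cited")
    if not finding.requirement.strip():
        problems.append("requirement text not quoted")
    if not finding.evidence.strip():
        problems.append("no objective evidence recorded")
    if finding.category not in ("major", "minor"):
        problems.append(f"unknown category {finding.category!r}")
    return problems


def classify(findings: list[Finding]) -> dict[str, str]:
    """Overall classification per requirement source after the escalation rule.

    Inadequate reports are excluded first. A source with any major is major;
    a source with MINORS_PER_SOURCE_FOR_MAJOR or more minors is escalated to
    major; anything else remains minor.
    """
    categories = defaultdict(list)
    for f in findings:
        if not validate(f):
            categories[f.source].append(f.category)
    result = {}
    for source, cats in categories.items():
        escalated = cats.count("minor") >= MINORS_PER_SOURCE_FOR_MAJOR
        result[source] = "major" if "major" in cats or escalated else "minor"
    return result


# Constructed sample findings: report 1 reproduces the course's good example,
# report 2 its poor example; reports 3-5 are invented for this demo and the
# customer contract reference is hypothetical.
SAMPLE_FINDINGS = [
    Finding(1, "BCP", "BS 25999-2:2007 4.3.3.3",
            "the business continuity plan shall identify lines of communication",
            "BCP Issue 2 contact list names employees who have left XYZ, Inc.", "minor"),
    Finding(2, "Steering Group", "", "",
            "Steering Group meeting minutes are not adequate", "minor"),
    Finding(3, "BCP", "BS 25999-2:2007 4.3.3.3",
            "the business continuity plan shall identify lines of communication",
            "BCP Issue 2 lists no alternate contact for the IT manager", "minor"),
    Finding(4, "BCP", "BS 25999-2:2007 4.3.3.3",
            "the business continuity plan shall identify lines of communication",
            "BCP Issue 2 call tree gives a disconnected number for the Emergency Controller", "minor"),
    Finding(5, "Exercising", "Customer contract C-123 clause 7 (hypothetical)",
            "a desk-check of the IT recovery plan shall be performed annually",
            "no desk-check record exists for the preceding 14 months", "minor"),
]


def audit_summary(findings: list[Finding]) -> dict:
    """Rejected report ids with their reasons, plus the per-source classification."""
    rejected = {f.report_id: validate(f) for f in findings if validate(f)}
    return {"rejected": rejected, "classification": classify(findings)}


if __name__ == "__main__":
    summary = audit_summary(SAMPLE_FINDINGS)
    for report_id, reasons in summary["rejected"].items():
        print(f"report {report_id} rejected: {'; '.join(reasons)}")
    for source, cat in summary["classification"].items():
        print(f"{cat.upper():5} {source}")
```

Run as a script it lists the rejected report and then one line per requirement source; the three minors against 4.3.3.3 come out as a major, while the single contract finding stays minor.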
Exercise 11 Writing Nonconformities
100
Review Meeting with Auditee (6.5.2)
The review meeting, normally 15 to 20 minutes in duration, is carried out at the end of each auditing day with the management representative and guides to:
• Review any nonconformities
• Resolve any problems
• Report audit progress
• Clarify any misunderstandings
• Obtain signatures to any nonconformities
101
Preparing Audit Conclusions (6.5.6)
Audit team should confer prior to the closing meeting:
• Scheduling of the audit plan
• To plan for closing meeting
• Purpose is to:
  Review audit findings and other information
  Agree on audit conclusions
• To prepare the audit report and recommendations
• If included in audit plan, to discuss audit follow-up
102
Audit Report
Prepare, Approve and Distribute (6.6.1, 6.6.2)
1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan – dates, places, areas audited and timing
7. Summary of audit process
8. Audit summary
9. Uncertainty due to sampling
103
Audit Report
Prepare, Approve and Distribute (6.6.1, 6.6.2)
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives accomplished
16. Confidentiality statement
17. Distribution list
104
Audit Report
Distribution (6.6.1)
• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved as per procedures
• Distribute to recipients designated by audit client
• Report is property of audit client
• Recipients and audit team must respect the confidentiality of the report
105
Completing the Audit (6.7)
• Audit is complete when all activities in audit plan have been carried out and audit report is distributed
• Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
• Maintain confidentiality of audit documents, information, and report
• Notify audit client and auditee ASAP if disclosure of audit information is required
106
3rd Party Audit
Recommendation Options
• Recommend registration without conditions
• Recommend conditional registration based on submission of acceptable plan and follow-up:
  Verification at next surveillance visit
  Evaluation of the mailed evidence
  Special visit to verify corrective action
• Unable to recommend registration at this time:
  Partial re-audit
  Full re-audit
Exercise 12 Creating the Audit Report
108
Closing Meeting (6.5.7)
• Hold closing meeting (with auditee, audit client, and other parties) to present audit findings and conclusions
• Cover situations encountered during audit that may decrease reliance on audit conclusions
• Discuss and resolve diverging audit findings and conclusions
• Keep a record if not resolved
• Provide recommendations for improvement where specified by audit objectives
• Keep minutes and attendance records
109
Closing Meeting (6.5.7)
Team Leader prepares and works to an agenda and controls the meeting:
• Attendees
• Thanks
• Objective / Scope
• Reporting system
• Limitations
• Confidentiality
• Audit summary
• Nonconformities
• Agreement (sign)
• Recommendation
• Clarification
• Depart
Exercise 13 Conducting the Closing Meeting
111
Completing the Audit
Conducting the Follow-up (6.8)
• Audit conclusions may require corrective, preventive, or improvement actions
• Auditee decides and carries out these actions within agreed timeframe
• These actions are not part of the audit
• Auditee should keep client informed of status of these actions
112
Completing the Audit
Conducting the Follow-up (6.8)
• Audit team member should verify completion and effectiveness of actions taken
• This verification may be part of a subsequent audit
• Maintain independence in subsequent audit activities
113
Completing the Audit
Corrective Action Follow-Up (6.8)
• Auditee receives the nonconformity report
• Auditee prepares and approves a corrective action plan
• Auditee submits the plan to audit organization
• Audit organization evaluates and approves the plan
• Auditee implements the approved corrective action plan
114
Completing the Audit
Corrective Action Follow-Up (6.8)
• Auditee collects and evaluates evidence of effectiveness
• Auditee revises the plan, if necessary
• Auditee documents the changes in the BCM system
• Auditor verifies the implementation and effectiveness
• Records of all actions taken by auditor and auditee
Exercise 14 Conducting Audit Follow-up
Exercise 15 Sample Exam
Conclusion
118
Business Continuity Lifecycle (diagram)
BCM Program Management at the centre, surrounded by the four lifecycle stages:
• Understanding the Organization
• Determining BCM strategy
• Developing and implementing BCM response
• Exercising, maintaining and reviewing
119
Typical Audit Activities (flow)
1. Initiating the Audit
2. Conducting Document Review
3. Preparing for On-site Activities
4. Conducting On-site Activities
5. Preparing, Approving, Distributing Audit Report
6. Completing the Audit
7. Conducting Audit Follow-up
120
Questions?
Thank you for your attendance and participation!
BS 25999 Lead Auditor Course