
BS 25999 Lead Auditor Course

Presentation Slides

BS 25999 Lead Auditor Course

Issue 1.1: August 2008 BCM-040-01-EN-US

Welcome!
Safety - be aware of emergency exits
Restroom and Telephones - nearest locations
Contact Number - for urgent messages
Personal Property - keep possessions secure
Phones and Pagers - please avoid interruptions
Recording Devices - not allowed in class
Lunch and Breaks - please return on time
Smoking - not permitted in the classroom
Special Needs - please inform the instructor

Issue 1.1 August 2008

BCM-040-01-EN-US

The British Standards Institution 2008


Introductions
Name
Organization and business sector
Job role
Knowledge of BS 25999 (1-10 scale)
Knowledge of auditing (1-10 scale)
Your aim for attending this course
Something interesting about yourself

Learning Objectives
Upon completion of the course, students should be able to:
Lead and carry out an audit of a business continuity management system
Explain the requirements of BS 25999-2:2007
Understand the Business Continuity Management Code of Practice (BS 25999-1)
Clarify the different purposes of BS 25999 Part 1 and Part 2
Articulate and present audit findings
Manage successful audit communication and interviews
Write a succinct audit report
Conduct opening, closing, and follow-up audit meetings


Business Continuity


Defining Business Continuity


"Strategic and tactical capability of the organization to plan for and respond to incidents and business disruption in order to continue business operations at an acceptable pre-defined level"
(BS 25999-2:2007, clause 2.3)


Defining Business Continuity Management


"Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities"
(BS 25999-2:2007, clause 2.4)

Business Continuity Terms


Business continuity management system (BCMS)
BCM program
BCM response
Activity
Critical activities
BCM strategy
BCM exercise
Incident management plan
Business continuity plan
Invocation
Business impact analysis (BIA)


BCM Standards

Code of Practice (BS 25999-1): best practice guidance, not auditable
Requirements (BS 25999-2): "shall" statements, auditable


Relationship with other Standards


BS 25999 is modeled after the PDCA cycle
Consistent with other management system standards:
  BS ISO 9001
  BS ISO 14001
  ISO/IEC 27001
  ISO/IEC 20000-2

Continuity is mentioned in the following standards:
  ISO/IEC 27001 and ISO/IEC 27002
  ISO/IEC 20000


Introduction to Auditing


Auditing
What is an audit?
"Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled"
(ISO 19011:2002, clause 3.1)

Why audit?
Requirement of BS 25999-2
Monitor and measure the management system
Promote continual improvement of the management system


Benefits of Auditing
Verifies conformity to requirements
Increases awareness and understanding
Provides top management with a measurement of the effectiveness of the management system
Reduces the risk of management system failure
Identifies improvement opportunities
Supports continual improvement if performed regularly


Typical Audit Activities


Initiating the audit
Conducting document review
Preparing for on-site activities
Conducting on-site activities
Preparing, approving and distributing the audit report
Completing the audit
Conducting audit follow-up


Overview of Process-based Management Systems


Management Systems
Common components of management systems:
Policy
Planning
Implementation and operation
Performance assessment
Improvement
Management review


Plan Do Check Act (PDCA) Cycle


Figure: continual improvement of the Business Continuity Management System
Input from interested parties: business continuity requirements and expectations
Plan - Establish
Do - Implement and operate
Check - Monitor and review
Act - Maintain and improve
Output to interested parties: managed business continuity

Exercise 1
Business Continuity Management Lifecycle



Business Continuity Lifecycle


Figure: the BCM lifecycle
BCM program management (at the centre of the lifecycle)
Understanding the organization
Determining BCM strategy
Developing and implementing BCM response
Exercising, maintaining and reviewing


Business Continuity Lifecycle and the Plan-Do-Check-Act Cycle


Figure: continual improvement of the Business Continuity Management System, with the BCM lifecycle elements overlaid on the PDCA cycle
Input from interested parties: business continuity requirements and expectations
PDCA: Plan - Establish; Do - Implement and operate; Check - Monitor and review; Act - Maintain and improve
BCM lifecycle: BCM program management; Understanding the organization; Determining BCM strategy; Developing and implementing BCM response; Exercising, maintaining and reviewing
Output to interested parties: managed business continuity


Requirements of BS 25999-2 and the PDCA Cycle


"The organization shall develop, implement, maintain and continually improve a documented BCMS in accordance with 3.2 - 3.4"
(BS 25999-2:2007, clause 3.1)

Figure: the cycle Develop -> Implement -> Maintain -> Continually improve


Exercise 2
Requirements of BS 25999-2:2007


Auditing BS 25999-2:2007


Value of Management System Audits


Management system audits enable management to:
Make an informed judgment on:
  Conformity
  Effectiveness of the system
Make effective business decisions
Allocate necessary resources
Improve business processes


ISO 19011:2002
ISO 19011:2002 provides guidance on:
Auditing principles
Managing audit programs
Conducting internal and external audits
Competence of auditors

ISO 19011:2002 can also be applied to BS 25999-2


Typical Audit Activities


Initiating the audit
Conducting document review
Preparing for on-site activities
Conducting on-site activities
Preparing, approving and distributing the audit report
Completing the audit
Conducting audit follow-up
(ISO 19011:2002, clause 6.1)


BS EN ISO/IEC 17021:2006
The initial certification audit shall be conducted in two stages:
Stage 1:
  Audit the client's management system documentation
  Review the client's status and evaluate whether the client is ready for the stage 2 audit
Stage 2:
  Evaluate the implementation of the client's management system
  Shall take place at the site(s) of the client


Exercise 3
Audit Definitions


Types of Audits
Registration/certification
Product
Customer contract
Gap assessment/pre-assessment
Surveillance
Combined audit/joint audit


Dimensions of Auditing
Intent: Does top management intend to implement a BCMS, and how is this intent communicated?
Implementation: Does the implementation of the BCMS reflect the intent of top management?
Effectiveness: Is the implementation effective (i.e., does it meet the parameters established by the intent)?


Management System Standards and the Process Approach


BS 25999-2:
  Is based upon the PDCA cycle, which can be applied to processes
  Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a BCMS

ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits


Applying the Process Approach to Auditing


Auditors can apply the process approach to auditing by ensuring the auditee:
Can define the objectives, inputs, outputs, activities, and resources for its processes
Analyzes, monitors, measures, and improves its processes
Understands the sequence and interaction of its processes


Process Auditing Approaches


Individual process:
  Input / output / value-added activity
  Plan-Do-Check-Act
  Resources

Relationship with other processes:
  Flow / sequence / linkage / combination
  Interaction / communication
  Evidence
  Customer and supplier contract(s)


Process Auditing Turtle Diagram


Figure: turtle diagram, with the process (specific value-added activities) at the centre and six questions around it:
Inputs - from whom / where?
Outputs - to whom / where?
With what? - resources
With whom? - personnel
How done? - methods / documentation
What results? - performance indicators


Process Auditing Example


Process: exercising IT support processes
Inputs: BCP, IMP, scope, risks, critical activity
Outputs: written report, feedback for improvement, actions
With what? Systems, applications
With whom? BC manager, IT manager
How done? Desk check, simulation, walk-through
What results? Reduction in recovery times, successful recovery


Exercise 4
Process Auditing and the Turtle Diagram


Managing an Audit Program


Process flow (ISO 19011:2002, clause 5.1):
Plan - Authorize the audit program; Establish: objectives, extent, roles, resources, procedures
Do - Implement: schedule audits, evaluate auditors, select teams, direct activities, maintain records
Check - Monitor and review: monitor, review, identify need for corrective/preventive action (CA/PA), identify opportunities to improve
Act - Improve
Supporting elements: auditor competence and evaluation; specific audit activities


Audit Program
The audit program includes:
One or more audits, depending on the size, nature and complexity of the auditee
All activities necessary for planning, organizing, and providing resources to conduct audits


Audit Program
Top management should authorize responsibility for program management
Those assigned responsibility should:
  Establish, implement, monitor, review, and improve the audit program
  Identify the necessary resources and ensure they are provided


Audit Program
Audit program processes should include:
  Planning and scheduling audits
  Assuring the competence of auditors and audit teams
  Conducting audits and audit follow-up
  Monitoring the performance of the audit program

The program should be managed by a member of the organization
Keep appropriate audit records to monitor and review the audit program


Audit Program and Plan


An audit plan is an output from the audit program
Audit plans give details about the audit, including:
  Which processes
  Which areas
  Which clauses


Exercise 5
Considerations of the Audit Program


Audit Activities
Initiating the audit
Conducting document review
Preparing for on-site activities
Conducting on-site activities
Preparing, approving and distributing the audit report
Completing the audit
Conducting audit follow-up
(ISO 19011:2002, clause 6.1)


Initiating the Audit


Initiating the audit includes:
Appointing the audit team leader
Defining audit objectives, scope and criteria
Determining the feasibility of the audit
Selecting the audit team
Establishing initial contact with the auditee
(ISO 19011:2002, clause 6.2)


Defining Audit Objectives, Scope, Criteria


Audit objectives may include:
Determination of the extent of conformity of the auditee's BCMS with the audit criteria
Evaluation of the capability of the BCMS to ensure compliance with statutory, regulatory, and contractual requirements
Evaluation of the effectiveness of the BCMS in meeting its objectives
Identification of areas for improvement
(ISO 19011:2002, clause 6.2.2)


Defining Audit Objectives, Scope, Criteria


The audit scope describes the extent and boundaries of the audit, including:
Physical locations
Organizational units
Activities and processes
Time period covered by the audit


Selecting the Audit Team


For team size and competence, consider:
Audit objectives, scope, criteria, and duration
Whether the audit is combined or joint
Competence of the team to meet the objectives
Statutory, regulatory, contractual and accreditation/certification requirements
(ISO 19011:2002, clause 6.2.4)


Selecting the Audit Team


For team size and competence, consider:
Independence of the team
Ability of team members to interact with the auditee and each other
Language of the audit
The auditee's social and cultural characteristics
(ISO 19011:2002, clause 6.2.4)


Auditor Responsibilities
Document and support all findings
Keep the auditee informed
Safeguard all documents
Maintain confidentiality
Be objective and ethical
Verify corrective actions, if required


Auditor Competence
Auditor competence is based on:
Personal attributes
Application of knowledge and skills
(ISO 19011:2002, clause 7.1)

Competence is to be developed, maintained, and improved


Auditor Competence
Personal Attributes
Ethical
Open-minded
Diplomatic
Observant
Perceptive
Versatile
Tenacious
Decisive
Self-reliant
(ISO 19011:2002, clause 7.2)


Auditor Competence
Generic Knowledge and Skills
Audit principles, procedures, and techniques:
Apply principles, procedures, and techniques
Plan and organize work
Conduct the audit within the time schedule
Collect information through interviewing, listening, observing, and reviewing documents
Understand sampling techniques
Confirm evidence to support findings
Prepare audit reports
Maintain confidentiality and security
(ISO 19011:2002, clause 7.3.1)


Auditor Competence
Generic Knowledge and Skills
Organizational situations:
  Size, structure, functions, and relationships
  Business processes and terminology
  Cultural and social customs

Laws, regulations, and other requirements:
  Local, regional, and national
  Contracts and agreements
  International treaties and conventions

Management system and reference documents:
  Interaction between the components of the system
  Applicable standards, procedures, and reference documents
(ISO 19011:2002, clause 7.3.1)


Auditor Competence
BCM Knowledge and Skills
BCM knowledge and skills should cover:
Techniques used to develop and implement the BCM process
Analysis methods and techniques to examine business impact analysis and risk assessment
Understanding of strategy development
Understanding of planning techniques to examine the development and implementation of BCM responses and exercises
Understanding of training and awareness programs for BCM


BS EN ISO/IEC 17021:2006
The initial certification audit shall be conducted in two stages:
Stage 1:
  Audit the client's management system documentation
  Review the client's status and evaluate whether the client is ready for the stage 2 audit
Stage 2:
  Evaluate the implementation of the client's management system
  Shall take place at the site(s) of the client


Conducting Document Review


A review of the auditee's documentation:
Should be conducted prior to on-site audit activities, unless deferring the review is not detrimental to the effectiveness of the audit
May include relevant BCMS documents, records, and previous audit reports
May include a preliminary site visit
(ISO 19011:2002, clause 6.3)


Conducting Document Review


When conducting a document review, ask:
Are all requirements of BS 25999 addressed?
Does the documentation match the audit scope?
Is management commitment clearly defined?
Have responsibilities been adequately defined?
Is the lower-level documentation referenced?
Are you familiar with the area to be audited?


Exercise 6
Document Review (Stage 1 Audit)


Audit Plan Preparation


The audit plan should identify or include:
Objectives, scope and criteria
Personnel responsible for the objectives and scope
Reference documents
Audit team members
Language of the audit
Areas to be audited
Schedule of meetings
Allocation of appropriate resources
Expected time and duration of each major audit activity
Confidentiality requirements
Audit reporting details
Logistics
Resolution of any objections to the plan
Audit follow-up actions
(ISO 19011:2002, clause 6.4.1)


Audit Planning
Determine the objective of the audit
Identify the specified requirements
Determine the audit duration and resources needed
Select the team
Contact the auditee and agree the date(s)
Draw up the audit plan
Brief the team
Prepare work documents

Exercise 7
Creating an Audit Plan


Prepare Work Documents


Prepare work documents
Use them as a reference and for recording audit proceedings
Include checklists, sampling plans and forms, the BS 25999-1:2006 and BS 25999-2:2007 standards, etc.
Keep checklists flexible to allow changes resulting from information collected during the audit
Safeguard any confidential and proprietary information
Retain work documents and records


Checklists Benefits
Keeps the audit scope and objectives clear
Provides evidence of audit planning
Maintains audit pace and continuity
Reduces auditor bias
Reduces workload during the audit
Provides space for auditor notes
Identifies expected evidence


Checklists Potential Drawbacks


Checklists tend to lose value if they are:
  Tick lists
  Questionnaires

Checklists may lead to rigid adherence to pre-planned questions

Prepare them as memory aids


Checklists Preparation
One approach is to:
Identify the audit scope and the process(es) within scope
Identify applicable factors (inputs, outputs, measures, resources, etc.)
Use these points and other requirements (BS 25999-2, system documentation, etc.) to:
  Plan what to look at
  Plan what to look for (audit evidence)
Prepare the checklist


Checklist Structure
Audit checklist structure:
Process/Activity Audited: ______
Column 1 - Requirement: BS 25999-2 clause # or other requirement
Column 2 - Source: what to look at
Column 3 - Evidence: what to look for
Column 4 - Notes

Exercise 8
Creating Audit Work Documents


Conduct On-site Audit Activities


Conduct the opening meeting
Communicate during the audit
Explain the roles and responsibilities of participants
Collect and verify information
Generate audit findings
Prepare audit conclusions
Conduct the closing meeting
(ISO 19011:2002, clause 6.5)


Opening Meeting
Hold the opening meeting with the auditee's top management and those responsible for the processes audited
The meeting may range from informal (1st party) to formal (3rd party)
Chaired by the team leader
Audit team present
Purpose is to confirm all prior arrangements
(ISO 19011:2002, clause 6.5.1)


Opening Meeting
1. Introduction / roles / attendance
2. Objective / scope / criteria
3. Documentation status
4. Audit plan confirmation
5. Audit methods
6. Sampling
7. Communication channels
8. Language of the audit
9. Audit progress
10. Closing / interim meetings
(ISO 19011:2002, clause 6.5.1)


Opening Meeting
11. Logistics: resources, safety, security, etc.
12. Confidentiality
13. Availability of guides
14. Reporting methods, including nonconformities
15. Conditions for audit termination
16. Appeal system: audit conduct / conclusions
17. Restrictions / questions
(ISO 19011:2002, clause 6.5.1)


Exercise 9
Conducting an Opening Meeting


Collecting and Verifying Information


Figure: from sources of information to audit conclusions
Sources of information
  -> collect by appropriate sampling and verification ->
Audit evidence
  -> evaluate against audit criteria ->
Audit findings
  -> review ->
Audit conclusions


Auditing Process
Collect and Verify Information
Collect information relevant to:
  Audit objectives, scope, and criteria
  Interfaces between functions, activities and processes
(ISO 19011:2002, clause 6.5.4)

Collect audit evidence by appropriate sampling, then verify and record it
Be aware of sampling limitations when acting on the audit conclusion
Use only information that is verifiable as audit evidence


Auditing Process
Techniques to Obtain Audit Evidence
Interview:
  Personnel that manage, perform, and verify activities
  Also ensure they are responsible for the activity being audited
  Listen carefully to responses

Observe:
  Identity, status, condition, processes, equipment, activities, environment, and people


Auditing Process Audit Evidence


Review documents that describe:
  Activities
  Plans
  Controls
  Strategies
  Exercises
  Tests

Review business continuity records for evidence of conformity to documents
Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
Audit evidence may be qualitative or quantitative


Communication and Interpersonal Skills


Put the auditee at ease
Ask short questions and listen
Reflect the right attitude, tone of voice, body language, and facial expressions
Smile and maintain eye contact
Avoid interruptions
Avoid off-the-cuff and condescending remarks
Give praise when appropriate


Communication and Interpersonal Skills


Show interest
Be tactful and polite
Show patience and understanding
Remember to say please and thank you
Ask the right person
Don't say you understand when you don't


Questioning Techniques
Open question:
  Using why, who, what, where, when or how gets more than a yes or no answer

Expansive question:
  Further elaborates the current point

Opinion question:
  Asks for an opinion about the current point

Non-verbal:
  Uses body language, for example raising an eyebrow to elicit further information


Questioning Techniques
Repetitive question:
  Repeats the response back in the form of a question

Hypothetical question:
  Uses "what if", "suppose that", etc.

Closed question:
  Gets a yes or no answer
  Used for confirmation
  Avoid using too often

Silence:
  Draws out more information


Note Taking
Notes could be used as a reference for:
  Immediate investigation
  Investigation later
  Use by a colleague
  Subsequent audits

Notes must therefore be:
  Legible
  Retrievable


Note Taking
Notes taken during an audit are a record of:
  The audit sample taken
  What was reported
  What was observed

Notes may be referenced by subsequent auditors


Control of the Audit


The checklist is an aid, not a requirement
If potential audit trails appear, decide whether to:
  Disregard
  Note for later
  Follow up immediately

Following audit trails may affect:
  Sample size
  Audit plan


Handling Difficult Situations


Cannot find document
Uncooperative
Unprepared
Long telephone calls
Constant interruptions
Provocation
Long-winded auditees
Diversionary tactics
Called away
Language
Noisy environment
Interdepartmental or personality conflicts
Dog-and-pony show
Volunteered information


Establish the Facts


Keep the Auditee Informed
For constructive, professional, and helpful audits:
  Review audit progress and findings regularly
  Beat the grapevine or rumor mill
  Generate rapport
  Use the auditee's terminology
  Make audit documentation complete, helpful and concise


Establish the Facts


Judgment in the Audit Process
The audit focus must be on conformity and effectiveness, NOT on finding nonconformities
The auditee must be given the benefit of any doubt where there is insufficient audit evidence


Establish the Facts


Get help from the auditee
Discuss concerns
Verify the findings
Record all the evidence: the exact observation (where, what, etc.)
Establish why it is a nonconformity, or otherwise
State who (if relevant), preferably by job title
Obtain agreement on the facts


Generate Audit Findings


Evaluate the audit evidence against the audit criteria to generate audit findings
Indicate whether findings are conformities, nonconformities or opportunities for improvement
Meet (as an audit team) to review the findings
Specify (with supporting evidence) or summarize conformity by location, function, or process, as required by the audit plan
(ISO 19011:2002, clause 6.5.5)


Nonconformity
Non-fulfillment of a specified requirement:
  Not doing it
  Partially doing it
  Doing it the wrong way
(ISO 19011:2002, clause 6.5.5)

Specified requirements:
  Conditions of a customer contract
  BC standard (BS 25999-2)
  Business continuity management system
  Statutory or regulatory requirements


Exercise 10
Auditing Live Wild Logistics


Generate Audit Findings


Record nonconformity findings and supporting evidence
Obtain the auditee's acknowledgement of nonconformities, for accuracy and understandability
Try to resolve differences of opinion
Keep a record of unresolved issues
(ISO 19011:2002, clause 6.5.5)


Nonconformity Minor
Failure to comply with a requirement which (based on judgement and experience) is not likely to result in BCMS failure
A single observed lapse or isolated incident
Minimal risk of a nonconforming product or service
Examples:
  A two-month lapse in the exercise program
  A training record not available
  No actions taken to improve or review BCM arrangements after exercises


Nonconformity Major
Absence or total breakdown of a system to meet a requirement
A number of minors related to the same clause or requirement
A nonconformity that experience and judgement indicate will likely result in BCMS failure or significantly reduce its ability to assure controlled processes and products


Nonconformity Major
Examples:
No documented procedure for a required BS 25999-2:2007 process/activity
Document changes routinely made without authorization
No awareness program for the business continuity management system
No future internal audits planned
Insufficient scope
Numerous minor nonconformities found in the business continuity plan


Nonconformity
Classifying the Nonconformity
Consider the seriousness:
  What could go wrong if the nonconformity remains uncorrected?
  Is it likely the system would detect it before the customer is affected?
If you are not certain it is a nonconformity, it is not. You must have:
  A requirement that has been broken
  Proof that it has been broken


Nonconformity Poor Report Examples


The nonconformity statements below are inadequate because they lack a specified requirement and detailed evidence:
  "Steering Group meeting minutes are not adequate"
  "The authority level for the Emergency Controller must be documented for clarity purposes"


Nonconformity Good Report Examples


Nonconformity Report (example)
Audit: ABC BCMS Audit
Incident Number: 1
Company under Audit: XYZ, Inc.
Area under Review: BCP
Category: Major / Minor
BS 25999-2 Clause Number: 4.3.3.3
Requirement: Clause 4.3.3.3 of BS 25999-2:2007 states that the business continuity plan must identify lines of communication.
Nonconformity Finding: Upon review of the business continuity plan for XYZ, Inc., Issue 2, it was found that the contact information for the BCP still names employees who have left XYZ, Inc.


Exercise 11
Writing Nonconformities


Review Meeting with Auditee

The review meeting, normally 15 to 20 minutes in duration, is carried out at the end of each auditing day with the management representative and guides to:
Review any nonconformities
Resolve any problems
Report audit progress
Clarify any misunderstandings
Obtain signatures to any nonconformities
6.5.2


Preparing Audit Conclusions

Audit team should confer prior to the closing meeting:
Scheduling of the audit plan
To plan for closing meeting
Purpose is to:
Review audit findings and other information
Agree on audit conclusions
To prepare the audit report and recommendations
If included in audit plan, to discuss audit follow-up
6.5.6


Audit Report
Prepare, Approve and Distribute
1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan dates, places, areas audited and timing
7. Summary of audit process
8. Audit Summary
9. Uncertainty due to sampling
6.6.1, 6.6.2


Audit Report
Prepare, Approve and Distribute
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives accomplished
16. Confidentiality statement
17. Distribution list
6.6.1, 6.6.2


Audit Report Distribution

Issue within agreed time period
If delayed, provide reasons and agree on new issue date
Report must be dated, reviewed, and approved as per procedures
Distribute to recipients designated by audit client
Report is property of audit client
Recipients and audit team must respect the confidentiality of the report
6.6.1


Completing the Audit

Audit is complete when all activities in audit plan have been carried out and audit report is distributed
Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
Maintain confidentiality of audit documents, information, and report
Notify audit client and auditee ASAP if disclosure of audit information is required
6.7


3rd Party Audit Recommendation Options

Recommend registration without conditions
Recommend conditional registration based on submission of acceptable plan and follow-up:
Verification at next surveillance visit
Evaluation of the mailed evidence
Special visit to verify corrective action
Unable to recommend registration at this time:
Partial re-audit
Full re-audit


Exercise 12
Creating the Audit Report


Closing Meeting
Hold closing meeting (with auditee, audit client, and other parties) to present audit findings and conclusions
Cover situations encountered during audit that may decrease reliance on audit conclusions
Discuss and resolve diverging audit findings and conclusions
Keep a record if not resolved
Provide recommendations for improvement where specified by audit objectives
Keep minutes and attendance records
6.5.7


Closing Meeting
Team Leader prepares and works to an agenda and controls the meeting:
Attendees
Thanks
Objective / Scope
Reporting system
Limitations
Confidentiality
Audit Summary
Nonconformities
Agreement (sign)
Recommendation
Clarification
Depart
6.5.7

Exercise 13
Conducting the Closing Meeting


Completing the Audit

Conducting the Follow-up
Audit conclusions may require corrective, preventive, or improvement actions
Auditee decides and carries out these actions within agreed timeframe
These actions are not part of the audit
Auditee should keep client informed of status of these actions
6.8


Completing the Audit

Conducting the Follow-up
Audit team member should verify completion and effectiveness of actions taken
This verification may be part of a subsequent audit
Maintain independence in subsequent audit activities
6.8


Completing the Audit

Corrective Action Follow-Up
Auditee receives the nonconformity report
Auditee prepares and approves a corrective action plan
Auditee submits the plan to audit organization
Audit organization evaluates and approves the plan
Auditee implements the approved corrective action plan
6.8


Completing the Audit

Corrective Action Follow-Up
Auditee collects and evaluates evidence of effectiveness
Auditee revises the plan, if necessary
Auditee documents the changes in the BCM system
Auditor verifies the implementation and effectiveness
Records of all actions taken by auditor and auditee
6.8


Exercise 14
Conducting Audit Follow-up


Exercise 15
Sample Exam


Conclusion


Business Continuity Lifecycle (figure)

Understanding the Organization
Exercising, maintaining and reviewing
BCM Program Management
Determining BCM strategy
Developing and implementing BCM response


Typical Audit Activities

Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
Conducting On-site Activities
Preparing, Approving, Distributing Audit Report
Completing the Audit
Conducting Audit Follow-up


Questions?


Thank you for your attendance and participation!

