How do you feel when you know your Business Continuity work is about to be audited? Pleased? Excited? Defensive? Curious? Your reaction or emotion may depend on what you know the audit is going to find.

But what is the role of an auditor? Is it to catch us out, to shame us, to embarrass us? Personally I believe it is to be more constructive than any of these. Certainly when I have audited Business Continuity programmes I have always approached the task with a view to identifying areas for improvement whilst recognising where agreed policies or standards have, or have not, been met.

Because Business Continuity is a niche topic, some auditors may not be totally familiar with the disciplines, terminology and practices in use. Sure, they may do some research in the form of a crash course via Google and perhaps look through some industry standards if they decide to delve a bit deeper. Better that you have a conversation with them at the outset or perhaps suggest engaging a subject matter expert to actually undertake the audit.

So what are they going to audit your work against? Obviously if you have an internal Policy this will be a logical starting point. The internal Policy is of course a starting point for your role anyway, so even before the idea of an audit is raised you should be working towards meeting the requirements. Don’t give the auditors a cheap shot by not satisfying your own policy! If you are in a Regulated Industry, there will be directives and rules stipulated, so once again there is something tangible in the form of a reference point against which the auditor can assess the effectiveness of the programme. Auditors love having something to benchmark or check against.

On the flipside, what do you want from the audit? Are there issues you need help with? Issues you would appreciate some visibility and support on? Have you been banging your head against a wall to get stuff done? Maybe the audit will provide an opportunity to overcome some blockages by giving you another channel through which to raise the issues?

Another consideration, and definitely something I recommend you do, is check the findings from any previous audits. It’s another easy shot for the auditors if they find their previous recommendations have not been addressed. The auditors are only doing their job and if previously documented actions remain incomplete it won’t be them that gets called to account.

Another key point to bear in mind is the need for evidence. ‘If there’s no evidence, it doesn’t exist’. Therefore, if you’ve run exercises, or undertaken tests, keep records. If you’ve chaired meetings, where are the action logs? If you have to comply with a set of standards, how are you measuring and reporting?

Make sure you get to see a draft of the audit report before it is published. Not to change the findings but sometimes a subtle change of terminology can be helpful to ensure clarity. A simple example I saw in one audit report was a reference to business systems when actually the topic was business processes. To Business Continuity practitioners these are different entities.

Good auditors and good managers should not suffer any trepidation around this work. If managers are honest with themselves there shouldn’t be any surprises and if the auditors do their job well, all sides benefit from identifying where improvements need to be made.

So in conclusion, a well thought through and well conducted audit can be a real help to your Business Continuity work. If you need a subject matter expert to conduct your audits, give me a call.