1 PURPOSE

  1. To define a systematic way of conducting internal audits on the Business Continuity Management System (BCMS) to:
    • Determine whether the BCMS confirmed with the planned arrangement of the documented systems and the ISO22301:2012 specifications (whenever applicable) – at this moment refer to as the BCMS certification standards.
    • Has been effectively implemented and maintained.
  2. Provide information on the result of the audit to Executive Management.

2 SCOPE

  1. The procedure shall cover the internal audit activities relating to the requirement of the BCMS certification standard(s) and the documented BCM Manual and BC plans.

3 RESPONSIBILITY

  1. The Organization BCM Coordinator shall review and approve the yearly BCMS audit program.
  2. The Organization BCM Coordinator shall be responsible for the appointment of the internal auditors and ensure that timely corrective actions as a result of an audit are taken.
  3. The appointed Audit Team Leader shall be responsible for planning for the BCM audit program, execute and follow-up the entire auditing cycle.
  4. The appointed auditor shall be responsible for coordinating the audit with the operational staff and reporting the audit schedule to the audit team leader.
  5. The appointed auditors shall prepare the audit report which shall be consolidated by the Audit Team Leader for handing over to the Organization BCM Coordinator. The Organization BCM Coordinator will inform the Executive Management on the results if the internal audit.
  6. The auditee or the party responsible shall take timely correction and corrective action regarding discrepancies found during an audit.
  7. The auditee’s Executive Management shall be responsible for the review, agreement and corrective action arising from the non-conformities revealed in the audit report. He shall ensure the timeliness and effectiveness of the corrective action to eliminate detected nonconformities and timeliness and their causes.
  8. The Organization BCM Coordinator shall be responsible for ensuring that the BCMS is effectively implemented and maintained. He shall check the work of the Internal Audit team and guide improvement to the internal auditing function.

4 PROCEDURE DETAILS

4.1 Audit Frequency

  1. The BCMS shall be audited once a year.

4.2 Auditor’s Qualification and Competence

  1. The Organization BCM Coordinator is responsible for the selection of the BCMS auditors.
  2. The appointed BCMS Auditor must be trained, preferably with Business Continuity Certified Auditor (BCCA) or Business Continuity Certified Lead Auditor (BCCLA) or ISO22301 BCMS Lead Auditor. He or she must be independent in the areas to be audited.
  3. An untrained auditor can be an observer or on OJT but must be supervised by a trained auditor for at least two rounds of audits before he is allowed to perform internal audits.
  4. The appointed internal BCMS Auditor must be impartial and objective in conducting the audit.

4.3 Audit Plan

  1. The Audit Team Leader shall prepare the Internal Audit Plan and assign tasks to the BCMS internal auditors, taking into consideration the results of previous audits, changes in the BCMS, the importance of the processes and areas to be audited, and risk and impact assessments of the organisation’s activities, services and products.
  2. Additional audits may be carried out in the event of any special circumstances arising during an audit or the introduction of a new activity, service or product.
  3. The Internal Audit Plan shall be planned in such a way so as to avoid peak periods which would clash with other interests and the avoid peak periods which would clash with other interests and the Plan will be communicated to the auditees to eliminate the element of surprise.

4.4 Pre-audit Activities

  1. 4.4.1 The Audit Team leader shall brief the audit team before the commencement of the audit.
  2. 4.4.2 The auditor shall review previous Audit Reports relevant to the audit, review the requirements of the BCMS and plan for audit. The auditor may prepare his notes and checklist for the audit to be carried out by him.
  3. 4.4.3 The auditee at the area to be audited shall be notified, in advance, either through electronic means or hard copy memo of the scope of the audit will be conducted.

4.5 On-site Audit Activities

  1. 4.5.1 The auditor shall audit the system against the ISO22301:2012 standards, the BCMS manual and system procedures. Also, the evaluation of compliance to BCMS legal and other requirements shall be conducted during the audit. The auditor shall exercise objectivity and treat privileged information about the audit with discretion.
  2. 4.5.2 At the end of the audit, the audit team shall hold a meeting with the auditee’s management to present audit findings. At this meeting, the attendees shall agree and acknowledge on the course of findings and timescale for closing out.
  3. 4.5.3 Findings and observations from the audits shall be recorded on the Internal Audit Report by the auditors.
  4. 4.5.4 Auditor and Auditee shall agree on the audit findings.

4.6 Follow-up Actions

  1. 4.6.1 For the non-conformity raised, the auditees shall identify an immediate correction action to rectify the finding.
  2. 4.6.2 The auditees shall ensure cause analysis on the non-conformity should be conducted and corrective action(s)identified. A completion date for completing the corrective action should be stated.
  3. 4.6.3 The auditor shall follow up with findings and corrective actions to satisfy him of the action taken. When the verified corrective actions are satisfactory, the auditor shall close the IADR. The findings and corrective actions are to be recorded in Internal Audit Response form.
  4. 4.6.4 When the corrective action requires the long period for implementation, the auditee shall propose a plan for the corrective action. The auditor shall take note of the non-conformity and verify the effectiveness of corrective action in the next audit.
  5. 4.6.5 The completed IADR shall be handed to the Organization BCM Coordinator for filing.
  6. 4.6.6 The BCMS shall summarise the IADR which will be presented during the Management Review meeting.

5 DEFINITIONS

  1. 5.1 Business Continuity Management System (BCMS)
  2. 5.2 Non-conformity
  3. 5.3 Observation
  4. 5.4 Audit
  5. 5.5 Internal Audit

6 RELATED DOCUMENTS (Internal Audit)

6.1 Description of the record (Internal Audit)

  1. 6.1.1 2016
    • Internal Audit Report (21 Sept 2016)
    • Internal Audit Response (21 Sep 2016)
  2. 6.1.2 2015
    • Internal Audit Report (28 Aug 2015)
    • Internal Audit Response (2 Sep 2015)
  3. 6.1.3 2014
    Internal Audit Report (23 Sep 2014)
    Internal Audit Response (24 Sep 2014)
    Internal Audit Schedule
  4. 6.1.4 2013
    Internal Audit Report (26 Aug 2013)
    Internal Audit Response (2 Sep 2013)
  5. 6.1.5 2012
    Internal Audit Report (19 Sep 2012)
    Internal Audit Response (27 Sep 2012)
  6. 6.1.6 2011
    2011 Internal Audit Report (22 Sep 2011)
    2011 Internal Audit Response (28 Sep 2011)

6.1 Description of the record (External Audit)

  1. 6.2.1 2015 External Audit
    • TUV SUD External Audit Agenda (21 Sept 2015)
    • TUV SUD External Audit Report (PDF)
    • External Audit Response
  2. 6.2.1 2014 External Audit
    TUV SUD External Audit Agenda (01 Oct 2014)
    TUV SUD External Audit Report (PDF)
    External Audit Response
  3. 6.2.2 2013 External Audit
    DNV External Audit Agenda (24 Sep 2013)
    DNV External Audit Report (PDF)
    2013 External Audit Response
  4. 6.2.3 2012 External Audit
    DNV External Audit Agenda (8 Oct 2012)
    DNV External Audit Report (PDF)
    2012 External Audit Response
  5. 6.2.4 2011 External Audit
    DNV External Audit Agenda (10 Oct 2011)
    DNV External Audit Report (PDF)
    2011 External Audit Response
  6. 6.3 Nonconformity, Corrective and Preventive Action

7. RECORDS

  1. 7.1 Description of the record (Internal Audit)

8 APPENDICES

  1. 8.1 APPENDIX I Flowchart for Internal Audit
  2. 8.2 APPENDIX II Internal Audit Plan
  3. 8.3 APPENDIX III Internal Audit Checklist
  4. 8.4 APPENDIX IV Internal Audit Discrepancy Report (IADR)
  5. 8.5 APPENDIX V Internal Audit Summary Report