
BS 25999 Lead Auditor Course Presentation Slides

Issue 1.1 – August 2008 BCM-040-01-EN-US ©The British Standards Institution 2008

BS 25999 Lead Auditor Course

Welcome!

• Safety - be aware of emergency exits
• Restroom and Telephones - nearest locations
• Contact Number - for urgent messages
• Personal Property - keep possessions secure
• Phones and Pagers - please avoid interruptions
• Recording Devices - not allowed in class
• Lunch and Breaks - please return on time
• Smoking - not permitted in the classroom
• Special Needs - please inform the instructor


Introductions

• Name
• Organization and business sector
• Job role
• Knowledge of BS 25999 (1 – 10 scale)
• Knowledge of auditing (1 – 10 scale)
• Your aim for attending this course
• Something interesting about yourself

Learning Objectives

Upon completion of the course, students should be able to:

• Lead and carry out an audit of a business continuity management system
• Explain the requirements of BS 25999-2:2007
• Understand the Business Continuity Management Code of Practice
• Clarify the different purposes of BS 25999 Part 1 and Part 2
• Articulate and present audit findings
• Manage successful audit communication and interviews
• Write a succinct audit report
• Conduct opening, closing, and follow-up audit meetings


Business Continuity


Defining Business Continuity

Strategic and tactical capability of the organization to plan for and respond to incidents and business disruption in order to continue business operations at an acceptable pre-defined level

BS 25999-2:2007, 2.3


Defining Business Continuity Management

Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

BS 25999-2:2007, 2.4

Business Continuity Terms

• Business Continuity management system
• BCM program
• BCM strategy
• BCM response
• BCM exercise
• Activity
• Critical activities
• Incident Management Plan
• Business Continuity Plan
• Invocation
• Business Impact Analysis (BIA)


BCM Standards

Code of Practice – Best practice, not auditable

Requirements – Shall statements, auditable

Relationship with other Standards

• BS 25999 modeled after PDCA cycle
• Consistent with other management system standards:
  BS ISO 9001
  BS ISO 14001
  ISO/IEC 27001
  ISO/IEC 20000-2
• Continuity mentioned in the following standards:
  ISO/IEC 27001 and ISO/IEC 27002
  ISO/IEC 20000


Introduction to Auditing


Auditing

What is an audit?
• Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO 19011:2002 clause 3.1)

Why audit?
• Requirement of BS 25999-2
• Monitor and measure the management system
• Promote continual improvement of the management system


Benefits of Auditing

• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of effectiveness of the management system to top management
• Reduces risk of management system failure
• Identifies improvement opportunities
• Continual improvement if performed regularly

Typical Audit Activities

1. Initiating the Audit
2. Conducting Document Review
3. Preparing for On-site Activities
4. Conducting On-site Activities
5. Preparing, Approving, Distributing Audit Report
6. Completing the Audit
7. Conducting Audit Follow-up


Overview of Process-based Management Systems


Management Systems

Common components of management systems:

• Policy
• Planning
• Implementation and operation
• Performance assessment
• Improvement
• Management review


Plan – Do – Check – Act (PDCA) Cycle

[Figure: the PDCA cycle applied to the Business Continuity Management System. Interested parties' business continuity requirements and expectations enter the cycle; managed business continuity is delivered back to interested parties. Plan: Establish. Do: Implement and operate. Check: Monitor and review. Act: Maintain and improve. The loop represents continual improvement of the Business Continuity Management System.]

Exercise 1

Business Continuity Management Lifecycle



Business Continuity Lifecycle

[Figure: lifecycle diagram with its elements left blank (shown as question marks).]

Business Continuity Lifecycle

[Figure: the BCM lifecycle. BCM Program Management sits at the centre; around it: Understanding the Organization; Determining BCM strategy; Developing and implementing BCM response; Exercising, maintaining and reviewing.]


Business Continuity Lifecycle and the Plan-Do-Check-Act Cycle

[Figure: the BCM lifecycle (BCM Program Management; Understanding the Organization; Determining BCM strategy; Developing and implementing BCM response; Exercising, maintaining and reviewing) overlaid on the PDCA cycle. Interested parties' business continuity requirements and expectations enter at Plan (Establish); Do (Implement and operate); Check (Monitor and review); Act (Maintain and improve); managed business continuity is delivered to interested parties. The loop represents continual improvement of the Business Continuity Management System.]

Requirements of BS 25999-2 and the PDCA Cycle

The organization shall develop, implement, maintain and continually improve a documented BCMS in accordance with 3.2 - 3.4

BS 25999-2:2007, 3.1

[Figure: cycle of Develop, Implement, Maintain, Continually Improve.]


Exercise 2

Requirements of BS 25999-2:2007


Auditing BS 25999-2:2007



Value of Management System Audits

Management system audits enable management to:

• Make informed judgment on:
  Conformity
  Effectiveness of the system
• Make effective business decisions
• Allocate necessary resources
• Improve business processes

ISO 19011:2002

ISO 19011:2002 provides guidance on:

• Auditing principles
• Managing audit programs
• Conducting internal and external audits
• Competence of auditors

ISO 19011:2002 can also be applied to BS 25999-2


Typical Audit Activities (ISO 19011 clause 6.1)

1. Initiating the Audit
2. Conducting Document Review
3. Preparing for On-site Activities
4. Conducting On-site Activities
5. Preparing, Approving, Distributing Audit Report
6. Completing the Audit
7. Conducting Audit Follow-up

Note: the clause number shown with the slide title is a reference to the ISO 19011 clause number

BS EN ISO/IEC 17021:2006

The initial certification audit shall be conducted in two stages:

• Stage 1: Audit client's management system documentation
  Review the client's status and evaluate whether client is ready for stage 2 audit
• Stage 2: Evaluate implementation of the client's management system
  Shall take place at the site(s) of the client


Exercise 3

Audit Definitions


Types of Audits

• Registration/Certification
• Product
• Customer contract
• Gap assessment/Pre-assessment
• Surveillance
• Combined audit/Joint audit


Dimensions of Auditing

Intent: Does Top Management intend to implement a BCMS and how is this intent communicated?

Implementation: Does the implementation of the BCMS reflect the intent of Top Management?

Effectiveness: Is the implementation effective (i.e., does it meet the parameters established by the intent)?

Management System Standards and the Process Approach

• BS 25999-2:
  Is based upon the PDCA cycle, which can be applied to processes
  Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a BCMS
• ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits


Applying the Process Approach to Auditing

Auditors can apply the process approach to auditing by ensuring the auditee:

• Can define the objectives, inputs, outputs, activities, and resources for its processes
• Analyzes, monitors, measures, and improves its processes
• Understands the sequence and interaction of its processes

Process Auditing Approaches

Individual Process:
• Input / Output / Value-added Activity
• Plan-Do-Check-Act
• Resources

Relationship with other Processes:
• Flow / Sequence / Linkage / Combination
• Interaction / Communication
• Evidence
• Customer and supplier contract(s)


Process Auditing "Turtle Diagram"

[Figure: turtle diagram. Centre: Process (specific value-added activities). Inputs (from whom/where) enter on the left; Outputs (to whom/where) leave on the right. Above: With what? (Resources) and With who? (Personnel). Below: How done? (Methods/Documentation) and What results? (Performance indicators).]

Process Auditing Example

[Figure: turtle diagram worked for the process "Exercising IT Support Processes". Inputs: BCP, IMP, Scope, Risks, Critical Activity. Outputs: Written report, feedback for improvement, actions. With what? Systems, applications. With who? BC manager, IT manager. How done? Desk check, simulation, walk-through. What results? Reduction in recovery times, successful recovery.]


Exercise 4

Process Auditing and the Turtle Diagram


Managing an Audit Program – Process Flow (ISO 19011 clause 5.1)

[Figure: audit program management flow mapped onto PDCA.
Authorize the audit program.
Plan – Establish the program: objectives, extent, roles, resources, procedures.
Do – Implement the program: schedule audits, evaluate auditors, select teams, direct activities (specific audit activities; auditor competence and evaluation), maintain records.
Check – Monitor and review the program: monitor, review, identify need for CA/PA, identify opportunities to improve.
Act – Improve the program.]


Audit Program

Audit program includes:

• One or more audits, depending on the size, nature and complexity of the auditee
• All activities necessary for planning, organizing, and providing resources to conduct audits

Audit Program

• Top management should authorize responsibility for program management
• Those assigned responsibility should:
  Establish, implement, monitor, review, and improve the audit program
  Identify the necessary resources and ensure they are provided


Audit Program

• Audit program processes should include:
  Planning and scheduling audits
  Assuring competence of auditors and audit teams
  Conducting audits and audit follow-up
  Monitoring the performance of the audit program
• Program should be managed by a member of the organization
• Keep appropriate audit records to monitor and review the audit program

Audit Program and Plan

• An audit plan is an output from the audit program
• Audit plans give details about the audit, including:
  Which processes
  Which areas
  Which clauses


Exercise 5

Considerations of the Audit Program


Audit Activities (ISO 19011 clause 6.1)

1. Initiating the Audit
2. Conducting Document Review
3. Preparing for On-site Activities
4. Conducting On-site Activities
5. Preparing, Approving, Distributing Audit Report
6. Completing the Audit
7. Conducting Audit Follow-up


Initiating the Audit (ISO 19011 clause 6.2)

Initiating the audit includes:

• Appointing the audit team leader
• Defining audit objectives, scope, criteria
• Determining feasibility of the audit
• Selecting the audit team
• Establishing initial contact with the auditee

Defining Audit Objectives, Scope, Criteria (ISO 19011 clause 6.2.2)

Audit objectives may include:

• Determination of the extent of conformity of auditee's BCMS with audit criteria
• Evaluation of capability of BCMS to ensure compliance with statutory, regulatory, and contractual requirements
• Evaluation of effectiveness of the BCMS to meet its objectives
• Identification of areas of improvement


Defining Audit Objectives, Scope, Criteria

Audit scope describes extent and boundaries of audit, including:

• Physical locations
• Organizational units
• Activities and processes
• Time period covered by audit

Selecting the Audit Team (ISO 19011 clause 6.2.4)

For team size and competence, consider:

• Audit objectives, scope, criteria, and duration
• Whether audit is combined or joint
• Competence of team to meet objectives
• Statutory, regulatory, contractual and accreditation / certification requirements


Selecting the Audit Team (ISO 19011 clause 6.2.4)

For team size and competence, consider:

• Independence of the team
• Ability of team members to interact with auditee and each other
• Language of the audit
• Auditee's social and cultural characteristics

Auditor Responsibilities

• Document and support all findings
• Keep auditee informed
• Safeguard all documents
• Maintain confidentiality
• Be objective and ethical
• Verify corrective actions, if required


Auditor Competence (ISO 19011 clause 7.1)

• Auditor competence is based on:
  Personal attributes
  Application of knowledge and skills
• Competence is to be developed, maintained, and improved

Auditor Competence – Personal Attributes (ISO 19011 clause 7.2)

• Ethical
• Open-minded
• Diplomatic
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self-reliant


Auditor Competence – Generic Knowledge and Skills (ISO 19011 clause 7.3.1)

Audit principles, procedures, and techniques:

• Apply principles, procedures, and techniques
• Plan and organize work
• Conduct audit within time schedule
• Collect information through interviewing, listening, observing, and reviewing documents
• Understand sampling techniques
• Confirm evidence to support findings
• Prepare audit reports
• Maintain confidentiality and security

Auditor Competence – Generic Knowledge and Skills (ISO 19011 clause 7.3.1)

• Organizational situations:
  Size, structure, functions, and relationships
  Business processes and terminology
  Cultural and social customs
• Laws, regulations, and other requirements:
  Local, regional, and national
  Contracts and agreements
  International treaties and conventions
• Management system and reference documents:
  Interaction between the components of the system
  Applicable standards, procedures, and reference documents


Auditor Competence – BCM Knowledge and Skills

BCM knowledge and skills should cover:

• Techniques used to develop and implement the BCM process
• Analysis methods and techniques to examine business impact and risk assessment
• Understanding of strategy development
• Understanding of planning techniques to examine the development and implementation of BCM responses and exercises
• Understanding of training and awareness programs for BCM

BS EN ISO/IEC 17021:2006

The initial certification audit shall be conducted in two stages:

• Stage 1: Audit client's management system documentation
  Review the client's status and evaluate whether client is ready for stage 2 audit
• Stage 2: Evaluate implementation of the client's management system
  Shall take place at the site(s) of the client


Conducting Document Review (ISO 19011 clause 6.3)

A review of auditee's documentation:

• Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
• May include relevant BCMS documents, records, and previous audit reports
• May include a preliminary site visit

Conducting Document Review

When conducting a document review, ask:

• Are all requirements of BS 25999 addressed?
• Does documentation match the audit scope?
• Is management commitment clearly defined?
• Have responsibilities been adequately defined?
• Is the lower level documentation referenced?
• Are you familiar with the area to be audited?


Exercise 6

Document Review (Stage 1 Audit)


Audit Plan Preparation (ISO 19011 clause 6.4.1)

The Audit Plan should identify or include:

• Objectives/scope/criteria
• Personnel responsible for objectives and scope
• Reference documents
• Audit team members
• Language of the audit
• Areas to be audited
• Expected time and duration of each major audit activity
• Confidentiality requirements
• Audit reporting details
• Logistics
• Resolution of any plan objections
• Schedule of meetings
• Allocation of appropriate resources
• Audit follow-up actions


Audit Planning

• Determine the objective of the audit
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the auditee – agree the date(s)
• Draw up audit plan
• Brief the team
• Prepare work documents

Exercise 7

Creating an Audit Plan



Prepare Work Documents

• Prepare work documents
• Use as a reference and for recording audit proceedings
• Include checklists, sampling plans and forms, BS 25999-1:2006 and BS 25999-2:2007 standards, etc.
• Keep checklists flexible to allow changes resulting from information collected during the audit
• Safeguard any confidential and proprietary information
• Retain work documents and records

Checklists – Benefits

• Keeps audit scope and objectives clear
• Provides evidence of audit planning
• Maintains audit pace and continuity
• Reduces auditor bias
• Reduces workload during audit
• Provides space for auditor notes
• Identifies expected evidence


Checklists – Potential Drawbacks

• Checklists tend to lose value if they are:
  Tick lists
  Questionnaires
• Checklists may lead to rigid adherence to pre-planned questions

Prepare them as memory aids

Checklists – Preparation

One approach is to:

• Identify audit scope and process(es) within scope
• Identify applicable factors (inputs, outputs, measures, resources, etc.)
• Use these points and other requirements (BS 25999-2, system documentation, etc.) to:
  Plan what to look at
  Plan what to look for (audit evidence)
  Prepare checklist


Checklist Structure

Audit checklist structure:

Process/Activity Audited: ______

Requirement:  BS 25999-2 clause # or other requirement
Source:       What to "look at"
Evidence:     What to "look for"
Notes:        Notes

Exercise 8

Creating Audit Work Documents



Conduct On-site Audit Activities (ISO 19011 clause 6.5)

• Conduct Opening Meeting
• Communicate during the audit
• Explain roles and responsibilities of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct Closing Meeting

Opening Meeting (ISO 19011 clause 6.5.1)

• Hold opening meeting with auditee top management and those responsible for processes audited
• Meeting may range from informal (1st party) to formal (3rd party)
• Chaired by team leader
• Audit team present
• Purpose is to confirm all prior arrangements


Opening Meeting (ISO 19011 clause 6.5.1)

1. Introduction / roles / attendance
2. Objective / scope / criteria
3. Documentation status
4. Audit plan confirmation
5. Audit methods
6. Sampling
7. Communication channels
8. Language of audit
9. Audit progress
10. Closing / interim meetings

Opening Meeting (ISO 19011 clause 6.5.1)

11. Logistics: Resources, safety, security, etc.
12. Confidentiality
13. Availability of guides
14. Reporting methods including nonconformities
15. Conditions for audit termination
16. Appeal system: Audit conduct / conclusions
17. Restrictions / questions


Exercise 9

Conducting an Opening Meeting


Collecting and Verifying Information

[Figure: flow diagram. Sources of information are collected by appropriate sampling and verification to give audit evidence; audit evidence is evaluated against audit criteria to give audit findings; audit findings are reviewed to reach audit conclusions.]


Auditing Process – Collect and Verify Information (ISO 19011 clause 6.5.4)

• Collect information relevant to:
  Audit objectives, scope, and criteria
  Interfaces between functions, activities and processes
• Collect audit evidence by appropriate sampling and verify and record it
• Be aware of sampling limitations, if acting on the audit conclusion
• Use only information that is verifiable as audit evidence

Auditing Process – Techniques to Obtain Audit Evidence

• Interview:
  Personnel that manage, perform, and verify activities
  Also ensure they are responsible for the activity being audited
  Listen carefully to responses
• Observe:
  Identity, status, condition, processes, equipment, activities, environment, and people


Auditing Process – Audit Evidence

• Review documents that describe:
  Activities
  Plans
  Controls
  Strategies
  Exercises
  Tests
• Review business continuity records for evidence of conformity to documents
• Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
• Audit evidence may be qualitative or quantitative

Communication and Interpersonal Skills

• Put auditee at ease
• Ask short questions and listen
• Reflect right attitude, tone of voice, body language, and facial expressions
• Smile and show eye contact
• Avoid interruptions
• Avoid off-the-cuff and condescending remarks
• Give praise when appropriate


Communication and Interpersonal Skills

• Show interest
• Be tactful and polite
• Show patience and understanding
• Remember to say please and thank you
• Ask the right person
• Don't say you understand when you don't

Questioning Techniques

• Open question:
  Using why, who, what, where, when, or how gets more than a yes or no answer
• Expansive question:
  Further elaborates the current point
• Opinion question:
  Asks opinion about current point
• Non-verbal:
  Uses body language, for example: raise an eyebrow to elicit further information


Questioning Techniques

• Repetitive question:
  Repeats back response in form of a question
• Hypothetical question:
  Uses what if, suppose that, etc.
• Closed question:
  Gets a yes or no answer
  Avoid using too often
  Used for confirmation
• Silence:
  Draws more information

Note Taking

• Notes could be used as reference for:
  Immediate investigation
  Investigation later
  Use by a colleague
  Subsequent audits
• Notes must therefore be:
  Legible
  Retrievable


Note Taking

• Notes taken during an audit are a record of:
  The audit sample taken
  What was reported
  What was observed
• Notes may be referenced by subsequent auditors

Control of the Audit

• Checklist is an aid, not a requirement
• If potential audit trails appear, decide to:
  Disregard
  Note for later
  Follow up immediately
• Following audit trails may affect:
  Sample size
  Audit plan


Handling Difficult Situations

• Cannot find document
• Uncooperative
• Called away
• Language
• Unprepared
• Long telephone calls
• Constant interruptions
• Provocation
• Long-winded auditees
• Noisy environment
• Interdepartmental or personality conflicts
• Dog-and-pony show
• Volunteered information
• Diversionary tactics

Establish the Facts – Keep the Auditee Informed

• For constructive, professional, and helpful audits:
  Review audit progress and findings regularly
  Beat the grapevine or rumor mill
  Generate rapport
• Use auditee's terminology
• Make audit documentation:
  Complete
  Helpful
  Concise


Establish the Facts – Judgment in the Audit Process

• Audit focus must be on conformity and effectiveness, NOT on finding nonconformities
• The auditee must be given the benefit of any doubt where there is insufficient audit evidence

Establish the Facts

• Get help from the auditee
• Discuss concerns
• Verify the findings
• Record all the evidence:
  Exact observation
  Where, what, etc.
• Establish why a nonconformity or otherwise
• State who (if relevant) - preferably by job title
• Obtain agreement with the facts


89

Generate Audit Findings

6.5.5

• Evaluate audit evidence against audit criteria to generate audit findings
• Indicate if findings are conformities, nonconformities or opportunities for improvement
• Meet (audit team) to review findings
• Specify (with supporting evidence) or summarize conformity by location, functions, or processes, as required by audit plan

90

Nonconformity

6.5.5

• Non-fulfillment of a specified requirement:
  - Not doing it
  - Partially doing it
  - Doing it the wrong way
• Specified requirements:
  - Conditions of customer contract
  - BC standard (BS 25999-2)
  - Business continuity management system
  - Statutory or regulatory requirements


Exercise 10

Auditing Live Wild Logistics


92

Generate Audit Findings

6.5.5

• Record nonconformity findings and supporting evidence
• Obtain auditee acknowledgement of nonconformities for accuracy and understandability
• Try and resolve differences of opinion
• Keep a record of unresolved issues


93

Nonconformity – Minor

• Failure to comply with a requirement which (based on judgement and experience) is not likely to result in BCMS failure
• Single observed lapse or isolated incident
• Minimal risk of nonconforming product or service
• Examples:
  - A two month lapse in the exercise program
  - A training record not available
  - No actions taken to improve or review BCM arrangements after exercises

94

Nonconformity – Major

• Absence or total breakdown of a system to meet a requirement
• A number of minors related to the same clause or requirement
• A nonconformity that experience and judgement indicate will likely result in BCMS failure or significantly reduce its ability to assure controlled processes and products


95

Nonconformity – Major

Examples:

• No documented procedure for a required BS 25999-2:2007 process/activity
• Document changes routinely made without authorization
• No awareness program for the business continuity management system
• No future planned internal audits
• Insufficient scope
• Numerous minor nonconformities found in the business continuity plan

96

Nonconformity
Classifying the Nonconformity

Consider the Seriousness:

• What could go wrong if the nonconformity remains uncorrected?
• Is it likely the system would detect it before the customer is affected?
• If you are not certain it is a nonconformity, it is not. You must have:
  - A requirement that has been broken
  - Proof that it has been broken


97

Nonconformity
Poor Report Examples

The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:

• Steering Group meeting minutes are not adequate
• The authority level for the Emergency Controller must be documented for clarity purposes

98

Nonconformity
Good Report Examples

ABC BCMS Audit

Nonconformity Report

Incident Number: 1

Company under Audit: XYZ, Inc.

Area under Review: BCP

BS 25999-2 Clause Number: 4.3.3.3

Category: Major / Minor

Requirement:

Clause 4.3.3.3 of BS 25999-2:2007 states that the business continuity plan must identify lines of communication.

Nonconformity Finding:

Upon review of the business continuity plan for XYZ, Inc. Issue 2, it was found that the contact information for the BCP still names employees that have left XYZ, Inc.


Exercise 11

Writing Nonconformities


100

Review Meeting with Auditee

6.5.2

The review meeting, normally 15 to 20 minutes in duration, is carried out at the end of each auditing day with the management representative and guides to:

• Review any nonconformities
• Resolve any problems
• Report audit progress
• Clarify any misunderstandings
• Obtain signatures to any nonconformities


101

Preparing Audit Conclusions

6.5.6

Audit team should confer prior to the closing meeting:

• Scheduling of the audit plan
• To plan for closing meeting
• Purpose is to:
  - Review audit findings and other information
  - Agree on audit conclusions
• To prepare the audit report and recommendations
• If included in audit plan, to discuss audit follow-up

102

Audit Report
Prepare, Approve and Distribute

6.6.1, 6.6.2

1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan – dates, places, areas audited and timing
7. Summary of audit process
8. Audit Summary
9. Uncertainty due to sampling


103

Audit Report
Prepare, Approve and Distribute

6.6.1, 6.6.2

10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives accomplished
16. Confidentiality statement
17. Distribution list

104

Audit Report Distribution

6.6.1

• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved as per procedures
• Distribute to recipients designated by audit client
• Report is property of audit client
• Recipients and audit team must respect the confidentiality of the report


105

Completing the Audit

6.7

• Audit is complete when all activities in audit plan have been carried out and audit report is distributed
• Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
• Maintain confidentiality of audit documents, information, and report
• Notify audit client and auditee ASAP if disclosure of audit information is required

106

3rd Party Audit
Recommendation Options

• Recommend registration without conditions
• Recommend conditional registration based on submission of acceptable plan and follow-up:
  - Verification at next surveillance visit
  - Evaluation of the mailed evidence
  - Special visit to verify corrective action
• Unable to recommend registration at this time:
  - Partial re-audit
  - Full re-audit


Exercise 12

Creating the Audit Report


108

Closing Meeting

6.5.7

• Hold closing meeting (with auditee, audit client, and other parties) to present audit findings and conclusions
• Cover situations encountered during audit that may decrease reliance on audit conclusions
• Discuss and resolve diverging audit findings and conclusions
• Keep a record if not resolved
• Provide recommendations for improvement where specified by audit objectives
• Keep minutes and attendance records


109

Closing Meeting

6.5.7

Team Leader prepares and works to an agenda and controls the meeting:

• Attendees
• Thanks
• Objective / Scope
• Reporting system
• Limitations
• Audit Summary
• Nonconformities
• Agreement (sign)
• Recommendation
• Clarification
• Confidentiality
• Depart

Exercise 13

Conducting the Closing Meeting



111

Completing the Audit
Conducting the Follow-up

6.8

• Audit conclusions may require corrective, preventive, or improvement actions
• Auditee decides and carries out these actions within agreed timeframe
• These actions are not part of the audit
• Auditee should keep client informed of status of these actions

112

Completing the Audit
Conducting the Follow-up

6.8

• Audit team member should verify completion and effectiveness of actions taken
• This verification may be part of a subsequent audit
• Maintain independence in subsequent audit activities


113

Completing the Audit
Corrective Action Follow-Up

6.8

• Auditee receives the nonconformity report
• Auditee prepares and approves a corrective action plan
• Auditee submits the plan to audit organization
• Audit organization evaluates and approves the plan
• Auditee implements the approved corrective action plan

114

Completing the Audit
Corrective Action Follow-Up

6.8

• Auditee collects and evaluates evidence of effectiveness
• Auditee revises the plan, if necessary
• Auditee documents the changes in the BCM system
• Auditor verifies the implementation and effectiveness
• Records of all actions taken by auditor and auditee


Exercise 14

Conducting Audit Follow-up


Exercise 15

Sample Exam



Conclusion


118

Business Continuity Lifecycle

Lifecycle diagram (elements):

• BCM Program Management
• Understanding the Organization
• Determining BCM strategy
• Developing and implementing BCM response
• Exercising, maintaining and reviewing


119

Typical Audit Activities

Initiating the Audit

Conducting Document Review

Preparing for On-site Activities

Conducting On-site Activities

Preparing, Approving, Distributing Audit Report

Completing the Audit

Conducting Audit Follow-up

120

Questions?


Thank you for your attendance and participation!

BS 25999 Lead Auditor course
