« Business Continuity

What to do after a continuity audit

A follow-up audit is a critical part of the continuity strategy process.
A follow-up audit is a critical part of the continuity strategy process.

One of the key steps in developing a successful continuity of operations plan is to test it through auditing of processes and systems. These audits not only check the validity of the recovery strategy, but also ensure that data privacy compliance and other regulations are met along the way. Audits are an important part of the process, and shouldn't be ignored or passed over lightly.

However, what many firms are unsure of is what to do after an audit occurs.

According to Hilary Estall, a contributor for Continuity Central, one of the most important things to do after an audit is schedule a follow-up audit.

When an audit is performed, the auditor will likely give a business a laundry list of a things that need to be addressed, corrected, improved upon or changed in general. They may also include observations that a company doesn't need to act upon, but could improve recovery time following a disaster. For each of the items on this list there businesses will want to consider the changes they can make that will conform with their company culture plan of action. The corrective action is usually discussed with the auditor and agreed upon during the closing meeting, and set within a timeline after the audit for completion. The follow-up audit should be scheduled for the end of these actions, to ensure that proper steps have been taken to address potential risks, and that new issues haven't arisen as a result of these changes.

A follow-up audit may not always be necessary, and the auditor can usually determine the best course of action.

The follow-up audit doesn't recheck the business continuity plan a firm has, it also establishes a schedule to complete upgrades and improvements within to enhance recovery opportunity. This means that corrective actions need to be addressed and ownership over the processes and systems at play has to be established. Companies that don't put forth a concerted effort to maximize their time between the initial audit and the follow-up will simply be wasting their time.

The greatest benefit that comes from a follow-up audit is the peace of mind that your company is protected from disaster risks. It can be easy to overlook, or even rush, this process, but ensuring that corrective actions have been taken properly and that the right steps have been taken to support successful continuity when a crisis does strike.

"It's no surprise that audits which have a clear and planned outcome offer far greater benefits to the organization," Estall notes. "I see this time and again on my auditing travels and, where I am the nominated internal auditor, will always insist on a meaningful follow up approach. After all, what's the point of being audited if you don't want to know where the gaps are and seek to improve as a result of plugging them?"