I have just started reading a book that I have been given about auditing business continuity, and have come across a remarkable statement in the book that says, and I quote, “…the internal auditor conducts the most detailed review work and therefore has the most input to a business continuity programme.”
Now, someone please correct me if I’m wrong, but shouldn’t the executive management have the most input to a business continuity programme, or maybe the individual tasked with managing the programme? I always thought that the role of internal audit was to review and challenge with a view to assist the organisation to improve the way that it operates. This should be no different in the context of a business continuity programme.
To my mind the theory of how a business continuity programme should implemented is very simple and straight forward (although the practice can be a bit tricky). The executive management set the strategic direction, allocate the resources, and appoint a suitably trained and knowledgeable person to manage the implementation. Internal audit check the implementation against whatever standard the organisation has decided to adopt, and make recommendations for improvement. This is a world away from “… has the most input to a business continuity programme.”
If internal audit set themselves up as the experts in business continuity, then they should manage the implementation. Maybe the Business Continuity Manager could then take over the review role and check internal audit’s implementation against the agreed standard.
The Business Continuity Consultant 