Five Tips to Prepare for a Program Audit

Michael Herrera, CEO, MHA Consulting

As BCM professionals we have all gone through program audits at one time or another. It is in our best interest to know what to expect from an auditor, how to deal with the audit experience in a positive way, and how to respond to findings and move our program forward.

At MHA, we are the BCM Office for a good number of our clients. We manage each program using industry best practices and standards as our measuring stick to ensure that the program provides the highest level of resiliency and meets or exceeds compliance requirements. We know which of our managed programs are in line with best practices and which ones need more time and work. Audits are a part of our daily consulting efforts.

We are finding that it is increasingly common for audits to be inconsistent in their application, findings, and outcomes. It is not unusual for audit findings to conflict with what we know to be the true state of compliance in a BCM program. Common conditions we see during audits:

  • Audit teams lack intimate understanding of BCM industry standards and guidelines.
  • Audit teams don’t grasp the difference between standards and guidelines.
  • Audit teams don’t read what you send them.
  • Audit teams generate findings that often have little to do with raising resiliency.
  • There is often conflict created by a “them versus us” mentality.

How do we make audits as bearable and consistent as possible?

Tip #1 – Be prepared – understand your compliance status

  • Ensure your BCM Office and internal audit have a clear understanding of the program to be able to speak to it as needed during an audit.
  • Familiarize yourself with the standards, regulations, and best practices that apply to your industry and BCM program.
  • Understand your compliance status and where your deficiencies are prior to the audit.

Tip #2 – Be proactive – understand how your program will be evaluated

  • Auditors should provide you with a scope of the audit, including what standards they will use to evaluate your program. Note any variations from the standards you actually use and resolve them ahead of time.

Tip #3 – Be cooperative – the auditor is a potential ally

  • Provide the auditors with the information and documentation they need in a timely and thorough manner. Gather your documentation ahead of time, if possible.
  • Compile requested data and information in a logical and organized manner. The documents should tell a positive story of your program from end to end.
  • Don’t attempt to produce documents you know you don’t have at the last minute. It’s not worth the embarrassment.

Tip #4 – Be realistic and respond honestly to findings; it’s OK to disagree with a finding

  • A BCM GRC tool like BCMMetrics™ can be used to help you prepare for and respond to an audit. BCMMetrics allows you to do your own due diligence so you know where you stand (level of compliance and successes/opportunities) before the audit. Run reports to identify where you are in compliance and where you have big gaps. Share these efforts with your auditors, including any plans you have to address any deficiencies.

Tip #5 – Be accountable – follow through with your action items; improve your own internal standards as needed

What do you do when you disagree with an audit finding?

Fear of possible repercussions for speaking out often keeps us from pushing back on audit findings. I believe that if you have solid evidence a finding was not merited, by all means, push back. Be respectful and specific with your disagreement, and don’t hesitate to propose an alternate conclusion or recommendation. There is no reason to be saddled with needless work that does not raise the resiliency of your program.

In closing, working with auditors is a worthwhile investment of time that can lead to increased management focus and support. Don’t underestimate the importance of preparation, cooperation, honesty, and accountability throughout the audit engagement.


Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.

