Internal Audit Checklist
ISO22301 Toolkit: Version 6 ©CertiKit
Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document

This is a checklist to be used as a prompter for questions during an internal audit.
Areas of the standard addressed

The following areas of the ISO22301 standard are addressed by this document:
• 9 Performance evaluation
  o 9.2 Internal audit
    ▪ 9.2.2 Audit programme(s)
General guidance

When conducting an internal audit, it can be useful to have a list of standard questions to ask, organized according to the sections of the ISO22301 standard. This makes the audit more engaging than simply reading the requirements from a spreadsheet. Any one audit may not cover all parts of the standard, so you may need to edit this checklist to cover only the areas in scope. You may also like to add further questions to the lists, depending on the type of organization you are auditing. At each stage, it is important that evidence is reviewed and recorded to demonstrate that the relevant procedures, records and controls are in place.
Review frequency

We would recommend that this document is reviewed annually.
Version 1
Page 2 of 22
[Insert date]
Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
BCMS-FORM-09-4 Version 1

Audit details

Audit:
Audit scope:
Auditor(s):
Date of audit:

4 Context of the organization

4.1 Understanding the organization and its context

RECOMMENDED QUESTIONS
1. What are the internal and external issues that are relevant to the BCMS?
2. How do they affect its ability to achieve its intended outcome?
3. What does the organization do and how might a disruptive incident affect its activities?
4. What is the organization’s risk appetite?
5. What is the purpose of the BCMS?

AUDIT FINDINGS

EVIDENCE REVIEWED
4.2 Understanding the needs and expectations of interested parties

RECOMMENDED QUESTIONS
1. Who are the interested parties?
2. What are their requirements?
3. How have their requirements been established?
4. What are the main legal and regulatory requirements that the organization must meet with respect to business continuity?
5. How is the understanding of these requirements kept up to date?

AUDIT FINDINGS

EVIDENCE REVIEWED

4.3 Determining the scope of the BCMS

RECOMMENDED QUESTIONS
1. What is the scope of the BCMS?
2. How is it defined?
3. Are any exclusions explained?
4. Does it consider the relevant issues and requirements?
5. Does it consider how the organization interacts with other organizations?
6. Is the scope documented?

AUDIT FINDINGS

EVIDENCE REVIEWED
4.4 Business continuity management system

RECOMMENDED QUESTIONS
1. How established is the BCMS?
2. How long has it been running for?
3. How much evidence has been collected so far, for example, records?

AUDIT FINDINGS

EVIDENCE REVIEWED
5 Leadership

5.1 Leadership and commitment

RECOMMENDED QUESTIONS
1. Who is defined as top management within the scope of the BCMS?
2. How does top management demonstrate leadership and commitment?
3. Are business continuity policies and objectives established?
4. Are enough resources allocated to the BCMS?
5. How does top management communicate to everyone involved in the BCMS?

AUDIT FINDINGS

EVIDENCE REVIEWED

5.2 Policy

RECOMMENDED QUESTIONS
1. Can I review the business continuity policy?
2. Is it appropriate and does it cover the required areas?
3. Does it include the required commitments?
4. How has it been communicated and distributed – and to whom?
5. When was it last reviewed?

AUDIT FINDINGS

EVIDENCE REVIEWED
5.3 Roles, responsibilities and authorities

RECOMMENDED QUESTIONS
1. What are the roles within the BCMS?
2. Does everyone understand what their responsibilities and authorities are?
3. Who has the responsibility and authority for conformance and reporting?

AUDIT FINDINGS

EVIDENCE REVIEWED
6 Planning

6.1 Actions to address risks and opportunities

RECOMMENDED QUESTIONS
1. What are the main risks to the BCMS?
2. What actions are or have been taken to address them?
3. How effective have these actions been?

AUDIT FINDINGS

EVIDENCE REVIEWED
6.2 Business continuity objectives and planning to achieve them

RECOMMENDED QUESTIONS
1. Are there documented business continuity objectives?
2. Do the objectives comply with section 6.2.1 a) to f)?
3. Is there a plan to achieve the objectives?
4. Does the plan include the who, what, when and how?

AUDIT FINDINGS

EVIDENCE REVIEWED
6.3 Planning changes to the BCMS

RECOMMENDED QUESTIONS
1. What changes to the BCMS have been identified recently?
2. How were these changes planned and managed?

AUDIT FINDINGS

EVIDENCE REVIEWED
7 Support

7.1 Resources

RECOMMENDED QUESTIONS
1. How are the resources needed for the BCMS determined?
2. Are the required resources provided?

AUDIT FINDINGS

EVIDENCE REVIEWED

7.2 Competence

RECOMMENDED QUESTIONS
1. Have the necessary competences been determined?
2. How has the competence of the people involved in the BCMS been established?
3. What actions have been identified to acquire the necessary competence?
4. Have they been completed, and is there evidence of this?

AUDIT FINDINGS

EVIDENCE REVIEWED
7.3 Awareness

RECOMMENDED QUESTIONS
1. What approach has been taken to providing awareness of the business continuity policy, of people’s contribution to the BCMS and of the implications of not conforming?
2. Has everyone been covered?

AUDIT FINDINGS

EVIDENCE REVIEWED

7.4 Communication

RECOMMENDED QUESTIONS
1. How has the need for communication been established?
2. Is the approach to communication documented?
3. Do the procedures cover all areas in 7.4 a) to e)?

AUDIT FINDINGS

EVIDENCE REVIEWED

7.5 Documented information

RECOMMENDED QUESTIONS
1. Is all the documented information required by the standard in place?
2. Is the level of other documentation reasonable for the size of the BCMS?
3. Are appropriate documentation standards, for example, identification and format, in place?
4. Are the standards applied in a uniform way?
5. Are appropriate controls in place to address the activities listed in 7.5.3.2?
6. How are documents of external origin handled?
7. How is the documentation protected?

AUDIT FINDINGS

EVIDENCE REVIEWED
8 Operation

8.1 Operational planning and control

RECOMMENDED QUESTIONS
1. What processes are used to meet requirements?
2. What documented information is kept about them?
3. What planned changes have taken place recently, and how were they controlled?
4. What processes are outsourced?
5. How are they controlled?

AUDIT FINDINGS

EVIDENCE REVIEWED
8.2 Business impact analysis and risk assessment

RECOMMENDED QUESTIONS
1. Is there a documented business impact analysis and risk assessment process?
2. Does the BIA process meet the requirements of 8.2.2 a) to h)?
3. What is the most recent business impact analysis?
4. Who was involved in creating it?
5. What are its conclusions?
6. What significant changes have happened that have prompted a business impact analysis to be carried out?
7. What is the most recent risk assessment?
8. Does it identify a reasonable set of risks and specify owners?
9. Are the likelihood and impact of risks assessed appropriately and risk levels determined?
10. How are the risks then evaluated and prioritized?
11. Review the most recent risk treatment plan.
12. Are reasonable risk treatment options selected?

AUDIT FINDINGS

EVIDENCE REVIEWED
8.3 Business continuity strategies and solutions

RECOMMENDED QUESTIONS
1. What is the business continuity strategy of the organization?
2. Which business continuity solutions have been identified?
3. How are the resource requirements for the implementation of the strategy determined?
4. Which risks have been treated?

AUDIT FINDINGS

EVIDENCE REVIEWED
8.4 Business continuity plans and procedures

RECOMMENDED QUESTIONS
1. What procedures have been established to manage disruptive incidents?
2. How well do the procedures meet the requirements of 8.4.1 a) to e)?
3. What is the management structure used during incidents?
4. Has this structure been used to manage an incident recently and, if so, what was the outcome?
5. What is the approach to communication during an incident?
6. What procedures are in place for items a) to f) in 8.4.3.1?
7. When were they last exercised?
8. What business continuity plans are in place?
9. Which of them have been used to date?
10. What documented information is available in relation to the use of the plans? For instance, activity logs and communications.
11. Are all the areas defined within 8.4.4.2 included in the plans?
12. How would normal business activities be restored after each plan has been activated?

AUDIT FINDINGS

EVIDENCE REVIEWED
8.5 Exercise programme

RECOMMENDED QUESTIONS
1. What is the schedule for exercising and testing business continuity plans?
2. When was the last test or exercise carried out?
3. What did it cover?
4. Who was involved?
5. How successful was it?
6. What was learned from the test?
7. What records of the test are available?

AUDIT FINDINGS

EVIDENCE REVIEWED
8.6 Evaluation of business continuity documentation and capabilities

RECOMMENDED QUESTIONS
1. How are business continuity procedures evaluated?
2. Is a sample post-incident review available?

AUDIT FINDINGS

EVIDENCE REVIEWED
9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

RECOMMENDED QUESTIONS
1. How is it determined what should be monitored and measured?
2. Review evidence of monitoring and measurement.
3. What procedures are in place to cover monitoring and measurement in different areas?
4. How are results reported?

AUDIT FINDINGS

EVIDENCE REVIEWED

9.2 Internal audit

RECOMMENDED QUESTIONS
1. How often are internal audits carried out?
2. Who carries them out?
3. Are the auditors objective and impartial?
4. May I review the most recent internal audit report?
5. Have any nonconformities resulting from previous audits been addressed?
6. Does the audit programme cover the complete scope of the BCMS?

AUDIT FINDINGS

EVIDENCE REVIEWED

9.3 Management review

RECOMMENDED QUESTIONS
1. How often are management reviews carried out?
2. Who attends them?
3. Are they minuted?
4. Are all inputs in 9.3.2 covered in management reviews?
5. Review the results of the most recent one.
6. What outputs resulted from it?
7. Does the management review represent a reasonable assessment of the health of the BCMS?

AUDIT FINDINGS

EVIDENCE REVIEWED
10 Improvement

10.1 Incident, nonconformity and corrective action

RECOMMENDED QUESTIONS
1. How are nonconformities identified?
2. How are they recorded?
3. Review the records of a recent nonconformity.
4. Was appropriate action taken to correct it and address the underlying causes?
5. Was the effectiveness of the corrective action reviewed?

AUDIT FINDINGS

EVIDENCE REVIEWED

10.2 Continual improvement

RECOMMENDED QUESTIONS
1. How are improvements identified?
2. Are they recorded?
3. What evidence of continual improvement can be demonstrated?

AUDIT FINDINGS

EVIDENCE REVIEWED