1. There are two main approaches to understanding business continuity planning (BCP): an audit-based approach and a solution-based approach.
2. An audit-based approach involves using audit methods and techniques to conduct a thorough examination of BCP, focusing on risk areas and controls.
3. A solution-based approach works collaboratively with clients to develop pragmatic and realistic solutions that fit their needs, rather than the auditor deciding solutions.
2. Justify the capability of auditing based approach to understanding BCP over
a solution-based approach
Audit approaches are the methods or techniques that auditors use in their audit assignments. Both
internal and external audits apply audit approaches to conduct their audit activities differently
based on the nature of engagement, scope, nature of the client’s business, and audit risks.
Solution-Focused(SF) is a future-oriented, goal-directed approach to solving human problems of
living. Initially developed as a rebellion against the traditional psychotherapy approach which is
driven by the therapist/expert deciding what might be the best possible solution for those who
seek help, SF aims to work collaboratively with the client who understands his own
circumstances the best in order to arrive at a solution that is pragmatic and realistic to fit his
needs.
Selecting the right audit approach is important. It can help the auditor to improve audit
performance in terms of efficiency and effectiveness. The right audit approach could also help
auditors to focus on the hight risks areas and pay less effort on the low risks areas. Different
audit firms might use different audit approach to perform their audit testing.
Here are the four essential audit approaches:
1. Substantive Procedures Audit Approach
2. Balance Sheet Audit Approach
3. System Based Approach
4. Risk-based Audit Approach
Risk-based Audit Approach:
By the following RISK Based internal audit should be able to conclude that:
1. Risk management processes, both their design and how well they are working
2. Management of those risks classified as 'key', including the effectiveness of the controls
and other responses to them
3. Complete, accurate and appropriate reporting and classification of risks