Being able to continue critical business functions while responding to a major disaster, and then to return to normal operations efficiently and cohesively afterward, is a critical success factor for all organizations. Effective Business Continuity programs (BCPs) and disaster recovery (DR) programs are vital and have become a necessary cost of doing business.<\/p>\n
Internal audits of the BCP and DR programs are highly recommended. The Board and management need assurance regarding the effectiveness of those efforts. They want to know that the DR plan will work when needed, the investments in BCP and DR are obtaining good value, and a disaster will not bring the business to its knees. An independent assessment of the BCP and DR programs by internal audit can provide objective feedback that helps ensure the programs are adequate to prevent a business failure. Think about it: While everyone has focused on the requirements of Sarbanes-Oxley for almost five years, have your DR and BCP efforts kept pace with today\u2019s new challenges and expanding requirements? Have an answer, because your board is increasingly likely to ask.<\/p>\n
An audit of the BCP and DR program can take many forms. At its simplest, auditors can conduct a quick \u201cBCP\/DR health check,\u201d reviewing the plans and interviewing key stakeholders. At its most complex, the audit team can analyze almost every aspect of the program, evaluate the risk-based planning, observe BCP\/DR tests, assess the completeness of the business-impact analysis, and so forth. The type and the extent of auditing performed depend on the risks involved, management\u2019s assurance requirements, and the availability of audit resources. External specialist resources may be useful on occasion. The auditors might participate as formal observers in mock drills or review the program\u2019s documentation and assess its comprehensiveness and completeness. Your options are numerous. Internal auditors normally will review what has been planned and achieved against management\u2019s expectations and then compare to generally accepted best practices in the field. This is where audit objectivity comes to the fore: The auditors have a legitimate purpose to assess whether management\u2019s expectations are reasonable and sufficient, given the level of risk to the organization and in relation to other similar organizations. The following advice covers the main phases of any audit: scoping, planning, fieldwork, analysis and reporting. BCP and DR programs, however, come in many shapes and sizes, so the specific details of any given audit will vary according to the situation.<\/p>\n
As with any audit, defining the goals and objectives for a review of the BCP and DR programs is the auditor\u2019s first task. Scoping is best conducted on the\u00a0basis of a rational assessment of the associated risks. The following aspects are generally worth considering when scoping a BCP and DR audit:<\/p>\n
Overall program governance: How are the programs managed? Are they given appropriate strategic direction and investment? (That is, does the organization place sufficient emphasis on BCP and DR?) Are suitable sponsors and stakeholders involved, representing all critical parts of the organization? Do they take sufficient interest in the programs, demonstrating their support through involvement and action? Most importantly, who is accountable for their success or failure?<\/p>\n
A critical success factor in every BCP and DR effort is the way in which the programs are planned and driven to ensure that they meet objectives, despite the organization\u2019s inevitable competing priorities. Does program management balance consideration of the many conflicting priorities managers face with the critical need that corporate resiliency efforts be appropriate? This is not a oncea- year exercise anymore; being prepared is an ongoing, day-in and day-out effort.<\/p>\n
Have the programs\u2019 requirements been clearly and fully defined by management? Has a comprehensive business-impact analysis been completed? Is it regularly updated?<\/p>\n
Have all the critical business processes been identified and suitable plans prepared? Do the plans take sufficient account of the need to maintain or recover the supporting infrastructure (IT servers and networks, for example)? Are the plans reasonably \u201ctidy,\u201d or are they cluttered with nonessential processes, systems and activities? Are significant outsourced activities adequately covered? Do they need validation as well?<\/p>\n
Inevitably, changes will be required to implement BCP and DR arrangements. Is change management managed effectively to provide the best assurance that changes are tracked and addressed within the live and DR environments?<\/p>\n
DR testing processes:<\/strong> Program managers need to demonstrate the organization\u2019s preparedness, build management confidence, and, most importantly, strengthen the organization\u2019s BCP and DR capabilities. Is \u201cpeople participation\u201d identified, approved and tracked to provide the best assurance that the drills and tests are actually attended and that those results meet your BCP and DR objectives?<\/p>\n Plan maintenance:<\/strong> How is the change management process that keeps the plans up to date governed, even as the organization changes? Are roles and responsibilities allocated within the organization for developing, testing, and maintaining BCP and DR plans?<\/p>\n BCP and DR procedures:<\/strong> Consider the procedures and associated training, guidelines, and so forth to make managers and staff familiar with the process to follow in a disaster.<\/p>\n In addition to defining what aspects fall within the audit\u2019s scope, equally important is that management and the Board clarify any aspects that are out of the scope. A natural part of the scoping phase is to identify one or more management sponsors for the audit. Audits are conducted for the benefit of the company\u2019s management, rather than for audit\u2019s own purposes, so it is important to know who will receive, accept and act upon the final audit report.<\/p>\n Having defined the scope, the audit team needs to plan the audit within the constraints of available resources from the audit department and from the business as a whole. Resourcing decisions are largely risk-based, taking account of factors such as the program management\u2019s experience, the level of management involvement in the program efforts, the size and complexity of the program, and the potential effects on the organization if the program fails.<\/p>\n Audit teams combining business and IT auditors are recommended wherever possible, since BCP and DR span both fields of expertise.<\/p>\n This is also a good time for the auditors to identify and contact the primary auditees. Securing their assistance with the audit fieldwork is easier if they have an opportunity to comment on the timing and nature of the work required \u2013 provided that the audit department\u2019s independence and objectivity are not unduly compromised in the process! The audit approach also needs to be decided during the audit planning. For instance, will it be feasible to review all BCP and DR plans, or is it necessary to sample the plans? If so, on what basis will the sample be selected? Should auditing of BCP and DR efforts be separate and distinct audits?<\/p>\n Most auditors generate an audit checklist at this stage, converting the agreed audit scope into a structured series of audit tests that they plan to conduct. In addition, before fieldwork commences, audit management should review the audit plans and checklists to ensure that all of the key issues identified in the scope have been given sufficient consideration to satisfy management\u2019s assurance needs.<\/p>\n In this phase of the audit, the auditors examine the BCP and DR program based on the goals and methods decided upon in the earlier phases. BCP helps the organization to survive a disaster by keeping critical business processes operating during the crisis, whereas DR restores the other less-critical processes following the crisis. Audit testing during the fieldwork phase gathers sufficient evidence to assess whether the program is able to meet these two fundamental requirements.<\/p>\n Details of the tests are normally recorded in the audit checklist. They are accompanied by a file containing the corresponding audit evidence, such as annotated copies of BCP and DR plans, test results, and other materials that the auditors have reviewed.<\/p>\n Audit reporting is a straightforward process, at least in theory. This is where the auditors analyze the results of their tests, formulate their recommendations, and prepare and finally present a formal audit report to management. In the report, the auditors explain:<\/p>\n What they set out to do:<\/strong> This part of the report will introduce the risks and recap the audit scope.<\/p>\n The audit methods:<\/strong> This will describe how the auditor went about meeting the objectives.<\/p>\n What they found:<\/strong> This typically covers the key issues identified, if not the full gory details.<\/p>\n The recommendations:<\/strong> This will entail advice to management on how to address the issues identified.<\/p>\n A description of the actual BCP and DR program, including its scope, mandate, role and accomplishments also would be useful in getting everyone on the same page regarding organizational investments in BCP and DR efforts.<\/p>\n Audit reporting requires a careful balance between the somewhat idealistic outlook of some auditors and the realities of managing the organization with limited resources and competing priorities. At the end of the day, it is management \u2013 not the auditors \u2013 that is responsible for deciding which, if any, recommended improvements to the BCP and DR program they intend to make.<\/p>\n Is your investment in resiliency appropriate? What measures have been implemented to track your progress? And, finally, is management regularly assessing and improving the organization\u2019s \u201cpreparedness\u201d capabilities in the event of a disaster?<\/p>\nAudit Planning Phase<\/h2>\n
Audit Fieldwork Phase<\/h2>\n
Audit tests of a BCP and DR program may include the following:<\/h3>\n
\n
Audit Analysis and Reporting Phase<\/h2>\n
The Bottom Line<\/h2>\n
\n