Being able to continue critical business functions while responding to a major disaster, and then to return to normal operations efficiently and cohesively afterward, is a critical success factor for all organizations. Effective Business Continuity programs (BCPs) and disaster recovery (DR) programs are vital and have become a necessary cost of doing business.
Internal audits of the BCP and DR programs are highly recommended. The Board and management need assurance regarding the effectiveness of those efforts. They want to know that the DR plan will work when needed, the investments in BCP and DR are obtaining good value, and a disaster will not bring the business to its knees. An independent assessment of the BCP and DR programs by internal audit can provide objective feedback that helps ensure the programs are adequate to prevent a business failure. Think about it: While everyone has focused on the requirements of Sarbanes-Oxley for almost five years, have your DR and BCP efforts kept pace with today’s new challenges and expanding requirements? Have an answer, because your board is increasingly likely to ask.
An audit of the BCP and DR program can take many forms. At its simplest, auditors can conduct a quick “BCP/DR health check,” reviewing the plans and interviewing key stakeholders. At its most complex, the audit team can analyze almost every aspect of the program, evaluate the risk-based planning, observe BCP/DR tests, assess the completeness of the business-impact analysis, and so forth. The type and the extent of auditing performed depend on the risks involved, management’s assurance requirements, and the availability of audit resources. External specialist resources may be useful on occasion. The auditors might participate as formal observers in mock drills or review the program’s documentation and assess its comprehensiveness and completeness. Your options are numerous. Internal auditors normally will review what has been planned and achieved against management’s expectations and then compare to generally accepted best practices in the field. This is where audit objectivity comes to the fore: The auditors have a legitimate purpose to assess whether management’s expectations are reasonable and sufficient, given the level of risk to the organization and in relation to other similar organizations. The following advice covers the main phases of any audit: scoping, planning, fieldwork, analysis and reporting. BCP and DR programs, however, come in many shapes and sizes, so the specific details of any given audit will vary according to the situation.
As with any audit, defining the goals and objectives for a review of the BCP and DR programs is the auditor’s first task. Scoping is best conducted on the basis of a rational assessment of the associated risks. The following aspects are generally worth considering when scoping a BCP and DR audit:
Overall program governance: How are the programs managed? Are they given appropriate strategic direction and investment? (That is, does the organization place sufficient emphasis on BCP and DR?) Are suitable sponsors and stakeholders involved, representing all critical parts of the organization? Do they take sufficient interest in the programs, demonstrating their support through involvement and action? Most importantly, who is accountable for their success or failure?
A critical success factor in every BCP and DR effort is the way in which the programs are planned and driven to ensure that they meet objectives, despite the organization’s inevitable competing priorities. Does program management balance the many conflicting priorities managers face against the critical need for corporate resiliency efforts to be appropriate? This is not a once-a-year exercise anymore; being prepared is an ongoing, day-in and day-out effort.
Have the programs’ requirements been clearly and fully defined by management? Has a comprehensive business-impact analysis been completed? Is it regularly updated?
Have all the critical business processes been identified and suitable plans prepared? Do the plans take sufficient account of the need to maintain or recover the supporting infrastructure (IT servers and networks, for example)? Are the plans reasonably “tidy,” or are they cluttered with nonessential processes, systems and activities? Are significant outsourced activities adequately covered? Do they need validation as well?
Inevitably, changes will be required to implement BCP and DR arrangements. Is change management handled effectively, so that changes are tracked and addressed in both the live and the DR environments?
DR testing processes: Program managers need to demonstrate the organization’s preparedness, build management confidence, and, most importantly, strengthen the organization’s BCP and DR capabilities. Is “people participation” identified, approved and tracked to provide the best assurance that the drills and tests are actually attended and that those results meet your BCP and DR objectives?
Plan maintenance: How is the change management process that keeps the plans up to date governed, even as the organization changes? Are roles and responsibilities allocated within the organization for developing, testing, and maintaining BCP and DR plans?
BCP and DR procedures: Consider the procedures and associated training, guidelines, and so forth to make managers and staff familiar with the process to follow in a disaster.
In addition to defining what aspects fall within the audit’s scope, it is equally important that management and the Board clarify any aspects that are out of scope. A natural part of the scoping phase is to identify one or more management sponsors for the audit. Audits are conducted for the benefit of the company’s management, rather than for audit’s own purposes, so it is important to know who will receive, accept and act upon the final audit report.
Having defined the scope, the audit team needs to plan the audit within the constraints of available resources from the audit department and from the business as a whole. Resourcing decisions are largely risk-based, taking account of factors such as the program management’s experience, the level of management involvement in the program efforts, the size and complexity of the program, and the potential effects on the organization if the program fails.
Audit teams combining business and IT auditors are recommended wherever possible, since BCP and DR span both fields of expertise.
This is also a good time for the auditors to identify and contact the primary auditees. Securing their assistance with the audit fieldwork is easier if they have an opportunity to comment on the timing and nature of the work required – provided that the audit department’s independence and objectivity are not unduly compromised in the process! The audit approach also needs to be decided during audit planning. For instance, will it be feasible to review all BCP and DR plans, or is it necessary to sample the plans? If so, on what basis will the sample be selected? Should the BCP and DR efforts be audited separately, as distinct audits?
Most auditors generate an audit checklist at this stage, converting the agreed audit scope into a structured series of audit tests that they plan to conduct. In addition, before fieldwork commences, audit management should review the audit plans and checklists to ensure that all of the key issues identified in the scope have been given sufficient consideration to satisfy management’s assurance needs.
In this phase of the audit, the auditors examine the BCP and DR program based on the goals and methods decided upon in the earlier phases. BCP helps the organization to survive a disaster by keeping critical business processes operating during the crisis, whereas DR restores the other less-critical processes following the crisis. Audit testing during the fieldwork phase gathers sufficient evidence to assess whether the program is able to meet these two fundamental requirements.
Details of the tests are normally recorded in the audit checklist. They are accompanied by a file containing the corresponding audit evidence, such as annotated copies of BCP and DR plans, test results, and other materials that the auditors have reviewed.
Audit reporting is a straightforward process, at least in theory. This is where the auditors analyze the results of their tests, formulate their recommendations, and prepare and finally present a formal audit report to management. In the report, the auditors explain:
What they set out to do: This part of the report will introduce the risks and recap the audit scope.
The audit methods: This will describe how the auditor went about meeting the objectives.
What they found: This typically covers the key issues identified, if not the full gory details.
The recommendations: This will entail advice to management on how to address the issues identified.
A description of the actual BCP and DR program, including its scope, mandate, role and accomplishments, would also be useful in getting everyone on the same page regarding organizational investments in BCP and DR efforts.
Audit reporting requires a careful balance between the somewhat idealistic outlook of some auditors and the realities of managing the organization with limited resources and competing priorities. At the end of the day, it is management – not the auditors – that is responsible for deciding which, if any, recommended improvements to the BCP and DR program they intend to make.
Is your investment in resiliency appropriate? What measures have been implemented to track your progress? And, finally, is management regularly assessing and improving the organization’s “preparedness” capabilities in the event of a disaster?
About the Author
Dan Swanson is a 26-year internal audit veteran who was the director of professional practices at the Institute of Internal Auditors (IIA). Prior to his work with the IIA, Swanson was an independent management consultant for more than 10 years. He has completed audit projects for more than 30 different organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors. For more information contact Dan at [email protected]
This amended extract and the original text it is taken from are both subject to ITG Copyright and may not be reproduced without prior written consent from the publisher.