Role of IA in BCP


Transcript of Role of IA in BCP

  • 8/12/2019 Role of IA in BCP

    1/31

    Page 0 2005 Protiviti Inc.

    The Role of Internal Audit in Business Continuity Planning

    Dan Bailey, MBCP

  • Slide 2: Introduction

    Dan Bailey, MBCP, Senior Manager, Protiviti, [email protected]

    Actively involved in the Information Technology industry since 1984
    Actively involved in the Business Continuity industry since 1991
    Received CBCP designation in 1999; MBCP designation in 2002
    Co-Founder of the Arkansas chapter of the Association of Contingency Planners, 2002
    President of the North Texas chapter of the Association of Contingency Planners, 2003-2005
    DRI International Certification Commissioner, 2006-2008
    DRI International Vice-Chair of the newly established Education Commission

  • Slide 3: Agenda

    Establishing A Framework
    Internal Audit Adding Value to the BCP Process
    Information Available to the Internal Auditor
    Proven Approaches to Conducting a BCP Audit
    SOX Section 404?
    Wrap-up and Summary

    "By 2008, we believe more than 50% of the G2000 will have robust and tested BC plans, with the remainder attempting to enhance their capabilities beyond rudimentary BC and disaster recovery through 2012." - META Group (February 2003)

  • Slide 4: Section I: Establishing A Framework

  • Slide 5: Business Continuity Management Defined

    BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning

    The development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.

  • Slide 6: Components of A Business Continuity Process

    (Diagram; the labels recovered from it are listed below under the six process-model elements the slide names.)

    Business Strategies & Policies: Contract Terms and Conditions with Suppliers; Customer Service Level Agreements; Governance Documentation (Process Accountability, Recurring Activities, Documentation Standards, Strategy Testing, Training & Awareness, Plan Maintenance, Succession Plans)

    Business & Risk Management Processes: Emergency Response; Crisis Management; Crisis Communications; Business Resumption Planning; IT DR Planning; Business Impact Analysis; Risk Assessment; Business Continuity Strategy Testing; Training & Awareness; Supplier Risk Management

    People & Organizational Structure: Audit Committee Oversight; Executive Management Sponsorship; Business Continuity Coordinator; Crisis Management Team; Business Recovery Coordinators; IT DR Coordinators; Recovery Teams; Internal Audit Oversight; Industry / Governmental Oversight

    Management Reports: Risk Assessment Conclusions (Likelihood and Vulnerability); Business Impact Analysis Conclusions (Recovery Objectives); Strategy Design Options; Strategy Cost-Benefit Analysis; Strategy Test Results; Diagnostic and Benchmarking Conclusions

    Methodologies: Business Continuity Governance Design and Data Gathering; Risk Assessment; Business Impact Analysis; Strategy Design; Plan Documentation; Plan Validation; Knowledge Transfer / Implementation

    Systems & Data: Documentation Repository; Plan Documentation Software; Risk Assessment Conclusions; Business Impact Analysis Conclusions; Backup / Replication Software (IT DR Only); IT Hardware

  • Slide 7: The Continuity Life Cycle

    (Diagram: the Continuity Life Cycle, made up of the following eight phases)

    Project Initiation and Management
    Risk Assessment
    Business Impact Analysis
    Business Continuity Strategy Design
    Solutions Deployment & Plan Documentation
    Business Continuity Plan Testing
    Training & Awareness Programs
    Compliance Monitoring & Auditing

    Typical Participants in the Planning Process: Executive Sponsor; Steering Committee; Business Continuity Coordinator; Business Process Owners; Information Technology; Human Resources; Facilities; Security; EHS; Legal; Corporate Communications; Risk Management; Internal Audit?


  • Slide 9: Managing Business Continuity

    (Diagram: candidate reporting lines for the BCM function, arranged along an "Effectiveness" axis)

    Finance (Direct Report to CFO)
    Risk Management / Loss Prevention
    Executive Council
    Legal
    Human Resources
    Corporate Communications
    Operations (Direct Report to the COO)
    EHS
    Security
    Information Technology
    Internal Audit


  • Slide 11: In the Past, The Internal Auditor

    Asked if a plan was in place
    Reviewed the (IT Disaster Recovery) plan for currency, if they were truly IT Auditors
    Asked if tests were performed; didn't review the results
    Occasionally owned the BCP process!

  • Slide 12: The Continuity Life Cycle - Revisited

    (The Continuity Life Cycle diagram from slide 7 is repeated here alongside the points below.)

    Ways In Which the Internal Auditor Can Add Value to the BCP Process:
    Keeping Management Informed on Progress Toward BCM Development and Implementation
    The Internal Sales Person: Making the Case for Business Continuity
    Participation in the Risk Assessment and Business Impact Analysis
    Defining Key Business Functions by Assisting with the BIA
    Defining Key Controls and Guiding Toward a Process, not a Plan
    Project Management Standards
    Help Craft Maturity Levels and Definitions
    Audit the BCP Process Initially and in the Future

  • Slide 13: Section III: Information Available to the Internal Auditor

  • Slide 14: Guidance from the IIA (www.theiia.org)

    Auditors should evaluate business continuity readiness
    Internal audit should assess the organization's business continuity process on a regular basis and provide a preparedness summary to senior management
    Internal auditors can play a role in the organization's planning, to include the risk assessment
    Internal audit activity can help with an assessment of an organization's internal and external environment
    Evaluate the BCP/DRP during formulation
    Internal auditors have a thorough understanding of the business, the individual functions and interdependent relationships

    Source: Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process

  • Slide 15: Guidance from the IIA (cont.)

    Review the proposed business continuity and disaster recovery plans for design, completeness, and overall adequacy
    During the recovery period:
      Internal audit should monitor the effectiveness of the recovery and control of operations
      Recommend improvements to the BCP
      Internal audit can also provide support during the recovery activities
      Internal auditors can assist in identifying the lessons learned from the disaster and the recovery operations
    Periodically audit the organization's BCPs/DRPs for:
      Adequacy to ensure the timely resumption of operations and processes after adverse circumstances
      Reflection of the current business operating environment

    Source: Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process

  • Slide 16: Guidance from the IIA (cont.)

    During the audit, Internal Audit should consider:
    Are all plans up to date?
    Are all critical business functions and systems covered?
    Are the plans based on the risks and potential consequences of business interruptions?
    Are the plans fully documented?
    Have functional responsibilities been assigned?
    Is the organization capable of and prepared to implement the plans?
    Are the plans tested and revised based on the results?
    Are the plans stored properly and safely? Is the storage location known?
    Are the locations of alternate facilities (backup sites) known to employees?
    Do the plans call for coordination with local emergency services?

    Source: Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process

  • Slide 17: Regulations and Standards

    Standards and Guidelines: COBIT; FFIEC; NIST; ISO 9000 & 14000, QS 9000; ISO 17799; NFPA 1600; DRI International; BCI; PAS 56; ITIL; Homeland Security; COSO

    Regulatory Requirements: Sarbanes-Oxley (Governance); FEMA; FERC; JCAHO; HIPAA; GLBA; FFIEC (Updated); OSHA; SEC; NYSE / NASD; State Insurance Departments; USA PATRIOT Act; IRS; Australian/New Zealand Standard AS/NZS 4360:1999; California 1386; BASEL II; Public Utility Commissions; FCC

    (Editor's note: this list reflects 2005. Several entries have since been superseded: ISO 17799 was renumbered ISO/IEC 27002, and PAS 56 was replaced by BS 25999 and later by ISO 22301.)

  • Slide 18: Section IV: Proven Approaches to Conducting a BCP Audit


  • Slide 20: A Proven Practice BCP Audit Approach

    Work in a Collaborative Manner (Advise/Teach)
    Understand the History of BCP, Management Objectives and the Level of Maturity Up Front
    Understand the Scope of Business Continuity
    Approach From a Process Perspective, as Opposed to a Documentation Review
    Look for and Assess Key Success Factors such as Repeatability, Extensibility and Maintainability
    Focus on the Entire BCM Life-cycle, Ranging from Standards Assessments Through Plan Testing
    Brainstorm Ideas for Improvement
    Engage the Business Continuity Coordinator

  • Slide 21: Executing A Process Oriented BCP Audit

    A Comprehensive Business Continuity Management Process Includes: Crisis Management; Crisis Communications; Business Resumption Planning; IT Disaster Recovery Planning

    Evaluate the Following: Standards, Policies and Procedures; Relationships with External Agencies and Authorities; Training and Awareness Materials; Budgetary Documentation; Documented Plans; Recovery Location / Hot-site Contracts; Test Results; Service Level Agreements; Regulatory Requirements; Supply Chain / Vendors; Network

  • Slide 22: The Assessment Approach

    Confirm Assessment Expectations / Collect Business Requirements
    Evaluate the Business Continuity Process:
      Process Management
      Risk Assessment and Business Impact Analysis
      Define Recovery Strategies and Business Continuity Procedures
      Training and Awareness, Plan Testing Process, Auditing and Plan Maintenance
    Collect Benchmarking Data to Reinforce Findings
    Validate, Present and Report

  • Slide 23: Industry Benchmarking Data

    Nothing Reinforces a Recommendation Like Benchmarking Data: Same Industry, Same Size Company

    We maintain information in the following areas: BCM Process Description and Scope; Who Owns the BCM Process; Budgetary Data; Number of Personnel Addressing Business Continuity; Recovery Objectives (Business and IT)

    Benchmarking Data Is Available Through Third-party Specialists, Vendors and Informal Contacts (Like This Session)

  • Slide 24: Participants in the BCP Audit

    In addition to a review of documentation, we recommend discussions with Business Continuity Management owners, as well as the Business Process owners whom they support (in order to better understand their expectations).

  • Slide 25: Presenting the Findings

    Reinforce Scope and Focus
    Focus on Process Maturity
    Highlight Strengths and Weaknesses
    Tie Findings to Business Impact, to Include Regulatory Compliance
    Provide Action Items and Recommend Points of Contact for Each
    Offer to Track Completion of Each Finding / Action Item
    Next Steps: What Will Next Year's Audit Focus On?

  • Slide 26: Section V: Sarbanes-Oxley?

  • Slide 27: Internal Audit and SOX Section 404?

    Section 404 had become a driver for conducting some audits
    Standard may change audit priority
    Business continuity will remain a key business issue regardless of Section 404 scope

    "Furthermore, management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting." - PCAOB Release No. 2004-001, March 9, 2004

  • Slide 28: Section VI: Presentation Summary

  • Slide 29: Wrap-up and Summary

    Establishing A Framework: What is Business Continuity?; Components of a Business Continuity Process; The Business Continuity Life Cycle; The BCP Maturity Continuum
    Internal Audit Adding Value to the BCP Process: In the Past; Today: Revisiting the Continuity Life Cycle
    Information Available to the Internal Auditor: Regulations and Standards
    Proven Approaches to Conducting a BCP Audit: Why Conduct An Audit?; Proven Practice Audit Approaches; Executing A Process Oriented BCP Audit; Participants in the BCP Audit; Industry Benchmarking; Presenting Findings
    Wrap-up and Summary

  • Slide 30: Questions & Answers

  • Slide 31: Contact Information

    Dan Bailey, MBCP
    Protiviti Inc.
    Senior Manager, National Leadership Team - Business Continuity Management Services
    [email protected] (office)
    214.207.4543 (mobile)