

The Role of Internal Audit in Business Continuity Planning

Dan Bailey, MBCP

© 2005 Protiviti Inc.


Introduction

Dan Bailey, MBCP
Senior Manager, Protiviti
[email protected]

• Actively involved in the Information Technology industry since 1984
• Actively involved in the Business Continuity industry since 1991
• Received CBCP designation in 1999; MBCP designation in 2002
• Co-Founder of the Arkansas chapter of the Association of Contingency Planners
• 2002 President of the North Texas chapter of the Association of Contingency Planners
• 2003-2005 DRI International Certification Commissioner
• 2006-2008 DRI International Vice-Chair of the newly established Education Commission


Agenda

• Establishing A Framework
• Internal Audit – Adding Value to the BCP Process
• Information Available to the Internal Auditor
• Proven Approaches to Conducting a BCP Audit
• SOX Section 404?
• Wrap-up and Summary

“By 2008, we believe more than 50% of the G2000 will have robust and tested BC plans, with the remainder attempting to enhance their capabilities beyond rudimentary BC and disaster recovery through 2012.” - META Group (February 2003)


Section I

Establishing A Framework


Business Continuity Management Defined

BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning

…the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.


Components of A Business Continuity Process

(Figure: the six components of the framework, with the elements shown under each.)

Business Strategies & Policies
• Contract Terms and Conditions with Suppliers
• Customer Service Level Agreements
• Governance Documentation
- Process Accountability
- Recurring Activities
- Documentation Standards
- Strategy Testing
- Training & Awareness
- Plan Maintenance
- Succession plans

People & Organizational Structure
• Audit Committee Oversight
• Executive Mgmt Sponsorship
• Business Continuity Coordinator
• Crisis Mgmt Team
• Business Recovery Coordinators
• IT DR Coordinators
• Recovery Teams
• Internal Audit Oversight
• Industry / Governmental Oversight

Management Reports
• Risk Assessment Conclusions (Likelihood and Vulnerability)
• Business Impact Analysis Conclusions (Recovery Objectives)
• Strategy Design Options
• Strategy Cost-Benefit Analysis
• Strategy Test Results
• Diagnostic and Benchmarking Conclusions

Methodologies
• Business Continuity Governance Design and Data Gathering
• Risk Assessment
• Business Impact Analysis
• Strategy Design
• Plan Documentation
• Plan Validation
• Knowledge Transfer / Implementation

Systems & Data
• Documentation Repository
• Plan Documentation Software
• Risk Assessment Conclusions
• Business Impact Analysis Conclusions
• Backup / Replication Software (IT DR Only)
• IT Hardware

Business & Risk Management Processes
• Emergency Response
• Crisis Mgmt
• Crisis Communications
• Business Resumption Planning
• IT DR Planning
• Business Impact Analysis
• Risk Assessment
• Business Continuity Strategy Testing
• Training & Awareness
• Supplier Risk Mgmt


The Continuity Life Cycle

(Figure: the Continuity Life Cycle, showing the phases Risk Assessment, Business Impact Analysis, Business Continuity Strategy Design, Project Initiation and Management, Solutions Deployment & Plan Documentation, Compliance Monitoring & Auditing, Training & Awareness Programs, and Business Continuity Plan Testing.)

• “Typical” Participants in the Planning Process:
– Executive Sponsor
– Steering Committee
– Business Continuity Coordinator
– Business Process Owners
– Information Technology
– Human Resources
– Facilities
– Security
– EHS
– Legal
– Corporate Communications
– Risk Management
– Internal Audit?


The BCP Maturity Continuum

(Figure: BCM Capability Maturity Continuum, © 2004 Protiviti Inc. Process maturity rises from Ad Hoc through Repeatable, Defined and Managed to Optimizing; each level is described by its Characteristics of Capability and its Method of Achievement.)

Ad Hoc

Characteristics of Capability: Significant risk of continuity-related impacts is present. Business interruptions, ranging from isolated infrastructure failures through regional events, have the potential to cause serious financial harm and/or reputational impairment. The organization relies on “force majeure” clauses to minimize contractual violations.

Method of Achievement: BCP goals and expectations were derived without a risk assessment or business impact analysis. Business continuity strategies are characterized as ad hoc; a formal documented plan does not exist. Business continuity accountability and responsibility remain unassigned. Business continuity testing and training and awareness processes have not been designed. The organization lacks confidence in its ability to survive following a business interruption.

Repeatable

Characteristics of Capability: Management relies on untested or under-tested continuity-related processes to manage the effects of business interruptions. IT asset recovery is often the most mature aspect of the continuity process, although some organizations emphasize either crisis management or business resumption planning. Employees have limited knowledge regarding their roles during recovery, potentially impacting the likelihood of a successful response effort.

Method of Achievement: The organization’s business continuity strategy addresses crisis management, business resumption or IT disaster recovery. Continuity processes are designed and developed separately and lack integration. A high-level risk assessment and/or business impact analysis has been performed. Although some continuity-related processes exist, plan maintenance and testing procedures have not been implemented.

Defined

Characteristics of Capability: Business functions and IT assets supporting the delivery of products and services, as well as customer service, are protected from long-term business interruptions. Customer expectations regarding product and service delivery have been taken into account. Testing and training limitations may result in isolated recovery issues, often taking the form of recovery capacity constraints and missed recovery objectives.

Method of Achievement: A formal business continuity strategy has been designed and deployed. A risk assessment has been performed to identify and assess continuity risks. A business impact analysis (BIA) has been performed, but there are no processes to keep it current. Testing is infrequent or fails to address all aspects of the continuity process. Plan maintenance activities have not occurred in over twelve months. Metrics for key BCP tasks require refinement.

Managed

Characteristics of Capability: In addition to a customer focus and the desire to minimize financial loss and reputation impairment, management addresses regulatory compliance through the design of solutions with characteristics mandated by industry and governmental organizations. Specific compliance categories include data protection, financial reporting process continuity, strategy testing and plan maintenance processes.

Method of Achievement: Business continuity strategies address core business functions, information technology assets and supply chain relationships. Management fully supports this effort. The organization’s business continuity management process, to include crisis management, crisis communications, business resumption planning and IT disaster recovery planning, operates as a single function. The BCM process reflects the current business and technology environment.

Optimizing

Characteristics of Capability: Business continuity management is a competitive advantage. Management “advertises” the existence of the business continuity process internally and externally with customers. Continuity-related service level agreements, associated with uptime, performance and continuity, are utilized to drive efficiencies internally and build strategic relationships with customers.

Method of Achievement: Comprehensive, organization-wide business continuity strategies are aligned with strategic objectives and customer expectations. BCM operates as a core business function, chartered with clear accountability and responsibility. Regular BCP testing and maintenance occurs. Personnel are well trained regarding their roles and responsibilities. Metrics are collected and managed to ensure continuity-related service level agreements are met.


Managing Business Continuity

(Figure: reporting options for the business continuity function, plotted against an “Effectiveness” axis.)

• Finance
– Direct Report to CFO
– Risk Management / Loss Prevention
• Executive Council
– Legal
– Human Resources
– Corporate Communications
• Operations
– Direct Report to the COO
– EHS
– Security
• Information Technology
• Internal Audit


Section II

Internal Audit – Adding Value to the BCP Process


In the Past, The Internal Auditor…

• Asked if a plan was in place
• Reviewed the (IT Disaster Recovery) plan for currency, if they were truly IT Auditors
• Asked if tests were performed; didn’t review the results
• Occasionally owned the BCP process!


The Continuity Life Cycle - Revisited

(Figure: the Continuity Life Cycle from Section I is shown again, with the same phases: Risk Assessment, Business Impact Analysis, Business Continuity Strategy Design, Project Initiation and Management, Solutions Deployment & Plan Documentation, Compliance Monitoring & Auditing, Training & Awareness Programs, and Business Continuity Plan Testing.)

• Ways In Which the Internal Auditor Can Add Value to the BCP Process:
– Keeping Management Informed on Progress Toward BCM Development and Implementation
– The Internal Sales Person – Making the Case for Business Continuity
– Participation in the Risk Assessment and Business Impact Analysis
– Defining Key Business Functions By Assisting with the BIA
– Defining Key Controls and Guide Toward a Process, not a Plan
– Project Management Standards
– Help Craft Maturity Levels and Definitions
– Audit the BCP Process – Initially and in the Future


Section III

Information Available to the Internal Auditor


Guidance from the IIA – www.theiia.org

• Auditors should evaluate business continuity readiness
• Internal audit should assess the organization's business continuity process on a regular basis
– Provide a preparedness summary to senior management
• Internal auditors can play a role in the organization’s planning, to include the risk assessment
– The internal audit activity can help with an assessment of the organization's internal and external environment
• Evaluate the BCP/DRP during formulation
– Internal auditors have a thorough understanding of the business, the individual functions and their interdependent relationships

Practice Advisory 2110-2: Internal Audit’s Role in the Business Continuity Process


Guidance from the IIA (cont.)

• Review the proposed business continuity and disaster recovery plans for design, completeness, and overall adequacy
• During that recovery period:
– Internal audit should monitor the effectiveness of the recovery and control of operations
– Recommend improvements to the BCP
– Internal audit can also provide support during the recovery activities
– Internal auditors can assist in identifying the lessons learned from the disaster and the recovery operations
• Periodically audit the organization's BCPs/DRPs
– Adequacy to ensure the timely resumption of operations and processes after adverse circumstances
– Reflects the current business operating environment

Practice Advisory 2110-2: Internal Audit’s Role in the Business Continuity Process


Guidance from the IIA (cont.)

• During the audit, Internal Audit should consider:
– Are all plans up to date?
– Are all critical business functions and systems covered?
– Are the plans based on the risks and potential consequences of business interruptions?
– Are the plans fully documented?
– Have functional responsibilities been assigned?
– Is the organization capable of and prepared to implement the plans?
– Are the plans tested and revised based on the results?
– Are the plans stored properly and safely? Is the storage location known?
– Are the locations of alternate facilities (backup sites) known to employees?
– Do the plans call for coordination with local emergency services?

Practice Advisory 2110-2: Internal Audit’s Role in the Business Continuity Process


Regulations and Standards

• Standards and Guidelines
– COBIT
– FFIEC
– NIST
– ISO 9000 & 14000, QS 9000
– ISO 17799
– NFPA 1600
– DRI International
– BCI PAS 56
– ITIL
– Homeland Security
– COSO

• Regulatory Requirements
– Sarbanes Oxley (Governance)
– FEMA
– FERC
– JCAHO
– HIPAA
– GLBA
– FFIEC (Updated)
– OSHA
– SEC
– NYSE / NASD
– State Insurance Departments
– USA PATRIOT Act
– IRS
– Australian/New Zealand Standard AS/NZS 4360:1999
– California 1386
– BASEL II
– Public Utility Commissions
– FCC


Section IV

Proven Approaches to Conducting a BCP Audit


Why Conduct a BCP Audit?

• Provide Management Assurance
• Identify Control Gaps
• Regulatory Compliance
• Identify Actions to Enhance Maturity
• Ensure Business Process Owners are Accountable for Their Plans and Testing


A Proven Practice BCP Audit Approach

• Work in a Collaborative Manner (Advise/Teach)
• Understand the History of BCP, Management Objectives and the Level of Maturity Up Front
• Understand the Scope of Business Continuity
• Approach From a Process Perspective, as Opposed to a Documentation Review
– Look for and assess key success factors such as repeatability, extensibility and maintainability
• Focus on the Entire BCM Life-cycle, Ranging from Standards Assessments Through Plan Testing
• Brainstorm Ideas for Improvement – Engage the Business Continuity Coordinator


Executing A Process Oriented BCP Audit

• A Comprehensive Business Continuity Management Process Includes:
– Crisis Management
– Crisis Communications
– Business Resumption Planning
– IT Disaster Recovery Planning

• Evaluate the Following:
– Standards, Policies and Procedures
– Relationships with External Agencies and Authorities
– Training and Awareness Materials
– Budgetary Documentation
– Documented plans
– Recovery Location / Hot-site Contracts
– Test Results
– Service Level Agreements
– Regulatory Requirements
– Supply Chain / Vendors
– Network


The Assessment Approach

• The Approach
– Confirm Assessment Expectations / Collect Business Requirements
– Evaluate the Business Continuity Process
  • Process Management
  • Risk Assessment and Business Impact Analysis
  • Define Recovery Strategies and Business Continuity Procedures
  • Training and Awareness, Plan Testing Process, Auditing and Plan Maintenance
– Collect Benchmarking Data to Reinforce Findings
– Validate, Present and Report


Industry Benchmarking Data

• Nothing Reinforces a Recommendation Like Benchmarking Data
– Same Industry
– Same Size Company
• We maintain information in the following areas:
– BCM Process Description and Scope
– Who Owns the BCM Process
– Budgetary Data
– Number of Personnel Addressing Business Continuity
– Recovery Objectives (Business and IT)
• Benchmarking Data Is Available Through Third-party Specialists, Vendors and Informal Contacts (Like This Session)


Participants in the BCP Audit

• In addition to a review of documentation, we recommend discussions with Business Continuity Management owners, as well as the Business Process owners whom they support (in order to better understand their expectations)


Presenting the Findings

• Reinforce Scope and Focus
• Focus on Process Maturity
• Highlight Strengths and Weaknesses

– Tie Findings to Business Impact, to Include Regulatory Compliance

• Provide Action Items and Recommend Points of Contact for Each

• Offer to Track Completion of Each Finding / Action Item

• Next Steps – What Will Next Year’s Audit Focus On?


Section V

Sarbanes Oxley?


Internal Audit and SOX Section 404?

• Section 404 had become a driver for conducting some audits
• Standard may change audit priority
• Business continuity will remain a key business issue – regardless of Section 404 scope

“Furthermore, management’s plans that could potentially affect financial reporting in future periods are not controls. For example, a company’s business continuity or contingency planning has no effect on the company’s current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company’s business continuity or contingency planning is not part of internal control over financial reporting.”

PCAOB Release No. 2004-001, March 9, 2004


Section V

Presentation Summary


Wrap-up and Summary

• Establishing A Framework
– What is Business Continuity?
– Components of a Business Continuity Process
– The Business Continuity Life Cycle
– The BCP Maturity Continuum
• Internal Audit – Adding Value to the BCP Process
– In the Past
– Today: Revisiting the Continuity Life Cycle
• Information Available to the Internal Auditor
– Regulations and Standards
• Proven Approaches to Conducting a BCP Audit
– Why Conduct An Audit?
– Proven Practice Audit Approaches
– Executing A Process Oriented BCP Audit
– Participants in the BCP Audit
– Industry Benchmarking
– Presenting Findings

• Wrap-up and Summary


Questions & Answers


Contact Information

Dan Bailey, MBCP
Protiviti Inc.
Senior Manager
National Leadership Team - Business Continuity Management Services
[email protected] (office)
214.207.4543 (mobile)