Role of IA in BCP
Transcript of Role of IA in BCP
-
8/12/2019 Role of IA in BCP
1/31
Page 0 2005 Protiviti Inc.
The Role of Internal Audit in Business Continuity Planning
Dan Bailey, MBCP
-
Introduction

Dan Bailey, MBCP
Senior Manager, Protiviti
[email protected]

- Actively involved in the Information Technology industry since 1984
- Actively involved in the Business Continuity industry since 1991
- Received CBCP designation in 1999; MBCP designation in 2002
- Co-Founder of the Arkansas chapter of the Association of Contingency Planners, 2002
- President of the North Texas chapter of the Association of Contingency Planners, 2003-2005
- DRI International Certification Commissioner, 2006-2008
- DRI International Vice-Chair of the newly established Education Commission
-
Agenda

- Establishing A Framework
- Internal Audit Adding Value to the BCP Process
- Information Available to the Internal Auditor
- Proven Approaches to Conducting a BCP Audit
- SOX Section 404?
- Wrap-up and Summary

"By 2008, we believe more than 50% of the G2000 will have robust and tested BC plans, with the remainder attempting to enhance their capabilities beyond rudimentary BC and disaster recovery through 2012." - META Group (February 2003)
-
Section I
Establishing A Framework
-
Business Continuity Management Defined

BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning

Business Continuity Management: the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.
-
Components of A Business Continuity Process

(Diagram. The elements shown, grouped by the framework rows on the slide:)

Business Strategies & Policies
- Contract Terms and Conditions with Suppliers
- Customer Service Level Agreements
- Governance Documentation: Process Accountability, Recurring Activities, Documentation Standards, Strategy Testing, Training & Awareness, Plan Maintenance, Succession Plans

Business & Risk Management Processes
- Business Continuity Governance Design and Data Gathering
- Risk Assessment
- Business Impact Analysis
- Strategy Design
- Plan Documentation
- Plan Validation
- Knowledge Transfer / Implementation

People & Organizational Structure
- Audit Committee Oversight
- Executive Management Sponsorship
- Business Continuity Coordinator
- Crisis Management Team
- Business Recovery Coordinators
- IT DR Coordinators
- Recovery Teams
- Internal Audit Oversight
- Industry / Governmental Oversight

Management Reports
- Risk Assessment Conclusions (Likelihood and Vulnerability)
- Business Impact Analysis Conclusions (Recovery Objectives)
- Strategy Design Options
- Strategy Cost-Benefit Analysis
- Strategy Test Results
- Diagnostic and Benchmarking Conclusions

Methodologies
- Emergency Response
- Crisis Management
- Crisis Communications
- Business Resumption Planning
- IT DR Planning
- Business Impact Analysis
- Risk Assessment
- Business Continuity Strategy Testing
- Training & Awareness
- Supplier Risk Management

Systems & Data
- Documentation Repository
- Plan Documentation Software
- Risk Assessment Conclusions
- Business Impact Analysis Conclusions
- Backup / Replication Software (IT DR Only)
- IT Hardware
-
The Continuity Life Cycle

(Diagram: the Continuity Life Cycle wheel)
- Project Initiation and Management
- Risk Assessment
- Business Impact Analysis
- Business Continuity Strategy Design
- Solutions Deployment & Plan Documentation
- Business Continuity Plan Testing
- Training & Awareness Programs
- Compliance Monitoring & Auditing

Typical Participants in the Planning Process:
- Executive Sponsor
- Steering Committee
- Business Continuity Coordinator
- Business Process Owners
- Information Technology
- Human Resources
- Facilities
- Security
- EHS
- Legal
- Corporate Communications
- Risk Management
- Internal Audit?
-
Managing Business Continuity

(Chart: where the BCM function reports, plotted against an Effectiveness axis)
- Finance: Direct Report to CFO
- Risk Management / Loss Prevention
- Executive Council
- Legal
- Human Resources
- Corporate Communications
- Operations: Direct Report to the COO
- EHS
- Security
- Information Technology
- Internal Audit
-
In the Past, The Internal Auditor

- Asked if a plan was in place
- Reviewed the (IT Disaster Recovery) plan for currency, if they were truly IT Auditors
- Asked if tests were performed; didn't review the results
- Occasionally owned the BCP process!
-
The Continuity Life Cycle - Revisited

(Diagram: the Continuity Life Cycle wheel: Project Initiation and Management; Risk Assessment; Business Impact Analysis; Business Continuity Strategy Design; Solutions Deployment & Plan Documentation; Business Continuity Plan Testing; Training & Awareness Programs; Compliance Monitoring & Auditing)

Ways in Which the Internal Auditor Can Add Value to the BCP Process:
- Keeping Management Informed on Progress Toward BCM Development and Implementation
- The Internal Sales Person: Making the Case for Business Continuity
- Participation in the Risk Assessment and Business Impact Analysis
- Defining Key Business Functions by Assisting with the BIA
- Defining Key Controls and Guiding Toward a Process, not a Plan
- Project Management Standards
- Help Craft Maturity Levels and Definitions
- Audit the BCP Process Initially and in the Future
-
Section III
Information Available to the Internal Auditor
-
Guidance from the IIA (www.theiia.org)

Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process

- Auditors should evaluate business continuity readiness
- Internal audit should assess the organization's business continuity process on a regular basis and provide a preparedness summary to senior management
- Internal auditors can play a role in the organization's planning, to include the risk assessment
- Internal audit activity can help with an assessment of an organization's internal and external environment
- Evaluate the BCP/DRP during formulation
- Internal auditors have a thorough understanding of the business, the individual functions and interdependent relationships
-
Guidance from the IIA (cont.)

Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process

- Review the proposed business continuity and disaster recovery plans for design, completeness, and overall adequacy
- During the recovery period:
  - Internal audit should monitor the effectiveness of the recovery and control of operations
  - Recommend improvements to the BCP
  - Internal audit can also provide support during the recovery activities
  - Internal auditors can assist in identifying the lessons learned from the disaster and the recovery operations
- Periodically audit the organization's BCPs/DRPs for:
  - Adequacy to ensure the timely resumption of operations and processes after adverse circumstances
  - Reflecting the current business operating environment
-
Guidance from the IIA (cont.)

Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process

During the audit, Internal Audit should consider:
- Are all plans up to date?
- Are all critical business functions and systems covered?
- Are the plans based on the risks and potential consequences of business interruptions?
- Are the plans fully documented?
- Have functional responsibilities been assigned?
- Is the organization capable of and prepared to implement the plans?
- Are the plans tested and revised based on the results?
- Are the plans stored properly and safely? Is the storage location known?
- Are the locations of alternate facilities (backup sites) known to employees?
- Do the plans call for coordination with local emergency services?
-
Regulations and Standards

Standards and Guidelines:
- COBIT
- FFIEC
- NIST
- ISO 9000 & 14000, QS 9000
- ISO 17799
- NFPA 1600
- DRI International
- BCI
- PAS 56
- ITIL
- Homeland Security
- COSO

Regulatory Requirements:
- Sarbanes Oxley (Governance)
- FEMA
- FERC
- JCAHO
- HIPAA
- GLBA
- FFIEC (Updated)
- OSHA
- SEC
- NYSE / NASD
- State Insurance Departments
- USA PATRIOT Act
- IRS
- Australian/New Zealand Standard AS/NZS 4360:1999
- California 1386
- BASEL II
- Public Utility Commissions
- FCC
-
Section IV
Proven Approaches to Conducting a BCP Audit
-
A Proven Practice BCP Audit Approach

- Work in a Collaborative Manner (Advise/Teach)
- Understand the History of BCP, Management Objectives and the Level of Maturity Up Front
- Understand the Scope of Business Continuity
- Approach From a Process Perspective, as Opposed to a Documentation Review
- Look for and assess key success factors such as repeatability, extensibility and maintainability
- Focus on the Entire BCM Life-cycle, Ranging from Standards Assessments Through Plan Testing
- Brainstorm Ideas for Improvement
- Engage the Business Continuity Coordinator
-
Executing A Process Oriented BCP Audit

A Comprehensive Business Continuity Management Process Includes:
- Crisis Management
- Crisis Communications
- Business Resumption Planning
- IT Disaster Recovery Planning

Evaluate the Following:
- Standards, Policies and Procedures
- Relationships with External Agencies and Authorities
- Training and Awareness Materials
- Budgetary Documentation
- Documented Plans
- Recovery Location / Hot-site Contracts
- Test Results
- Service Level Agreements
- Regulatory Requirements
- Supply Chain / Vendors Network
-
The Assessment Approach

- Confirm Assessment Expectations / Collect Business Requirements
- Evaluate the Business Continuity Process
  - Process Management
  - Risk Assessment and Business Impact Analysis
  - Define Recovery Strategies and Business Continuity Procedures
  - Training and Awareness, Plan Testing Process, Auditing and Plan Maintenance
- Collect Benchmarking Data to Reinforce Findings
- Validate, Present and Report
-
Industry Benchmarking Data

Nothing Reinforces a Recommendation Like Benchmarking Data:
- Same Industry
- Same Size Company

We maintain information in the following areas:
- BCM Process Description and Scope
- Who Owns the BCM Process
- Budgetary Data
- Number of Personnel Addressing Business Continuity
- Recovery Objectives (Business and IT)

Benchmarking Data Is Available Through Third-party Specialists, Vendors and Informal Contacts (Like This Session)
-
Participants in the BCP Audit

In addition to a review of documentation, we recommend discussions with Business Continuity Management owners, as well as the Business Process owners whom they support (in order to better understand their expectations).
-
Presenting the Findings

- Reinforce Scope and Focus
- Focus on Process Maturity
- Highlight Strengths and Weaknesses
- Tie Findings to Business Impact, to Include Regulatory Compliance
- Provide Action Items and Recommend Points of Contact for Each
- Offer to Track Completion of Each Finding / Action Item
- Next Steps: What Will Next Year's Audit Focus On?
-
Section V
Sarbanes Oxley?
-
Internal Audit and SOX Section 404?

- Section 404 had become a driver for conducting some audits
- Standard may change audit priority
- Business continuity will remain a key business issue regardless of Section 404 scope

"Furthermore, management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting."
- PCAOB Release No. 2004-001, March 9, 2004
-
Section V
Presentation Summary
-
Wrap-up and Summary

- Establishing A Framework
  - What is Business Continuity?
  - Components of a Business Continuity Process
  - The Business Continuity Life Cycle
  - The BCP Maturity Continuum
- Internal Audit Adding Value to the BCP Process
  - In the Past
  - Today: Revisiting the Continuity Life Cycle
- Information Available to the Internal Auditor
  - Regulations and Standards
- Proven Approaches to Conducting a BCP Audit
  - Why Conduct An Audit?
  - Proven Practice Audit Approaches
  - Executing A Process Oriented BCP Audit
  - Participants in the BCP Audit
  - Industry Benchmarking
  - Presenting Findings
- Wrap-up and Summary
-
Questions & Answers
-
Contact Information

Dan Bailey, MBCP
Protiviti Inc.
Senior Manager, National Leadership Team - Business Continuity Management Services
[email protected] (office)
214.207.4543 (mobile)