In last month’s column, I introduced the task of auditing business-continuity plans and disaster-recovery programs by providing an overview of what an effective program consists of, what the typical internal auditor’s roles in BCP and DR are, and what the key audit-scoping issues are. We’re going to complete the discussion this month by providing further guidance regarding audit-planning efforts, audit-fieldwork activities, and the reporting of results and improvement efforts.

Audit-Planning Phase

Having defined the scope, the audit team needs to plan the audit within the constraints of available resources from the audit department and from the business as a whole. Resourcing decisions are largely risk-based, taking account of factors such as the program management’s experience, the level of management involvement in the program efforts, the size and complexity of the program, and the potential effects on the organization if the program fails.

The availability of suitable auditors is, of course, a prerequisite. Audit teams combining business and IT auditors are recommended wherever possible, since BCP and DR span both fields of expertise.

This is also a good time for the auditors to identify and contact the primary auditees. Securing their assistance with the audit fieldwork is easier if they have an opportunity to comment on the timing and nature of the work required—provided that the audit department’s independence and objectivity are not unduly compromised in the process!

The audit approach also needs to be decided during the audit planning. For instance, will it be feasible to review all BCP and DR plans, or is it necessary to sample the plans? If so, on what basis will the sample be selected? Should the BCP and DR efforts be audited as separate and distinct audits? (For many organizations this could make sense, as they are both important activities worthy of a focused and comprehensive review.) Do outsourced activities and their related BCP and DR plans need to be audited as well?

Most auditors generate an audit checklist at this stage, converting the agreed audit scope into a structured series of audit tests that they plan to conduct. Styles vary, but the most useful checklists aim to guide (rather than constrain) the auditors, since the extent of the audit testing required depends somewhat on what is found. Researching existing audit programs and checklists for BCP and DR before writing your own is, as always, recommended. And of course, before fieldwork commences, audit management should review the audit plans and checklists to ensure that all of the key issues identified in the scope have been given sufficient consideration to satisfy management’s assurance needs.

Audit-Fieldwork Phase

In this phase of the audit, the auditors examine the BCP and DR program based on the goals and methods decided upon in the earlier phases. BCP helps the organization to survive a disaster by keeping critical business processes operating during the crisis, whereas DR restores the other less-critical processes following the crisis. Audit testing during the fieldwork phase gathers sufficient evidence to assess whether the program is able to meet these two fundamental requirements.

Audit tests of a BCP and DR program may include the following:

Interviewing key stakeholders and participants in the program;

Reviewing business case-, planning-, and IT-related documents;

Reviewing individual BCP and DR plans in more or less detail, checking that they are complete, accurate, and up to date—for example, testing a sample of the contact details for key players to confirm that their phone numbers are correct;

Looking for defined recovery times and whether there is evidence that they can be met;

Examining training materials, procedures, guidelines, and so forth, plus any management communications regarding BCP and DR situations that might occur and what employees should do;

Reviewing testing plans and the results of any tests already conducted;

Evaluating relevant employee preparedness and familiarity with procedures;

Reviewing the impact of new regulation on the plans; and

Reviewing contractor and service provider “readiness” efforts.
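Two of the questions above lend themselves to a repeatable check rather than a purely manual read-through: the planning-phase question of what basis to sample plans on, and the fieldwork tests for defined recovery times, plan currency, and verified contact details. The following Python is an added example written for this column, not part of the original text or of any audit tool; it assumes a plan register with the columns shown (a constructed one is embedded) and that the auditor has already phoned a sample of contacts and recorded how many numbers were correct.

```python
"""Added example: an auditor's consistency check over a BCP/DR plan register.

The register rows below are constructed for illustration; real fieldwork would
load them from the organization's plan inventory (CSV or GRC export). Column
names and thresholds are this example's assumptions, not a standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class PlanRecord:
    plan_id: str
    process: str
    criticality: str                 # "critical" or "non-critical"
    rto_hours: Optional[float]       # recovery time objective stated in the plan
    last_test: Optional[date]        # date of the most recent exercise
    achieved_hours: Optional[float]  # recovery time actually demonstrated in that test
    last_review: Optional[date]      # date the owner last reviewed/updated the plan
    contacts_total: int              # contacts sampled from the plan's call tree
    contacts_verified: int           # of those, how many numbers were confirmed correct


def select_sample(records: List[PlanRecord], every_nth: int = 2) -> List[PlanRecord]:
    """Risk-based sample: every plan for a critical process, plus a deterministic
    every-nth slice of the non-critical plans (sorted by id so the basis is reproducible)."""
    critical = [r for r in records if r.criticality == "critical"]
    others = sorted((r for r in records if r.criticality != "critical"), key=lambda r: r.plan_id)
    return critical + others[::every_nth]


def audit_plan(rec: PlanRecord, as_of: date, max_age_days: int = 365) -> List[str]:
    """Return the exceptions for one plan; an empty list means it passed every test."""
    findings: List[str] = []

    # Defined recovery time, and evidence from a test that it can actually be met.
    if rec.rto_hours is None:
        findings.append("no RTO defined")
    if rec.last_test is None:
        findings.append("never tested")
    else:
        if (as_of - rec.last_test).days > max_age_days:
            findings.append(f"last test older than {max_age_days} days ({rec.last_test})")
        if rec.rto_hours is not None:
            if rec.achieved_hours is None:
                findings.append("RTO defined but the last test recorded no recovery time")
            elif rec.achieved_hours > rec.rto_hours:
                findings.append(f"RTO {rec.rto_hours}h not met: last test took {rec.achieved_hours}h")

    # Plan currency: has anyone looked at it within the review period?
    if rec.last_review is None or (as_of - rec.last_review).days > max_age_days:
        findings.append(f"plan not reviewed within {max_age_days} days")

    # Contact details: did the sampled phone numbers actually reach the named people?
    if rec.contacts_total == 0:
        findings.append("no contacts listed or sampled")
    elif rec.contacts_verified < rec.contacts_total:
        failed = rec.contacts_total - rec.contacts_verified
        findings.append(f"{failed} of {rec.contacts_total} sampled contacts could not be verified")
    return findings


def audit_register(records: List[PlanRecord], as_of: date,
                   max_age_days: int = 365) -> Dict[str, List[str]]:
    """Map each plan id to its list of findings."""
    return {r.plan_id: audit_plan(r, as_of, max_age_days) for r in records}


# Constructed register for the example (not real data).
REGISTER = [
    PlanRecord("P-01", "Payroll", "critical", 24.0, date(2024, 3, 10), 20.0, date(2024, 4, 1), 5, 5),
    PlanRecord("P-02", "Order entry", "critical", 4.0, date(2024, 5, 2), 9.0, date(2024, 5, 2), 4, 3),
    PlanRecord("P-03", "Internal wiki", "non-critical", None, None, None, date(2022, 11, 15), 0, 0),
    PlanRecord("P-04", "Data warehouse", "non-critical", 72.0, date(2023, 1, 20), None, date(2024, 2, 1), 2, 2),
]
AS_OF = date(2024, 9, 30)  # fieldwork date assumed for the example

if __name__ == "__main__":
    for plan_id, findings in audit_register(select_sample(REGISTER), AS_OF).items():
        print(f"{plan_id}: {'OK' if not findings else '; '.join(findings)}")
```

The output is only a list of exceptions to follow up, not a verdict: a plan that passes every check here can still be unworkable, which is why the interviews and the review of test results in the list above remain the core of the fieldwork. Recording the sampling basis (here, all critical plans plus every second non-critical plan by id) in the checklist is what lets a reviewer reproduce the selection later.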

Details of the tests are normally recorded in the audit checklist. They are accompanied by a file containing the corresponding audit evidence, such as annotated copies of BCP and DR plans, test results, and other materials that the auditors have reviewed.

Audit Analysis And Reporting Phase

Audit reporting is a straightforward process, at least in theory. This is where the auditors analyze the results of their tests, formulate their recommendations, and prepare and finally present a formal audit report to management. In the report, the auditors explain:

What they set out to do. This part of the report will introduce the risks and recap the audit scope;

The audit methods. This will describe how the auditor went about meeting the objectives;

What they found. This typically covers the key issues identified, if not the full gory details. Not all findings are reportable, but sometimes it helps to provide the completed audit checklist as an appendix to the report and invite management to review the audit evidence if it wants more information; and

The recommendations. This will entail advice to management on how to address the issues identified.

At the end of the day, it is management—not the auditors—that is responsible for deciding which, if any, recommended improvements to the BCP and DR program they intend to make.

In practice, audit reporting varies widely among organizations. It requires a careful balance between the somewhat idealistic outlook of some auditors and the realities of managing the organization with limited resources and competing priorities. There is usually a fairly involved, iterative process of drafting, reviewing, and correcting the report and negotiating the details with management to reach the best possible outcome for the organization. The audit process has the advantage of systematic collection, testing, and evaluation of audit evidence by an independent yet interested function, and the facts of the matter carry a lot of weight with management.

The audit report should present the purpose and objectives of the audit, the audit approach and tests performed, the key opportunities for improvement, and the detailed findings together with management’s action plans. A description of the actual BCP and DR program, including its scope, mandate, role, and accomplishments, would also be useful in getting everyone on the same page regarding the organization’s investment in BCP and DR efforts.

Investment In Resiliency

Auditors can bring considerable value to an organization by evaluating both IT and organizational aspects of the BCP and DR program. Because failure of the BCP and DR programs when needed is one of the highest risks that an organization can face, internal auditors’ independent assessment of the program will provide value far in excess of the audit’s costs.

Management always should be looking for ways to improve its BCP and DR program efforts—that is, don’t just wait for an audit. Involve internal audit in your ongoing program efforts, such as the design and execution of a testing exercise. Regular management “self assessments” should be encouraged, and comprehensive testing of the program is always strongly recommended.

Companies need to take a boardroom perspective on their BCP and DR program efforts. What absolutely must be in place to ensure the organization’s survival? And do you have the plans and programs in place to deal with a significant disruption to operations? That includes assigning responsibilities and accountabilities for business continuity efforts and providing the program with the resources it needs to deliver when called upon.

The bottom line is whether your investment in resiliency is appropriate. What measures have been implemented to track your progress? And, finally, is management regularly assessing and improving the organization’s “preparedness” capabilities in the event of a disaster?