Business Continuity Management Audit/Assurance Program
ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer
ISACA has designed and created the Business Continuity Management Audit/Assurance Program (the “Work”) primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights
© 2011 ISACA. All rights reserved.
No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

ISBN 978-1-60420-186-4
Business Continuity Management Audit/Assurance Program
Printed in the United States of America

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.
ISACA wishes to recognize:

Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive Inc., USA
Jeff Kalwerisky, CISA, CA (SA), CPE Interactive Inc., USA

Subject Matter Expert
Harvey Betan, CPCB, Riskmasters Inc., USA

Expert Reviewers
Sunil Bakshi, CISA, CISM, CGEIT, CRISC, AMBCI, BS25999LI, CFE, CISSP, ISO 27001 LA, MCA, PMP, National Stock Exchange, India
Diane D. Bili, USCI, Canada
Bok Hai Suan, CISM, CGEIT, PM, Singapore
Michael D. Hansen, CISA, CFE, Public Employees Retirement Association of New Mexico, USA
Le Thi Mai Huong, CISA, BNP Paribas PF, France
Gary Langham, CISA, CISM, CGEIT, CISSP, CPFA, Australia
Lucio Augusto Molina Focazzio, CISA, CISM, CRISC, ITIL, Colombia
Vipin Sehgal, CISA, Sun Life Financial, Canada
Tariq Shaikh, CUISA, Tim Hortons Inc., Canada

ISACA Board of Directors
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management, Inc., USA, Vice President
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia, Vice President
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, Past International President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Allan Neville Boardman, CISA, CISM, CGEIT, CRISC, CA, CISSP, J.P. Morgan Chase, UK, Director
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Director

Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Chairman
Michael A. Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CFE, CBCP, Ernst & Young LLP, Singapore
Phil Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jon Singleton, CISA, FCA, Canada
Patrick Stachtchenko, CISA, CGEIT, Stachtchenko & Associates SAS, France

Guidance and Practices Committee
Phil Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, 6 Sigma, Quest Software, Spain
Meenu Gupta, CISA, CISM, CBP, CIPP, CISSP, Mittal Technologies, USA
Yongdeok Kim, CISA, IBM Korea Inc., Korea
Perry Menezes, CISM, CRISC, Deutsche Bank, USA
Mario Micallef, CGEIT, CPAA, FIA, Advisory in GRC, Malta
Salomon Rico, CISA, CISM, CGEIT, Deloitte Mexico, Mexico
Nikolaos Zacharopoulos, Geniki Bank, Greece

ISACA and IT Governance Institute® Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc
Symantec Corp.
TruArx Inc.
Table of Contents
I. Introduction
II. Using This Document
III. Controls Maturity Analysis
IV. Assurance and Control Framework
V. Executive Summary of Audit/Assurance Focus
VI. Audit/Assurance Program
   1. Planning and Scoping the Business Continuity Audit
   2. Business Continuity Plan Management
   3. BCM Policy, Standards and Procedures
   4. Business Impact Assessment
   5. Risk Assessment
   6. Documentation
   7. Plan Testing
VII. Maturity Assessment
VIII. Assessment Maturity vs. Target Maturity
I. Introduction

Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management. Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise’s control framework.
Governance, Risk and Control of IT
Governance, risk and control of IT are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.
Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.
II. Using This Document
This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.
Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. The physical document was designed in Microsoft® Word. The IT audit and assurance professional is encouraged to make modifications to this document to reflect the specific environment under review. Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g., 1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the substeps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the program, the audit/assurance objective—the reason for performing the steps in the topic area—is described. The specific controls follow. Each review step is listed below the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed.

The ISACA audit/assurance programs have adopted a maturity assessment process as documented in the IT Assurance Guide: Using COBIT. This audit/assurance program includes that maturity assessment: section III describes the maturity model, section VII records the assessment and section VIII compares assessed maturity with target maturity.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing, and report clearing—has been excluded from this document because it is standard for the audit/assurance function and should be identified elsewhere in the enterprise’s standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise’s control framework. While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors. For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure 1.
Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework (five components)

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework (eight components)

Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.
The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/ assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.
III. Controls Maturity Analysis
One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the enterprise, so that it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development. Figure 2, taken from the IT Assurance Guide: Using COBIT, Appendix VII—Maturity Model for Internal Control, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure 2—Maturity Model for Internal Control

Maturity level 0: Non-existent
Status of the internal control environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of internal controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity level 1: Initial/ad hoc
Status of the internal control environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of internal controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity level 2: Repeatable but Intuitive
Status of the internal control environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of internal controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity level 3: Defined
Status of the internal control environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of internal controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity level 4: Managed and Measurable
Status of the internal control environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of internal controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity level 5: Optimized
Status of the internal control environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of internal controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report and can be used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception as to the maturity level may vary between the process owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder’s concurrence before submitting the final report to management. At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the control framework, using the main topics of the program, and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page of the document (section VIII), based on sample assessments.
IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards
This audit program is not IT-focused. The ITAF section most relevant to business continuity management is 3630.9 Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). The scope of this audit/assurance program is significantly wider than the IT continuity plan, and ITAF’s IT focus should not limit the scope of the review.
ISACA Control Framework
COBIT is a framework for the governance of IT and a supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.
Business Continuity Management aligns with DS4, Ensure Continuous Service. However, the scope is wider and does not lend itself to a direct comparison on a specific control objective level. The COBIT cross-reference is indicated where applicable.
V. Executive Summary of Audit/Assurance Focus
A business continuity plan is an enterprisewide group of processes and instructions to ensure the continuation of business processes, including but not limited to information technology, in the event of an interruption. It provides the plans for the enterprise to recover from minor incidents (e.g., localized disruptions of business components) to major disruptions (e.g., fire, natural disasters, extended power failures, equipment and/or telecommunications failure). The plan is usually owned and managed by the business units and a disaster management or risk prevention function in the enterprise. Functional continuity plans are subsets of the enterprise business continuity planning and support the delivery of essential business services.

The business continuity plan must ensure that:
• Risks are appropriately identified and evaluated by focusing on the impact of known and potential risks on business processes.
• The costs of implementing and managing continuity assurance are less than the expected losses and within management’s risk tolerance.
• The business priorities are addressed: critical applications, interim processes, restoration activities and mandated deadlines.
• Manual interfaces to automated processes are identified, personnel are trained and practice drills are conducted.
• Expectations are managed with realistic goals.
Business Impact and Risk

Business reliance on automated solutions, employee knowledge and manual processes is tightly woven into the DNA of the enterprise. The risks and potential impacts of failing to establish a good-practice business continuity plan, and to align the functional continuity plans with it, include the inability of the enterprise to conduct normal business functions after a disruption due to:
- Failure of plans to reflect changes to business needs, the application portfolio, compliance requirements or technology
- Inadequate planning and consideration of significant enterprise risks
- Failure to plan for, or inability to assess, the situation and implement alternate processes to fit unforeseen circumstances
- Inappropriate or incomplete recovery plans and processes, resulting in delayed restoration of business functions
- Incomplete or untested interim logistics plans
- Inadequate training and/or staff not prepared to execute the plan effectively and quickly
- Inadequate or unavailable staffing resources to restore business processes within the recovery time objectives (RTOs) and recovery point objectives (RPOs)
- Lack of plan change control, resulting in out-of-date continuity plans
- Regulatory violations resulting in fines or censure
- Reputational risk resulting in loss of customer confidence
- Inability to comply with legal electronic discovery requirements
- Increased costs for continuity management due to ineffective focus on risks and costs, or failure to prioritize services recovery based on business need
- Lack of realistic threat scenarios that may potentially disrupt business processes
- Failure to consider all possible threat scenarios based on potential circumstances and events
Objective and Scope

Objective—The business continuity audit/assurance review will:
- Provide management with an evaluation of the enterprise's preparedness in the event of a major business disruption
- Identify issues that may limit interim business processing and the restoration of normal operations
- Provide management with an independent assessment of the effectiveness of the business continuity plan and its alignment with subordinate continuity plans

Scope—The review will focus on the enterprise business continuity plan and on the policies, standards, guidelines, procedures, laws and regulations that address maintaining continuous business services. This will include:
- Development, maintenance and testing of the business continuity plan
- Ability to provide interim business services and the effective and timely restoration of normal services
- Risk management and costs related to the business continuity plan
Minimum Audit Skills The audit and assurance professional should have an understanding of good-practice business continuity management frameworks and processes. In addition, a solid understanding of the enterprise's business functions and industry risks is necessary to perform the review. The business continuity management audit/assurance review is best performed as an integrated audit, by professionals with business, operational and technology skill sets.
VI. Audit/Assurance Program
1. PLANNING AND SCOPING THE BUSINESS CONTINUITY AUDIT

1.1 Define Audit/Assurance Objectives
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this business continuity management (BCM) audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit universe, annual plan and charter.

1.2 Define Boundaries of Review
The review must have a defined scope. The reviewer should understand the operating environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Obtain BCM policy documentation.
1.2.2 Obtain and review the enterprise BCM plans.
1.2.3 Determine if the BCM audit will cover the whole enterprise or be limited to specific business units.
1.2.4 Identify limitations and/or constraints affecting the ability to audit specific departments, locations or entities.

1.3 Identify and Document Audit Risks
The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures the most effective utilization of audit resources.
1.3.1 Determine if the risk assessment rating assigned by the audit department is reasonable.
1.3.2 Evaluate the overall risk profile for performing the review.
1.3.3 Determine if BCM audits have been performed previously. If so, determine the following:
1.3.3.1 Determine the status of issues previously identified.
1.3.3.2 Determine if the status of previously identified issues requires adjustment to the audit risk rating and priority of the audit.
1.3.4 Based on the audit risk assessment, identify changes to the scope.
1.3.5 Discuss the risks with appropriate management, and adjust the audit risk assessment as needed.
The audit/assurance program steps in the following sections are laid out in a table with these columns: Audit/Assurance Program Step; COBIT Cross-reference; the COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring), each marked with an X where the step applies; Reference Hyperlink; Issue Cross-reference; and Comments. The COBIT cross-reference for each control is shown with the control below.
1.4 Define the Audit Change Process
The initial audit approach is based on the reviewer's understanding of the operating environment and associated risks. As further research and analysis are performed, changes to the scope and approach will result.
1.4.1 Identify the senior assurance resource responsible for the review.
1.4.2 Establish the process for suggesting and implementing changes to the BCM audit/assurance program and the authorizations required.

1.5 Define Assignment Success
The success factors need to be identified.
1.5.1 Identify the drivers for a successful review. (These should exist in the assurance function's standards and procedures.)
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.

1.6 Define Audit Resources Required
The resources required are defined in the introduction to this BCM audit/assurance program.
1.6.1 Determine the audit skills necessary for the review.
1.6.2 Consider how the audit/assurance process will integrate internal audit resources based on subject matter expertise.
1.6.3 Estimate the total audit resources (hours) and time frame (start and end dates) required for the review.

1.7 Define Deliverables
The deliverable is not limited to the final report. BCM is also not limited to a single stakeholder. Communication between the audit/assurance team and the various stakeholders is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses or meetings, and the final report.
1.7.2 Determine who the key representatives of each affected organization are and identify their participation in the status and final reporting process.

1.8 Communications
The audit/assurance process must be clearly communicated to the organization.
1.8.1 Identify the recipients of status reports and other communications.
1.8.2 Schedule status meetings and status reporting procedures.
2. BUSINESS CONTINUITY PLAN MANAGEMENT

2.1 Business Continuity Management Organization
Audit/Assurance Objective: The business continuity management team must be organized to represent all appropriate business functions.

Business Continuity Management Organization
Control: The BCM team has a designated leader, reporting to a senior executive with cross-organization responsibilities. Membership of the BCM team includes the major segments of the enterprise's business units, as well as critical support functions such as legal, human resources, public relations, supply and logistics chain management, manufacturing, information security, IT operations, and internal and external auditors.
COBIT cross-reference: PO4.6, DS4.1
2.1.1.1 Obtain an organization chart describing the BCM job descriptions, reporting relationships, level of authority, and incumbent and back-up personnel assigned to each position, and determine whether all personnel are active in the enterprise.
2.1.1.2 Obtain the documents relating to the processes and procedures to be followed by the BCM group in the event of a contingency, the composition of the group, frequency of meetings, and communications requirements.
2.1.1.3 Determine if the following functions are represented on the BCM team:
- Team management
- Finance
- Human resources
- Facilities
- Legal
- Public relations
- Technology
- Operations
- Supply and logistics chain management
- Communications
- Critical third parties, e.g., contractors, technology vendors
- Internal and external audit
2.1.1.4 Determine if the representatives regularly participate in, or are consulted on, strategic and operational issues affecting business continuity.
2.1.1.5 Obtain minutes of meetings, organization charts and other documentation as evidence of participation.
2.1.1.6 Determine if the team manager reports to an appropriate senior-level (C-suite) executive with cross-organization responsibilities.
2.1.1.7 Identify the form and process for the reporting relationship.
3. BCM POLICY, STANDARDS AND PROCEDURES

3.1 Policy and Standards
Audit/Assurance Objective: Policies affecting business continuity are implemented to ensure completeness and appropriate coverage of business risks.

Policy Definition
Control: The BCM function is actively involved in the establishment of business continuity policy.
COBIT cross-reference: PO6.3, DS4.1, DS4.2
3.1.1.1 Obtain corporate policies and standards.
3.1.1.2 Determine if BCM is based on recognized standards or frameworks, e.g., BS 25999 (Business Continuity Management) or NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems).
3.1.1.3 Obtain minutes of BCM meetings to verify involvement in, and familiarity with, corporate policies and standards.
3.1.1.4 Determine if the BCM documentation includes appropriate reports, dashboards, etc., to support BCM governance as required by corporate policies.
3.1.1.5 Determine if the BCM team is involved in the development of policies and standards.
3.1.1.6 Review policy approval procedures for inclusion of BCM in the process.

3.2 BCM Procedures
Audit/Assurance Objective: BCM procedures are defined, implemented and monitored.

Procedures
Control: The BCM procedures include a charter or a statement of scope and objectives.
3.2.1.1 Obtain the BCM charter or scope and objectives.
3.2.1.2 Determine if the charter or scope and objectives include the business units within the organization that either require or provide BCM services.
Personnel Policies
Control: Personnel policies are established and include skills assessment and training programs for the BCM function.
COBIT cross-reference: PO7, DS4.3, DS7
3.2.1.3 Determine if resources assigned to the BCM function have appropriate skills to perform their duties.
3.2.1.4 Determine if resources assigned to the BCM function have training requirements, training schedules and monitoring of training completion.
3.2.1.5 Obtain training records for BCM resources.
3.2.1.6 Evaluate the training records; determine if they address the deficiencies identified in the skills assessment.

Incident Response
Control: Incident response responsibilities are clearly defined and exercises are routinely executed.
COBIT cross-reference: DS4.1, DS8.3, DS8.4, DS10
3.2.1.7 Obtain the incident response policies and procedures.
3.2.1.8 Determine if incident responsibilities are clearly identified.
3.2.1.9 Determine if alternate resources for key responsibilities are defined.
3.2.1.10 Determine if incident drills are regularly scheduled.
3.2.1.11 Determine if incident drills adequately consider foreseeable incidents and disaster scenarios.
3.2.1.12 Determine if the policies and procedures are up to date and are regularly reviewed.

BCM Procedure Monitoring
Control: BCM processes are routinely monitored, and results are reported to and evaluated by responsible management.
COBIT cross-reference: ME1, ME2, ME4
3.2.1.13 Determine if BCM policies and procedures are monitored.
3.2.1.14 Determine if the monitoring reporting process includes the use of scorecards and self-assessments.
3.2.1.15 Obtain and review self-assessments for effectiveness.
3.2.1.16 Obtain and review scorecards. Determine if issue-monitoring procedures are in effect to ensure resolution of identified issues.
3.2.1.17 Determine how often reports are generated and the appropriateness of the individual(s) who receive the reports.

3.3 BCM Maintenance
Audit/Assurance Objective: The BCM policies and procedures are subject to routine review to ensure they address current business continuity issues.

BCM Maintenance Reviews
Control: Periodic reviews of the BCM policies and procedures are regularly scheduled and performed, and the results evaluated.
COBIT cross-reference: PO8, AI4, DS4.4
3.3.1.1 Obtain a list of all BCM documentation.
3.3.1.2 Determine if the BCM documentation has been updated regularly and whether change or effective dates appear on each page of the documentation.
3.3.1.3 Determine if reviewers document completion of the review process with their initials or signature.
3.3.1.4 Determine if the personnel reviewing documents are qualified.
3.3.1.5 Determine if a senior executive has formally approved all recent material changes to BCM policies, procedures and documentation.
3.3.1.6 Determine if BCM policies, procedures and documentation are available in an appropriate form independent of the internal infrastructure, e.g., hard copy or an electronic version maintained off-site or in a cloud-based online service.
3.3.1.7 Determine if key business continuity, line-of-business and supporting staff all have access to the documentation.

4. BUSINESS IMPACT ASSESSMENT (BIA)

4.1 BIA Defines Business Continuity Needs
Audit/Assurance Objective: A comprehensive business impact analysis is the basis for business continuity decisions.

BIA Methodology Defined
Control: A BIA methodology is defined and implemented.
COBIT cross-reference: DS4.1, DS4.2
4.1.1.1 Obtain the BIA methodology.
4.1.1.2 Review the processes for implementing modifications to reflect changes in the business and processing environments and in incident history.
4.1.1.3 Determine that the organization has defined RTOs (recovery time objectives) and RPOs (recovery point objectives) for each critical application. (Here an application is defined as a group of business processes, not an IT application.)
4.1.1.4 Assess whether the RTOs and RPOs are practical and reasonable for each application and line of business or function.

BIA Supports BCM
Control: The BIA justifies the BCM alternatives.
COBIT cross-reference: DS4.1, DS4.2
4.1.1.5 Obtain management reports, minutes of meetings, emails, etc., that formally document BIA communications and status reports.

BIA Continually Assesses Business Continuity Needs
Control: The BIA is updated, at least annually, by the business and support units.
COBIT cross-reference: DS4.4
4.1.1.6 Obtain management reports, minutes of meetings, etc., that document periodic updates to the BIA.
4.1.1.7 Review the management reports to ensure all business and support units perform the annual assessment.
4.1.1.8 Select specific annual reports from high-risk functional units; determine that the annual updates for the selected units were performed as required and include a fresh assessment of the business continuity needs.
4.1.1.9 Determine that the business unit managers document the completion of an annual (or more frequent) BIA review.
4.1.1.10 Determine if BIAs are performed in response to significant business process change and when business units are acquired or sold.

Single Points of Failure
Control: The BIA includes a detailed analysis of all single points of failure in the business and support functions.
COBIT cross-reference: DS4.3, DS4.4
4.1.1.11 Obtain analyses of single points of failure within the business and support units, e.g., supply chain, logistics chain, financial reporting, technology stacks (all levels of technology supporting a business function, from hardware through networks to application layers, databases, Web interfaces, etc.).
4.1.1.12 Determine that every single point of failure has either been fully remediated, or the enterprise has formally accepted the risk, or the risk has been laid off (typically by purchasing suitable insurance cover).

5. RISK ASSESSMENT

5.1 Integration With Enterprise Risk Management (ERM)
Audit/Assurance Objective: BCM is an integral component of the ERM program.

5.1.1 Risk Management
Control: Management must participate in an active risk management program.
COBIT cross-reference: PO9
5.1.1.1 Determine that the BCM team (or other appropriate team) performs annual or more frequent risk assessments, based on current business conditions.
5.1.1.2 Determine if risk assessments include supply chain and logistics chain issues as well as mission-critical third-party relationships.
5.1.1.3 Determine if identified hazards are being monitored.
5.1.1.4 Determine that the BCM team prepares a residual risk profile identifying significant risks, and review the documents to determine management follow-up.
5.1.1.5 Obtain risk management meeting minutes and other documentation to determine the involvement of the BCM function.
5.1.1.6 Determine that the BCM function participates in the risk management function.

Enterprise Risk Management (ERM)
Control: Business continuity management is a process within the ERM program.
COBIT cross-reference: PO9
5.1.1.7 If the BCM risk assessments utilize the enterprise risk management process, perform the following:
5.1.1.8 Obtain and inspect risk assessment documentation.
5.1.1.9 Determine that the risk assessment assigns reasonable probabilities to incidents affecting business continuity.
5.1.1.10 Review the risk assessment to determine if it is performed in an impartial manner and is supported by fact or reasonable management justification.
5.1.1.11 Determine that the risk management process assigns residual risk ratings.
5.1.1.12 Determine how the residual risk ratings drive the decision of which processes are included in the business continuity plans.
5.1.1.13 Determine if ERM and residual risk ratings are in alignment with internal audit's annual risk assessment; identify any material differences and obtain explanations.
5.1.1.14 Determine if key business units and support units are included in the ERM.
5.1.1.15 If an ERM system has not been established, perform the following:
5.1.1.16 Determine whether critical business units and support units required for inclusion in a risk assessment (i.e., risk-dependent units) have been considered.
5.1.1.17 Determine whether these risk-dependent units perform their own risk assessments.
5.1.1.18 Determine the processes used for the independent risk assessments.
5.1.1.19 Determine whether the individual unit residual risk ratings are in alignment with internal audit's annual risk assessment; identify any material differences and obtain explanations.

Risk Management Issue Monitoring
Control: Identified risks are entered into an issue monitoring system for inclusion in a business continuity plan.
COBIT cross-reference: PO9
5.1.1.20 Review the process for entering risks into an issue monitoring system for inclusion in the business continuity management program.
5.1.1.21 Obtain the most recent issue monitoring report.
5.1.1.22 Determine whether identified issues have been appropriately addressed by BCM.
5.1.1.23 Evaluate open items and assess the risk rating associated with each item. Determine if the ratings are appropriate.
5.1.1.24 Determine the frequency of issue monitoring follow-up and assess its appropriateness.

6. DOCUMENTATION

6.1 Appropriate Documentation
Audit/Assurance Objective: The business continuity plan is adequately documented to conduct effective interim business activities and recovery procedures after a declared business interruption.

Documentation Is Adequate to Support Business Continuity
Control: The entire business continuity plan is documented and available during a declared emergency.
COBIT cross-reference: PO8, AI4, DS4.4, DS4.7
6.1.1.1 Obtain business continuity plan documentation.
6.1.1.2 Determine that the plan has been kept current and reflects changes in the business processes, environment, technology, third-party relationships, relevant contracts, and regulatory and other compliance requirements.

6.2 Documentation Is Adequate to Support Recovery

Recovery Plan Documentation
Control: The entire business recovery plan is documented and available during a declared emergency.
COBIT cross-reference: DS4.4, DS4.7
6.2.1.1 Determine whether a recovery plan is in place.
6.2.1.2 Obtain recovery plan documentation.
6.2.1.3 Determine that the plan has been kept current and reflects relevant changes in the business processes, environment, third-party relationships, relevant contracts, and regulatory and other compliance requirements.
6.2.1.4 Determine if contact information has been kept current.
6.2.1.5 Determine if the plan is available in an appropriate form independent of the internal infrastructure.
6.2.1.6 Determine if key recovery personnel have access to the documentation.

7. PLAN TESTING

7.1 Plan Testing
Audit/Assurance Objective: The plan should be tested regularly, and the tests should include a comprehensive verification of continuity processes and situational drills to test the assumptions and alternate procedures within the plan.

Testing Policies
Control: Testing policies define test frequency, types of tests, use of situational drills and other recognized processes.
COBIT cross-reference: DS4.5, DS4.6
7.1.1.1 Obtain the testing policy document.
7.1.1.2 Determine that the following policies are stated and documented:
- Minimum test frequency
- Conditions requiring more frequent testing
- Types of scenarios to be tested
Testing Methods
Control: Testing includes both walkthroughs and full-scale drills of the interim process and recovery plans.
7.1.1.3 Determine that walkthrough tests are performed regularly and include all facets of the plan.
7.1.1.4 Determine that full-scale tests are performed regularly and include higher-risk events.
7.1.1.5 Determine if an after-hours call list exists and is current.
7.1.1.6 Determine if a program of continuity awareness exists and is executed regularly.

Analysis of Test Results
Control: The results from the plan tests are analyzed to identify issues that require BCP revision, additional training or additional resources.
COBIT cross-reference: DS4.10
7.1.1.7 Verify that changes to recovery plans have been made as a result of testing and lessons learned.
7.1.1.8 Determine if the results have been communicated to management.
7.1.1.9 Determine that stakeholders and assurance functions monitor and receive the post-test analysis.

Testing Management
Control: BCM tests are documented and provide the structure for identifying lapses and gaps.
COBIT cross-reference: DS4, DS5, DS9
7.1.1.10 Obtain documentation of the exercises performed.
7.1.1.11 Determine if the exercises have been effective in identifying possible shortcomings in the BCM program.

7.2 Testing of Recovery Service Levels
Control: Plan testing includes verification that the tests were completed within the intervals established in the BIA and BCP.
COBIT cross-reference: DS4.5, DS4.8
7.2.1 Determine if test results are compared against the test criteria (RTOs, RPOs, etc.).

7.3 Test Frequency
Control: The continuity plan is tested routinely, according to the policy. The tests address the requirements within the BCP and are documented.
COBIT cross-reference: DS4.6, DS4.8
7.3.1 Verify that the recovery plans are tested periodically.
7.3.2 Review the test criteria to determine if they will appropriately test the plan against the requirements identified in the BIA.

Plan Stress Testing
Control: The business continuity tests utilize situational drills in which anticipated resources are not available for the test, or the circumstances of the test are modified unannounced, to verify the recovery team's ability to adapt to unplanned situations.
COBIT cross-reference: DS4.5
7.3.3 Verify that the tests include unannounced situations to stress test the recovery plan's assumptions and the staff's ability to react to unplanned events.
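The single-point-of-failure analysis in steps 4.1.1.11 to 4.1.1.12 and the comparison of test results against RTO and RPO criteria in step 7.2.1 both rest on the same evidence: a model of which components a business function depends on and which of those dependencies are redundant. The Python script below is an added example and not part of ISACA's program. It evaluates a small constructed dependency model (an AND/OR tree in which each requirement can be met by any one of several providers) to list the nodes whose individual loss takes the function down, and it replays a constructed exercise log against the same model to compute the achieved RTO and RPO of the function against hypothetical BIA targets. The component names, timestamps, backup times and targets are all assumptions made for the example.

```python
"""Added example: SPOF analysis and RTO/RPO comparison over a dependency
model. Names, timestamps and targets are constructed, not from any real
enterprise or from ISACA's program."""
from datetime import datetime, timedelta

# Dependency model (assumed acyclic). Each node lists its requirements; a
# requirement is a tuple of alternative providers, any one of which meets it
# (OR). All requirements of a node must be met (AND). "order-to-cash" is an
# application in the BIA sense of 4.1.1.3: a group of business processes.
MODEL = {
    "order-to-cash": [("order-app",), ("payments",)],
    "order-app": [("web-a", "web-b"), ("orders-db",)],
    "web-a": [("core-switch",)],
    "web-b": [("core-switch",)],
    "orders-db": [("san",)],
    "payments": [("gateway-1", "gateway-2")],
    "gateway-1": [("core-switch",)],
    "gateway-2": [("isp-link-2",)],
    "core-switch": [],
    "san": [],
    "isp-link-2": [],
}

# Constructed exercise record: disruption, declaration, restore time of each
# component (components absent from the log never came back during the
# exercise), last good backup of each data store, hypothetical BIA targets.
INCIDENT = datetime(2011, 3, 12, 7, 55)
DECLARED = datetime(2011, 3, 12, 8, 0)
EXERCISE_LOG = {
    "isp-link-2": datetime(2011, 3, 12, 8, 45),
    "gateway-2": datetime(2011, 3, 12, 9, 0),
    "payments": datetime(2011, 3, 12, 9, 15),
    "core-switch": datetime(2011, 3, 12, 9, 30),
    "web-b": datetime(2011, 3, 12, 10, 0),
    "san": datetime(2011, 3, 12, 11, 0),
    "orders-db": datetime(2011, 3, 12, 11, 45),
    "order-app": datetime(2011, 3, 12, 12, 15),
}
LAST_BACKUP = {"orders-db": datetime(2011, 3, 12, 7, 45)}
BIA_TARGETS = {"rto": timedelta(hours=4), "rpo": timedelta(minutes=15)}


def available(node, model, failed=frozenset(), restored_by=None, at=None):
    """True if node can operate: not in the failed set, restored by time `at`
    (when a restore log is given) and every requirement has a provider."""
    if node in failed:
        return False
    if restored_by is not None and restored_by.get(node, datetime.max) > at:
        return False
    return all(any(available(p, model, failed, restored_by, at) for p in group)
               for group in model.get(node, []))


def single_points_of_failure(function, model):
    """Nodes whose individual loss makes the function unavailable (4.1.1.11).
    Each node is removed in turn and the AND/OR tree re-evaluated, so a shared
    dependency behind otherwise redundant providers is still caught."""
    return sorted(n for n in model
                  if n != function and not available(function, model, {n}))


def time_restored(function, model, log):
    """Earliest logged time at which every requirement of the function is
    met, or None if the function never came back during the exercise."""
    for t in sorted(set(log.values())):
        if all(any(available(p, model, restored_by=log, at=t) for p in group)
               for group in model[function]):
            return t
    return None


def reachable(node, model):
    """Every component the node depends on, directly or transitively."""
    seen, stack = set(), [node]
    while stack:
        for group in model.get(stack.pop(), []):
            for p in group:
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
    return seen


def evaluate_exercise(function, model, log, declared, incident, backup, bia):
    """Achieved RTO/RPO of the function versus its BIA targets (7.2.1). RPO is
    taken conservatively: the worst data loss among all data stores the
    function can depend on, whichever redundant path was actually used."""
    restored = time_restored(function, model, log)
    rto = None if restored is None else restored - declared
    stores = [n for n in reachable(function, model) if n in backup]
    rpo = max((incident - backup[n] for n in stores), default=timedelta(0))
    return {"restored_at": restored, "achieved_rto": rto,
            "rto_met": rto is not None and rto <= bia["rto"],
            "achieved_rpo": rpo, "rpo_met": rpo <= bia["rpo"]}


if __name__ == "__main__":
    print("single points of failure:",
          single_points_of_failure("order-to-cash", MODEL))
    result = evaluate_exercise("order-to-cash", MODEL, EXERCISE_LOG,
                               DECLARED, INCIDENT, LAST_BACKUP, BIA_TARGETS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed model the interesting finding is core-switch: the two web servers and the two payment gateways look redundant in a provider count per requirement, yet both web servers sit behind the same switch, so the removal check reports it as a single point of failure alongside the obviously unduplicated order-app, orders-db, payments and san. The exercise replay shows the function back at 12:15, an achieved RTO of 4 hours 15 minutes against a 4-hour target, while the 10-minute data loss on orders-db is within the 15-minute RPO; a real review would attach such a comparison, per application, to the test-result evidence gathered under 7.1.1.10.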
VII. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer's observations, the reviewer assigns a maturity level to each of the following control practices. The assessment table has columns for Control Practice, Assessed Maturity, Target Maturity, Reference Hyperlink and Comments, with one row for each control practice:
- Business Continuity Plan Management
- BCM Policy, Standards and Procedures
- Business Impact Assessment
- Risk Assessment
- Documentation
- Plan Testing

VIII. Assessment Maturity vs. Target Maturity
This spider graph (not reproduced here) is an example of the assessment results and maturity target for a specific enterprise.