Audit of Business Continuity Planning

Transcription

1 Cumbria Office of the Police & Crime Commissioner Audit of Business Continuity Planning 0 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens), Monument (Market Cross), Jason Friend, The Courts (Citadel), Jonathan Becker 13 April May 2015 Page 1

2 Audit Resources Title Name Telephone Audit Manager Emma Toyne Lead Auditor(s) Diane Lowry Audit Report Distribution For Action: For Information: Joanne Head (Governance and Business Services Manager) Linda McGinley (Engagement and Communications Officer) Stuart Edwards (Chief Executive) Audit Committee The Joint Audit & Standards Committee, which is due to be held on 23 June 2015 will receive the report. Note: Audit reports should not be circulated wider than the above distribution without the consent of the Audit Manager. 1 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens), Monument (Market Cross), Jason Friend, The Courts (Citadel), Jonathan Becker Page 1

3 Executive Summary COPCC Audit of Business Continuity Planning 1. Background 1.1. This report summarises the findings from the audit of Cumbria Office of the Police and Crime Commissioner (COPCC) Business Continuity Planning. This was a planned audit assignment which was undertaken in accordance with the 2014/15 Audit Plan Business continuity planning is the process of planning for possibly unexpected, but nevertheless, foreseeable, events. Business continuity planning is important as it provides the COPCC with ways to minimise the effects of unexpected disruptions or emergencies as well as planning a return to normality as soon as practicable The Police and Crime Commissioner has a statutory responsibility for holding the Chief Constable to account and good practice would include ensuring that adequate and effective business continuity arrangements are in place within the Constabulary. 2. Audit Approach 2.1. Audit Objectives and Methodology Compliance with the mandatory Public Sector Internal Audit Standards requires that internal audit activity evaluates the exposures to risks relating to the organisation s governance, operations and information systems. A risk based audit approach has been applied which aligns to the five key audit control objectives which are outlined in section 4; detailed findings and recommendations are reported within section 5 of this report Audit Scope and Limitations The Audit Scope was agreed with management prior to the commencement of this audit review. The Client Sponsor for this review was the Governance and Business Services Manager and the agreed scope areas for consideration were identified as follows: Roles and responsibilities for business continuity planning and management; Adequacy and effectiveness of business continuity plans; Arrangements for testing of and training on plans; Ensuring continuity of service when staff roles and responsibilities change or people leave the organisation Arrangements for ensuring effective use of technology and; Arrangements for holding the Constabulary to account. 2 Cumbria Shared Internal Audit Service: Internal Audit Report Page 2

4 Executive Summary COPCC Audit of Business Continuity Planning The business continuity plan was in the process of being developed during the audit review so the scope of the audit focussed on the arrangements for the preparation and implementation of the plan. 3. Assurance Opinion 3.1. Each audit review is given an assurance opinion and these are intended to assist Members and Officers in their assessment of the overall level of control and potential impact of any identified system weaknesses. There are 4 levels of assurance opinion which may be applied. The definition for each level is explained in Appendix A The OPCC has recognised that this is an area that needs to be addressed and has allocated resources to creating a business continuity plan and work is now underway on this. However, there is a lack of a corporately agreed approach and the organisation has not yet defined its business continuity arrangements, we have therefore concluded that, from the areas examined and tested as part of this audit review, we consider the current controls operating within business continuity planning provide Limited assurance. Note: as audit work is restricted by the areas identified in the Audit Scope and is primarily sample based, full coverage of the system and complete assurance cannot be given to an audit area. 4. Summary of Recommendations, Audit Findings and Report Distribution 4.1. There are three levels of audit recommendation; the definition for each level is explained in Appendix B There are five audit recommendations are arising from this audit review and these can be summarised as follows: No. of recommendations Control Objective High Medium Advisory 1. Management - achievement of the organisation s strategic objectives achieved (see section 5.1.) Cumbria Shared Internal Audit Service: Internal Audit Report Page 3 3

5 COPCC Audit of Business Continuity Planning 2. Regulatory - compliance with laws, regulations, policies, procedures and contracts (see section 5.2.) Information - reliability and integrity of financial and operational information Security - safeguarding of assets Value - effectiveness and efficiency of operations and programmes Total Number of Recommendations Areas for development: Improvements in the following areas are necessary in order to strengthen existing control arrangements: High priority issues: There is a need for a defined approach to business continuity planning within the Commissioner s Office and a business continuity policy should be established. Governance and management oversight of the preparation of the business continuity plan should be defined and documented to ensure that the plan is appropriate to the needs of the organisation and is appropriately signed off at senior management level. The organisation should define its business continuity requirements to ensure that the plan is developed in line with the organisation s business continuity needs. Documented and tested business continuity plans need to be in place to ensure that the organisation is complying with its own Financial Regulations which place a responsibility on Chief Officers to maintain appropriate business continuity plans Medium priority issues: Arrangements for the Commissioner to receive assurance over the Constabulary s business continuity plans need to be formalised Advisory issues: No advisory issues were identified Cumbria Shared Internal Audit Service: Internal Audit Report Page 4 4

6 COPCC Audit of Business Continuity Planning Comment from the Chief Finance Officer / Deputy Chief Executive The OPCC recognises that further work is needed to formally document and consolidate the arrangements for business continuity and this is being given priority over the next few months. Whilst there is a clear need to complete and formally test an OPCC corporate business continuity plan, operational arrangements (off site contact records, remote ICT access, finance service BCP including critical finance activities) are in place to facilitate key activities in the event of a business continuity incident arising during this time. Cumbria Shared Internal Audit Service: Internal Audit Report Page 5 5

7 Management Action Plan COPCC Audit of Business Continuity Planning 5. Matters Arising / Agreed Action Plan 5.1. Management - achievement of the organisation s strategic objectives. Medium priority Audit finding (a) Assurance from the Constabulary The Police and Crime Commissioner is accountable under the Police Reform and Social Responsibility Act 2011 for securing an effective and efficient police force for Cumbria. Whilst there are no specific requirements on the Commissioner to receive assurance over the Constabulary s Business Continuity Planning arrangements, good practice would include assurance over this area. At the time of the audit, discussions were underway between the Governance and Business Services Manager, the Engagement and Communications Officer and the Temporary Superintendent (Operations) to determine the best method for implementing this process. We consider that the OPCC should define its assurance requirements in relation to business continuity and then work with the Constabulary to establish how these will be delivered. Management response Agreed management action: We will define the requirements of the Commissioner to ensure appropriate arrangements are in place. The Engagement and Communications Officer will meet with the Temporary Superintendent Operations to set out our requirements. The outcome will be reported to the Commissioner at the Executive Board in August. Recommendation 1: The Commissioner s office should set out its business continuity plan assurance requirements from the Chief Constable and work with the Constabulary to ensure there are appropriate arrangements in place for these to be met. Risk exposure if not addressed: Failure to respond appropriately to a significant business continuity incident. Reputational damage if business continuity arrangements fail. Responsible manager for implementing: Engagement and Communications Officer Date to be implemented: End September 2015 Cumbria Shared Internal Audit Service: Internal Audit Report Page 6 6

8 COPCC Audit of Business Continuity Planning High priority Audit finding (b) Arrangements for the preparation of the business continuity plan Effective business continuity management relies on the organisation being clear about its business continuity requirements and establishing appropriate policies and strategies for business continuity. At present the OPCC does not have these in place, resulting in a business continuity plan being created in isolation and without regard for the organisation s requirements. We recommend that the organisation defines its business continuity requirements through a policy and strategy and that the plan is then prepared on this basis. The draft business continuity plan, being prepared at the time of the audit, appears to adopt the model used by the Constabulary. This may not be the most appropriate approach for the Commissioner s office where legislative requirements are less prescriptive and the organisation is much smaller. Management response Agreed management action: Recommendation 2: We will codify the existing documentation to illustrate the OPCC s approach and will include some elements of recommendation 4 within this document. Recommendation 3: We will define our requirements within the overarching document above. Recommendation 2: The OPCC s approach to business continuity planning should be defined and a policy and strategy based on this. Recommendation 3 The OPCC s business continuity requirements should be defined by management prior to the plan being prepared. Risk exposure if not addressed: Business continuity arrangements are not adequate because the organisation has not defined its requirements. Business continuity arrangements may be excessive for the size of the organisation without the organisation having defined its requirements. Responsible manager for implementing: Engagement and Communications Officer Date to be implemented: End July 2015 Cumbria Shared Internal Audit Service: Internal Audit Report Page 7 7

9 COPCC Audit of Business Continuity Planning High priority Audit finding (c) Draft business continuity plan The OPCC s draft business continuity plan evolved during the period the audit took place. There are currently no approved arrangements for preparing the business continuity plan. Roles and responsibilities for preparation of the plan have not been clearly defined and there are no monitoring arrangements in place to ensure that a plan is prepared and implemented on time and to a defined specification. Arrangements for sign off have not been formally documented, although we were informed that the arrangements for approval are sign-off by the Executive Team prior to final approval by the Commissioner. Management response This will be incorporated within the document detailed in recommendation 2 and will include: A high level project plan with timeline stating what will be delivered and when; Sign-off and reporting arrangements. Whilst we recognise that a business continuity plan completion and implementation activity timeline has been prepared we consider that the arrangements for management oversight of the development of the plan(s) should be defined and documented to ensure that plans are developed in line with agreed timescales and organisational requirements. Recommendation 4: Once a policy and strategy and organisational requirements have been defined, we recommend that a project plan is implemented for the development of business continuity plan(s) within the OPCC with clearly defined reporting and sign-off arrangements. Risk exposure if not addressed: Business continuity arrangements are ineffective because appropriate governance arrangements are not in place. Responsible manager for implementing: Engagement and Communications Officer Date to be implemented: End July 2015 Cumbria Shared Internal Audit Service: Internal Audit Report Page 8 8

10 COPCC Audit of Business Continuity Planning 5.2 Regulatory - compliance with laws, regulations, policies, procedures and contracts High priority Audit finding (d) Compliance with Financial Regulations Management response Completing actions 1 to 4 will address this. The OPCC s Financial Regulations place a responsibility on Chief Officers to ensure that appropriate business continuity plans are developed, implemented and tested on a regular basis. Without business continuity plans in place, the organisation is not complying with its own Financial Procedure Rules. The OPCC s Chief Finance Officer has input to the financial services business continuity arrangements which cover part of the overall business continuity arrangements. Recommendation 5: Arrangements should be introduced to give the OPCC assurance that the requirements of the Financial Regulations in relation to Business Continuity Planning are being complied with. Risk exposure if not addressed: Non-compliance with internal rules and regulations. Responsible manager for implementing: Chief Executive Date to be implemented: End September 2015 Cumbria Shared Internal Audit Service: Internal Audit Report Page 9 9

11 Appendix A Audit Assurance Opinions There are four levels of assurance used; these are defined as follows: Substantial Reasonable Partial Limited / None Definition: There is a sound system of internal control designed to achieve the system objectives and this minimises risk. There is a reasonable system of internal control in place which should ensure that system objectives are generally achieved, but some issues have been raised which may result in a degree of risk exposure beyond that which is considered acceptable. The system of internal control designed to achieve the system objectives is not sufficient. Some areas are satisfactory but there are an unacceptable number of weaknesses which have been identified and the level of non-compliance and / or weaknesses in the system of internal control puts the system objectives at risk. Fundamental weaknesses have been identified in the system of internal control resulting in the control environment being unacceptably weak and this exposes the system objectives to an unacceptable level of risk. Rating Reason The controls tested are being consistently applied and no weaknesses were identified. Recommendations, if any, are of an advisory nature in context of the systems and operating controls & management of risks. Generally good systems of internal control are found to be in place but there are some areas where controls are not effectively applied and/or not sufficiently developed. Recommendations are no greater than medium priority. There is an unsatisfactory level of internal control in place as controls are not being operated effectively and consistently; this is likely to be evidenced by a significant level of error being identified. Recommendations may include high and medium priority matters for address. Significant non-compliance with basic controls which leaves the system open to error and/or abuse. Control is generally weak/does not exist. Recommendations will include high priority matters for address. Some medium priority matters may also be present. Cumbria Shared Internal Audit Service: Internal Audit Report Page 10 10

12 Appendix B Grading of Audit Recommendations Audit recommendations are graded in terms of their priority and risk exposure if the issue identified was to remain unaddressed. There are three levels of audit recommendations used; high, medium and advisory, the definitions of which are explained below. Definition: High Significant risk exposure identified arising from a fundamental weakness in the system of internal control Medium Some risk exposure identified from a weakness in the system of internal control Advisory Minor risk exposure / suggested improvement to enhance the system of control Recommendation Follow Up Arrangements: High priority recommendations will be formally followed up by Internal Audit and reported within the defined follow up timescales. This follow up work may include additional audit verification and testing to ensure the agreed actions have been effectively implemented. Medium priority recommendations will be followed with the responsible officer within the defined timescales. Advisory issues are for management consideration. Cumbria Shared Internal Audit Service: Internal Audit Report Page 11 11