Stepping Through the Business Continuity Plan Audit

Transcription

1 Stepping Through the Business Continuity Plan Audit Doug Menendez Graybar Electric Company Presentation to MidAmerica Contingency Planning Forum February 16, 2012

2 Introduction Whether it is from internal auditors, external auditors or government regulators, sooner or later your contingency plan will come under the scrutiny of an audit. This presentation will assist contingency planning managers in gaining an understanding of the audit approach, how to prepare for an audit, and how to work with the auditors as a team. Emphasis will be placed on data center disaster recovery and which plan components are most likely to be examined by an auditor.

3 Biography Doug Menendez is the Audit Manager for Graybar Electric Company. He has over thirty years of financial, operational and IT auditing experience in a variety of industries. Doug is a Certified Information Systems Auditor (CISA) and a Certified Internal Auditor (CIA). He is also a past-president of the St. Louis Chapters of the Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors (IIA). You can contact Doug at (314) , or at: douglas.menendez@graybar.com

4 The Company Established: 1869 World Headquarters: St. Louis Background: One of the largest employee-owned companies in North America since 1929 Leading distributor of high-quality electrical, communications and data networking products, and specializes in related supply chain management and logistics services Founded by inventor Elisha Gray and entrepreneur Enos Barton Operations: Through its distribution network of nearly 240 North American locations, Graybar stocks and sells hundreds of thousands of items from thousands of manufacturers Worldwide Revenue 2010: $4.6 billion

5 Agenda Why Audit? Guidelines for Auditors: IIA GTAG ISACA COBIT

6 Different types of auditors: Internal External Regulatory

7 External Audit and SOX controls General Controls: Data Center Operations (backup and recovery) System Software Access Security Application Development and Maintenance

8 Audience Survey: Who has NEVER been audited? Does your BCP group work closely with your internal auditors? What has your experience been? Positive or Negative?

9 Internal Audit Overview

10 Internal Audit Reporting Relationships Board of Directors/Audit Committee Chief Executive Officer (CEO) and Chairman Chief Financial Officer (CFO) Internal not External

11 Why Audit? Management tool Provide INDEPENDENT assessments Protect corporate assets Improve internal controls Help achieve organizational goals

12 Role of Internal Audit Independence Objectivity Direct report to Senior Management Control Consultants (improve internal controls) Protect company assets Confidentiality, Integrity, Availability of data

13 Why am I being audited? Internal I.T. Audit: Risk Assessment, Planning and Scheduling

14 I.T. Audit Risk Assessment Identify the IT Audit Universe : New System Development Reviews Tier 1 list Existing Application Reviews Currently in production General Controls (Infrastructure) Reviews Everything else that supports the application, operating systems, databases, network, disaster recovery/business continuity planning

15 I.T. Audit Planning and Scheduling Review Tier 1 plan Utilize I.T. Audit Risk Assessment Model Identify any Infrastructure changes Identify I.T. Audit resources available Allocate resource estimation to each audit Draft out schedule by quarter Review with I.T. VP s and AVP s, CIO, CFO Schedule is confidential

16 Objectives of the 3 Major I.T. Audit Areas

17 I.T. Audit Areas New Systems Development Reviews Tier 1 projects Existing Application Reviews Currently in production General Controls Reviews Infrastructure, BCP, etc.

18 Stepping Through a Generic Audit Process

19 Stepping Through the Generic Audit Planning Fieldwork Reporting

20 Audit Planning Discovery Memo Kick-off meeting Preliminary planning process Develop audit program Planning Memo Audit Scope, Objectives, Timelines What you can do: Ensure availability of resources Provide requested documentation timely Help identify risks and controls

21 Audit Fieldwork Complete the audit program Evaluation Testing Gather documentation/evidence Identify possible recommendations What you can do: Ensure availability of resources Discuss status with auditors Help identify compensating controls

22 Audit Recommendations Recommendation (condition/cause) Business Impact (effect/criteria) Management Action Plan Implementation Date What you can do: Verify/validate recommendations Remediate if appropriate Begin to develop action plan

23 Audit Reporting Closing Meeting Draft report Management responses/action plans/target dates requested in 10 business days The Final Report Executive Summary Audit report Audit recommendations Management responses

24 Audit Follow-up Remediation Until the condition described in all audit recommendation has changed to reduce risk to an acceptable level, expect: Periodic Inquiry Formal Tracking Management-level reporting Follow-up Audit Generally done months later

25 Audit Survival Strategies Accept the validity of the audit as a management tool. Understand the audit plan and the auditor's approach. Coordinate your team's response to the audit process. Use the reporting process to demonstrate your team s strengths.

26 Stepping Through a BCP Audit Process

27 BCP Pre-Audit Steps Preliminary Survey Questionnaires Interviews Scope Determination

28 BCP Audit Approach/Testing Inspection/Review Observation Participation Verification

29 Auditing BCP Components Initiation and Administration Emergency Preparedness User Interim Procedures Back-Up Process Recovery Procedures Documentation Testing & Training

30 Auditing BCP Initiation and Administration Senior Management Support Organizational Responsibility and User Involvement Key Strategies and Assumptions

31 Auditing BCP Emergency Preparedness Declaration & Evacuation Procedures Public Relations Damage Containment, Clean-Up and Salvaging Program

32 Auditing BCP User Interim Procedures Key Strategies and Assumptions Security and Audit Trails

33 Auditing BCP Back-Up Process Data Files Application and System Software Hardware and Support Facilities Logistics Support and Personnel

34 Auditing BCP Recovery Procedures Data Center Activation File Recovery Procedures Start-Up of Critical Systems

35 Auditing BCP Documentation Distribution and Version Control Currency Form, Style and Clarity Use of Automated Tools

36 Auditing BCP Testing & Training Exercise Objectives Roles and Responsibilities Types of Testing Plan Maintenance

37 Summary Audit is a valuable resource use it to your advantage! Management Support User Involvement Documentation Testing

38 Institute of Internal Auditors Global Technology Audit Guide (GTAG) The IT controls guide provides: Guidance on IT topics impacting the organization's control and audit practices. Approaches to security, control, auditing, and assurance. Guidance on compliance with relevant legislation and regulations. Topical material for CAEs' discussions with executives and management. Executive summaries addressing concerns of governance and chieflevel executives. Key elements for audit reviews, assessments, and assurance.

39 Institute of Internal Auditors Website: Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association of more than 170,000 members. Throughout the world, The IIA is recognized as the internal audit profession's leader in certification, education, research, and technical guidance. Certification: CIA = Certified Internal Auditor

40 Institute of Internal Auditors GTAG-10: Business Continuity Management Guidance Provided to Internal Auditors Please let me know if you see any opportunities to improve this GTAG.

41 Objectives How can business continuity planning help minimize business disruptions? The components of an effective business continuity plan. How can a business impact analysis help identify which operations need to be recovered first following a business disruption? Ways to maximize internal audit s value in business continuity management audit and governance.

42 BCM Basics Management Support Risk Assessment and Risk Mitigation Business Impact Analysis (BIA) Business Recovery and Continuity Strategy Awareness and Training Exercises Maintenance

43 Crisis Management Planning Inform the general public Employees Stakeholders Suppliers Disaster Recovery of IT is a subset of BCM

44 What Key Ingredients are Necessary to Ensure I Have an Effective Plan? 1. Enterprise Priority 2. Support for the Cause 3. Someone to Drive 4. Materials, Labor, and a Blueprint 5. Certification 6. Maintenance

45 Key Challenges Getting Executive and Stakeholder Support Funding Getting all stakeholders to Agree on Risks and Impacts Getting the Business to Participate and Deliver on Time Performing Sufficient Testing Keeping the plan maintained

46 Related Disciplines All with different timelines: Emergency Response Crisis Management and Communications Resumption of Business Functions

47 BCM Lifecycle Project Initiation And Management Governance Compliance Monitoring & Auditing Risk Assessment Culture Training & Awareness Programs Continuity Life Cycle Business Impact Analysis Analysis Business Continuity Plan Testing Business Continuity Strategy Design Execution Solutions Deployment and Enhancement

48 BIA Pre-requisite Risk Assessment Identify potential risks to business Disasters, major disruptions, etc. Understand likely business impacts Loss of People, Operations, facilities, IT Region impact to suppliers, infrastructure Ensure Risk Mitigation is deployed Prevention: safety, maintenance, redundancies Preparation: response, Org Capabilities, standard processes

49 BIA Overview Identifying business processes Determining RTO and RPO based on business impact Identifying the other parties and physical resources Obtaining Sponsor and Manager approval of BIA

50 BIA #1: Identifying business processes Subject Matter Experts participate Identify major work processes Combine work processes when same staff, resources, suppliers Separate work processes when they have different priorities

51 BIA# 2: Determining RTO and RPO Understand type of impact Health/safety, environmental, customer, financial, regulatory/legal, reputational Identify likely consequences of different recovery times (RTO) Understand consequences of data loss (RPO) Discuss likely costs of each RTO and RPO Select RTO and RPO based on business impact and costs

52 BIA #3: Identifying other parties and resources Identify resources required to perform process Resources that must be obtained to resume process Identify other parties required to perform process Other People who must be available to provide input and/or perform work

53 BIA# 4: Obtaining Sponsor and Manager approval Review BIA results with leadership to verify: All processes were identified RTO and RPO are appropriate Critical resources were identified Next steps and strategies for creating recovery solutions

54 BIA: Business Recovery and Continuity Strategy Identify recovery alternatives Manual Work processes Alternative/Out-sourcing Disaster Recovery for IT Alternative Staffing Alternative Facilities

55 BIA Output is the BCP Create BCP at individual team level that maintains ownership Document recovery strategies, BCP solutions, recovery steps Maintain a log of BCP changes Link BCP to overall command structure & Crisis Management

56 Disaster Recovery of IT Data Center Applications and data Servers Networks Infrastructure

57 Recovery Solutions/Sites Hot recovery Warm recovery Cold recovery No recovery plan

58 Awareness and Training Sponsors Managers Coordinators Consultants Staff

59 Maintenance Changes in: Business priorities People Processes Technology

60 Exercise (not a test) Frequency Various threat scenarios Track issues and correct

61 Crisis Management Crisis communications Coordination with External Agencies Emergency response

62 The role of Internal Audit Does Sr. Management understand the current business continuity risk level? Can the organization prove the business continuity risks are mitigated to an acceptable level? If an unacceptable business continuity risk exists, but Sr. Management has decided to assume the risk, is the Board and other key partners aware? Has the decision to accept the risk been properly documented?

63 Maximize IA value in BCP process. Work in a Collaborative Manner with the client. Understand BCP and Management Objectives Understand the Scope of Business Continuity Approach From a Process Perspective, as Opposed to a Documentation Review Focus on the Entire BCM Life-cycle, Ranging from Standards Assessments Through Plan Testing Brainstorm Ideas for Improvement Engage the Business Continuity Coordinator

64 Information Systems Audit and Control Association (ISACA) A nonprofit, independent membership association, ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance, control and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969 as the EDP Auditors Association, ISACA helps its members and their employers ensure trust in, and value from, information systems. ISACA has more than 95,000 constituents in more than 160 countries in Asia, Latin America, Europe, Africa, North America and Oceania. Its members include internal and external auditors, CEOs, CFOs, CIOs, educators, information security and control professionals, business managers, students, and IT consultants. Certification: CISA Certified Information Systems Auditor

65 COBIT COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

66 COBIT DS4 Ensure Continuous Service Guidance provided to IT Auditors Please let me know if you see any opportunities to improve this COBIT section

67 DS IT Continuity Framework 4.2 IT Continuity Plans 4.3 Critical IT Resources 4.4 Maintenance of the IT Continuity Plan 4.5 Testing 4.6 Training 4.7 Distribution 4.8 IT Services Recovery and Resumption 4.9 Offsite Backup Storage 4.10 Post-resumption review

68 DS 4.1 IT Continuity Framework Control Objective: Develop a framework for IT continuity to support enterprise-wide business continuity management using a consistent process.

69 DS 4.2 Continuity Plans Control Objective: Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes.

70 DS 4.3 Critical IT Resources Control Objective: Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations.

71 DS 4.4 Maintenance of the IT Continuity Plan Control Objective: Encourage IT Management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements.

72 DS 4.5 Testing of the IT Continuity Plan Control Objective: Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant

73 DS 4.6 IT Continuity Plan Training Control Objective: Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster

74 DS 4.7 Distribution of the IT Continuity Plan Control Objective: Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorized interested parties when and where needed

75 DS 4.8 IT Services Recovery and Resumption Control Objective: Plan the actions to be taken for the period when IT is recovering and resuming services.

76 DS 4.9 Offsite Backup Storage Control Objective: Store offsite all critical back up media, documentation and other IT resources necessary for IT recovery and business continuity plans.

77 DS 4.10 Post-resumption Review Control Objective: Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.

78 Conclusion Make auditors part of the team Communicate Seek auditor s help Let the auditors in Make the auditing process part of the BCP routine

79 QUESTIONS?