Contingency Planning and Disaster Recovery Internal Control Questionnaire

Transcription

1 Contingency Planning and Disaster Recovery Internal Control Questionnaire [Institution s name] [Departments under review] [Heads of departments under review] A. POLICY AND SUPERVISION REVIEW 1. Was the policy reviewed for changes made since the last audit? 2. Did the board of directors minutes indicate that the changes were authorized? a. Were the changes implemented through appropriate adjustments to related internal controls? b. Were affected personnel notified of the changes in a timely manner? 3. Did the board of directors review and approve the contingency planning and disaster recovery policy? 4. Has the board of directors requested a completed disaster recovery plan and, thereafter, has the board reviewed and approved the plan? 5. After the internal audit was performed, were all deviations from prescribed controls noted and followed up with the appropriate management level? B. GENERAL GOALS 1. Are there planning procedures for the contingency planning and disaster recovery policy with senior management? a. Is there supporting memoranda and individual plans as evidence that senior management has complied with planning procedures? b. Have the CEO and also the contingency planning officer carried out their responsibilities with respect to: Assigning key personnel? Assigning authorization responsibilities? Prioritizing bank operations? 2. Do the board of directors minutes since the last audit indicate that the CEO has followed through with contingency planning and disaster recovery policy testing, evaluation, and reports? C. SPECIFIC GOALS 1. Are there specific plans for each department? 2. Do the specific plans for each department have the following items addressed in their plans: Disaster Recovery/Contingency Planning E2-1

2 a. Departmental management and other employees with various assigned responsibilities when an emergency is occurring? Do individuals within each department understand what their emergency responsibilities are and at what point during an emergency they are to assume them? b. Individuals designated to provide alternative and compatible equipment to replace destroyed equipment? c. Management guidelines on providing initial ongoing off-site backup, on a timely basis, of: Software? Data files? Documentation? Forms? Supplies? 3. Review testing memoranda and, if possible, observe the testing of backup systems and equipment by the disaster planning committee to answer the following: a. Has the committee performed periodic testing per its schedule? b. Was the testing performed by the committee to ascertain that prescribed procedures are being followed? 4. Is an annual report prepared by the disaster planning committee? 5. Does the annual report contain the following: a. Items tested and items scheduled to be tested in the same time period? 6. Do the board of directors minutes provide evidence that the board reviewed the annual report? 7. Does the board s meeting minutes indicate that the following were discussed: a. Variances in the schedule, if any? b. Problems that may have been discovered during the testing? c. Solutions to the problems? D. DESIGNATION OF AUTHORITY 1. Review the composition of the disaster planning committee and verify that officers representing each of the following functions are members of the committee: a. Commercial loans? b. Accounting? c. Human resources? d. Investment/trading? e. ALCO? f. Operations? E2-2 Disaster Recovery/Contingency Planning

3 g. Electronic data processing? 2. Review the contingency planning and disaster recovery policy with the officers sitting on the disaster planning committee and determine that they are aware of their responsibilities as members. Do committee members list the following responsibilities for the committee: a. Development and documentation of systems or plans to facilitate operations in the event of a disaster? b. Designation of personnel and their responsibilities during an emergency? Does the structure of this designation compare roughly as follows: A disaster recovery team composed of designated employees with specific assignments during a disaster? A disaster recovery administrator overseeing the disaster recovery team? An alternative disaster recovery administrator (called the disaster recovery coordinator) in case the disaster incapacitates the formerly mentioned disaster recovery administrator? c. Setting up alternative sites for operations if current sites are destroyed or substantially disabled in an emergency? d. Notification of personnel in the event of a disaster? E. DISASTER RECOVERY ADMINISTRATOR RESPONSIBILITIES 1. Does the contingency planning and disaster recovery policy require that the disaster recovery administrator perform a variety of duties? Does the disaster recovery administrator duties include, at a minimum, the following responsibilities: a. To notify personnel immediately in case of a disaster? b. To establish the command and control center in its designated site, or to select an alternative site for establishment of the control center? c. To implement the disaster recovery plan after determining the extent of the disaster? d. To establish communication with key personnel? e. To provide managerial support for key personnel during the recovery? f. To monitor progress during the course of the disaster? g. To document the actions taken and the progress made? Disaster Recovery/Contingency Planning E2-3

4 F. DISASTER RECOVERY COORDINATOR RESPONSIBILITIES 1. Does the contingency planning and disaster recovery policy require the disaster recovery coordinator to assist the disaster recovery administrator in performing his or her duties? Does the disaster recovery coordinator list, at a minimum, the following responsibilities: a. To assist the disaster recovery administrator? b. To notify the other disaster recovery team members that there is a disaster? c. To activate general notification procedures? d. To notify personnel of the site selected as the command and control center? e. To provide managerial support for key personnel during the recovery? Do key personnel perform the following tasks: Supervise the recovery activities? Document activities that the disaster recovery administrator has not handled directly? f. Keep team members informed of the progress of all recovery activities, since each area depends on the others? 2. Review and determine whether the disaster recovery coordinator confirms on a regular basis that backup systems remain in place and are adequate to meet the needs of the bank in the event of a disaster? G. DESIGNATED EMPLOYEE RESPONSIBILITIES IN DISASTER 1. Has the disaster recovery committee designated disaster recovery employees and their alternates in each division? Are these designations noted as follows: a. The annual report to the board of directors? b. The disaster recovery committee minutes? 2. Do the listings of designated employees and their alternates include home phone numbers? 3. In different data processing memoranda and/or committee minutes, has the disaster recovery committee provided for: a. Adequate training for designated employees? b. Periodic testing of designated employees performing disasterrelated responsibilities? c. Adequate support and guidance from committee members? 4. Through interviews of designated employees, determine whether they are aware of their duties and responsibilities? Are designated employees able to specifically detail: E2-4 Disaster Recovery/Contingency Planning

5 a. What their responsibilities are in a disaster including: Helping to coordinate the recovery process at a lower level than the disaster recovery coordinator? Helping to assess the nature and extent of the disaster? Activating recovery plans at an operations level? Informing bank managers of progress and problems encountered during the recovery process? Documenting steps taken and progress made during the recovery process? b. Whom they would report to in a disaster situation? c. What timing they would follow when initiating their responsibilities? d. What priority their responsibilities and division have in relation to other areas of the bank? H. PRIORITIZING OPERATIONS 1. Does the contingency planning and disaster recovery policy require the disaster planning committee to prioritize operations? Review the method used by the committee to assign priority status and consider the following: a. Are the assigned priorities reasonable, regarding the methodology used to prioritize? b. Is each department is aware of its status? c. Does each department understand the implications of its priority status? 2. Does a review of the board of directors minutes indicate evidence that the board reviewed and approved the priority listing? 3. Are the areas with the highest priority sufficiently prepared to begin operations as quickly as possible in the event of a disaster? I. BACKUP SYSTEMS 1. Through a review of the backup procedures with the officers and other appropriate employees within each division, is it evident that they are aware of their responsibilities, especially with respect to protection of data and software? 2. Are employees fully aware of the fact that the effectiveness of the backup program depends on the consistent and timely backup of data? 3. For each division affected, do the following operations occur as indicated: a. Customer data, including daily account balances and transactions, are backed up twice daily? Disaster Recovery/Contingency Planning E2-5

6 b. A review, on a sample basis, of the computer transaction log details evidence that the backup operation has consistently been performed on a regular basis? c. Customer data, including daily account balances and transactions, are backed up hourly on Fridays? d. System modifications and changes are copied immediately, electronically documented, and supplied immediately thereafter to an off-site storage facility? e. Have system modifications made since the last policy audit been copied and have copies of the modifications been stored in the off-site location? f. Were internal audit staff present when system modifications occurred and, therefore, have documentation that represent copies are held off-site? 3. Do personnel obtain proper authorization before releasing corporate or customer information? a. Is the information release procedures manual readily available to personnel? b. Do information release procedures, as followed by electronic data processing personnel and off-site storage personnel, ensure that information will not be released without proper authorization? J. OFF-SITE STORAGE 1. Per discussions with appropriate personnel regarding the procedures for establishing and maintaining off-site storage, are the following steps part of their duties: a. Making sure that backup systems and files are stored off-site? b. Ensuring that transfer of data occurs immediately after backup by armored car? c. Reviewing all forms quarterly? d. Destroying obsolete forms after new forms are available? 2. Is the application of the prior procedures regularly occurring during the transfer of files, per a sampling of divisions? 3. Are copies of the disaster recovery plan maintained in off-site storage? 4. Do both the bank president and the CEO each have the most recent copy of the disaster recovery plan? 5. Has the most recent copy of the disaster recovery plan been also placed in a safe deposit box at the bank? K. COMMUNICATION PROCEDURES AND CHANNELS 1. Do the responsibilities of the public relations manager during a disaster include the following: a. Make all outside announcements? E2-6 Disaster Recovery/Contingency Planning

7 b. Obtain management review and approval before making public announcements? c. Ensure that disaster damage assessment is published as soon as possible? 2. Has a disaster recovery team member been appointed to be responsible for activating communication procedures? 3. Does he/she have a clear understanding regarding timing and extent of those responsibilities? a. Does activation occur only after a physical inspection of the disaster site and an assessment of damages? b. Are there specific procedures utilized when the disaster occurs after hours? L. TESTING CONTINGENCY PLANS 1. Has the contingency plan been tested with as many steps as are practical? a. Has the internal audit staff been an active participant in the management and evaluation of the plan? 2. Were all key personnel involved in the test? 3. Were the following areas, at a minimum, tested: a. Data files? b. Equipment? c. Backup equipment? 4. Do testing memoranda provide details to indicate that: a. The test was evaluated? b. Any cited deficiencies were documented? c. Deficiencies were corrected? d. Deficiencies were retested? 5. Review the board of directors minutes and determine that when deficiencies were resolved, the board approved the final plan? 6. Once the final disaster recovery plan has been approved, has the disaster recovery committee been testing the plan on a semiannual basis? M. FINANCIAL CONDITION OF THE SERVICE PROVIDERS 1. Do the disaster recovery committee minutes indicate that the committee has reviewed all service providers on an annual basis? a. Does documentation indicate a review of service providers financial statements? b. Does the documentation indicate that a financial analysis was performed on those statements? c. Does the documentation of the service providers also include a review of copies of their backup plans? Disaster Recovery/Contingency Planning E2-7

8 d. Is there an analysis of the feasibility of the service providers backup plans? e. Are service providers backup plans fully integrated into the bank s disaster recovery plans? f. Have the service providers backup plans been tested with respect to backup of the bank s services? E2-8 Disaster Recovery/Contingency Planning