Coleg Gwent. Business Continuity Plan Test - Post Implementation Review (PIR) Internal Audit Report (12.09/10)

Transcription

1 Internal Audit Report 1 June 2010

2 Business Continuity Plan Test Post Implementation Review (PIR) CONTENTS Section Page Executive Summary 1 Action Plan 4 Findings and Recommendations 5 Debrief meeting 28 April 2010 Draft report issued 19 May 2010 Responses received 1 June 2010 Final report issued 1 June 2010 Auditors Client sponsor Distribution Helen Cargill, IA Associate Director Stephen Temple, ISA Director Heather Wheatley, IA Manager Colin Alexander, ISA Manager Lisa Swanger, ISA Senior Consultant Lynda Roberts, Vice Principal Finance, Estates & Information Services Lynda Roberts, Vice Principal Finance, Estates & Information Services Robert Bates, Director of Estates & Facilities Audit Committee This review has been performed using RSM Tenon s bespoke internal audit methodology, i-ris. The matters raised in this report are only those which came to our attention during our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required. Whilst every care has been taken to ensure that the information provided in this report is as accurate as possible, based on the information provided and documentation reviewed, no complete guarantee or warranty can be given with regard to the advice and information contained herein. Our work does not provide absolute assurance that material errors, loss or fraud do not exist. This report is prepared solely for the use of Board and senior management of Coleg Gwent. Details may be made available to specified external agencies, including external auditors, but otherwise the report should not be quoted or referred to in whole or in part without prior consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended for any other purpose RSM Tenon Limited RSM Tenon Limited is a member of RSM Tenon Group RSM Tenon Limited is an independent member firm of RSM International an affiliation of independent accounting and consulting firms. RSM International is the name given to a network of independent accounting and consulting firms each of which practices in its own right. RSM International does not exist in any jurisdiction as a separate legal entity. RSM Tenon Limited (No ) is registered in England and Wales. Registered Office 66 Chiltern Street, London W1U 4GB. England

3 1 Business Continuity Plan Test Post Implementation Review (PIR) 1 EXECUTIVE SUMMARY 1.1 INTRODUCTION This post implementation review of the recent business continuity test carried out in February 2010 was undertaken as part of the approved internal audit periodic plan for 2009/10. Coleg Gwent (the College ) comprises of five main campuses with approximately 1,400 members of staff and approximately 30,000 learners (including community based learners). The College has invested in the development of a robust yet flexible business continuity plan to help reduce the impact of a disaster at the college. However, the College recognises that this plan will only be effective and usable if sufficient testing demonstrates its operational success. During February 2010, the College engaged a third party, Zurich (insurance providers) to aid the planning and execution of a business continuity test. This consisted of a bespoke scenario posed to members of the Crisis Control and Management Team (CC&MT). The CC&MT then undertook an interactive desktop exercise to evaluate the plan. The specific risks considered as part of this review were: Inadequate testing procedure documentation is maintained; Tests are not planned on an appropriately regular basis; The test scenario is unrealistic and does not include appropriate representation of business areas and staff; The test is un-coordinated and responsibilities are not clearly assigned; Issues and lessons learned are not captured; Planned as well as unplanned events are not captured and reported upward adequately; and The BCP documentation is not updated in a timely manner to reflect the results of test exercises. These risks relate to the objective of providing assurance that the business continuity test was undertaken in an appropriate manner to ensure the business continuity plan is up to date and functioning as expected.

4 2 Business Continuity Plan Test Post Implementation Review (PIR) 1.2 CONCLUSION Taking account of the issues identified, in our opinion the Corporation can take substantial assurance that the testing processes upon which Coleg Gwent relies upon to aid management of the business continuity plan, as currently laid down and operated, are well designed and complied with. This assurance level has been formulated on the basis of conclusions drawn on the individual elements of effectiveness, design and application of controls in place: Substantial Adequate Limited Design of control framework Application of and compliance with control framework OVERALL OPINION X X X The above conclusions feeding into the overall assurance level are based on the evidence obtained during our review. A number of well-designed control procedures to ensure the adequate testing of the business continuity plan were found to be in place, in particular: Full test procedural documentation was maintained, which reduces the risk that the objectives of the test are not carried out therefore rendering the test ineffective; The test scenario developed was of a realistic nature. This reduces the risk that the scenario is not taken seriously and therefore lessons learnt are not productive; The test was co-ordinated and responsibilities were clearly assigned. This reduces the risk that the scenario is just a basis for a general discussion and is not structured enough to test the individuals involved; Lessons learnt were captured. This reduces the risk that the results from the test are not reflected in the business continuity plan therefore it could fail in a real life scenario at the same points it did during testing, therefore the benefit has not been realised; and Events are captured and reported upward appropriately. This reduces the risk that incidents which could affect the business continuity plan are not being incorporated into the plan thus it may not be effective should an incident occur. However, we did identify a number of areas where we consider that the control framework in operation over the testing arrangements of the business continuity plan could be improved, principally: Tests are not scheduled on a periodic basis. However we are pleased to note that it is the stated intention of the Director of Estates & Facilities to conduct annual testing. Unless the plan is formally tested on a regular basis, there is a risk that expected controls and processes do not function as intended, leading to an ineffective plan as potential failures are unknown; Staff representation was limited to the members of the Crisis Control and Management Team (CC&MT). However we are pleased to note that it is the intention of the Director of Estates & Facilities to expand testing going forward to include a wider range of staff. Unless a wide range of CC&MT and general staff are involved in the business continuity testing, there is potential risk that operational inconsistencies or errors are not flagged up and not all staff are aware of the College s business continuity arrangements; and

5 3 Business Continuity Plan Test Post Implementation Review (PIR) Business continuity documentation is not updated in a timely manner to reflect the results of testing. Unless business continuity documentation is updated in a timely manner, an incident could occur which does not benefit from the lessons learnt during the test. 1.3 SCOPE OF THE REVIEW The objective of our review was to evaluate the adequacy of risk management and control of the recent business continuity plan test, and the extent to which controls have been applied, with a view to providing an opinion. Control activities are put in place to ensure that risks to the achievement of the organisation s objectives are managed effectively. Control activities relied upon: Test Documentation; Communication; Change Control; Planned and Unplanned Events; and Incident Management. Limitations to the scope of the review: The review focused on the most recent business continuity test undertaken (February 2010); and This review did not re-perform the test or examine the adequacy or otherwise of individual business continuity plans including the IT disaster recovery input. The approach taken for this review tested key controls only and included the following: Our work was undertaken through discussion with nominated staff and a high level review of documentation; Detailed testing was not undertaken; and Reviewing the adequacy and application of the controls in place to mitigate the risks.

6 4 Business Continuity Plan Test Post Implementation Review (PIR) 1.4 RECOMMENDATIONS SUMMARY The following table highlights the number and categories of recommendations made. The Action Plan at Section 2 details the specific recommendations made as well as agreed management actions to implement them. Recommendations made during this review: Risk Fundamental Significant Merits Attention Inadequate testing procedure documentation is maintained Tests are not planned on a regular basis The test scenario is unrealistic and does not include appropriate representation of business areas and staff. The test is un-coordinated and responsibilities are not clearly assigned. Issues and lessons learned are not captured. Planned and unplanned events are not captured and reported upward adequately. The BCP documentation is not updated in a timely manner to reflect the results of test exercises Total 0 0 3

7 5 2 ACTION PLAN The priority of the recommendations made is as follows: Fundamental Significant Merits Attention Action is imperative to ensure that the objective for the area under review is met Requires action to avoid exposure to significant risk in achieving the objective for the area under review. Action is advised to enhance control or improve operational efficiency Ref Recommendation Categorisation Accepted (Y/N) Management Comment Implementation Date Manager Responsible 2.1 Management should ensure that business continuity testing is undertaken on a regular basis (at least annually). Furthermore, the requirement to test and a schedule of testing should be documented within the business continuity plan. Merits Attention Y The College BCP was completed in September 2009 and the first test of the Plan was scheduled in February As noted in your review, annual tests of the Plan were anticipated although not formally stated in the document. The Director, Estates & Facilities would therefore have ensured that such tests were undertaken in the future at those intervals. However, test arrangements are now confirmed in the latest revision of the BCP. May 2010 Director, Estates & Facilities 3.2 Management should ensure that future testing considers the need to involve all staff within the Crisis Control and Management Team (CC&MT) function and staff outside of it. Merits Attention Y As noted in the Review it was / is the College s intention to involve all CC&MT colleagues in the BCP test and this will be undertaken over future tests of the Plan. However it is May 2012 Director, Estates & Facilities

8 6 Ref Recommendation Categorisation Accepted (Y/N) Management Comment Implementation Date Manager Responsible recognised by the College that to involve all of the CC&MT on every test is neither necessary nor practicable and indeed may lessen the realism of a test situation. The requirements for involvement of all CC&MT members however are now recorded in the revised BCP. 7.1 Management should document within the business continuity plan, a full test process. This should include the expected and accepted timescales within which the plan should be updated following a test. Merits Attention Y It is anticipated that the BCP will be updated regularly and at maximum twelve monthly intervals and in any case following a test scenario, in order to reflect any actions / recommendations / lessons learnt from the test. The latest revision of the BCP records that the updating should be completed within eight weeks following any such test. May 2010 Director, Estates & Facilities

9 7 3 FINDINGS AND RECOMMENDATIONS Controls (actual and/or missing) Adequate Design (yes/no) Test Result / Implications Recommendation Categorisation Risk 1: Inadequate testing procedure documentation is maintained. 1.1 Full test procedural documentation was maintained. Yes Full test procedural documentation was found to be in place. Documentation observed included: Meeting notes/ s between the College and Zurich developing the test procedure; The original proposal from Zurich detailing a proposed test procedure; and The test presentation provided by Zurich, which led the participants through the actual scenario. The procedure documentation was confirmed as being followed in practice by a sample of four members of the CC&MT.

10 8 Controls (actual and/or missing) Adequate Design (yes/no) Test Result / Implications Recommendation Categorisation Risk 2: Tests are not planned on an appropriately regular basis. 2.1 Tests are not planned and preformed on a regular basis. Furthermore, the business continuity plan itself does not include reference to the need to test the plan regularly. However we are pleased to note that it is the stated intention of the Director of Estates & Facilities to conduct annual testing. No Unless the plan is formally tested on a regular basis, there is a risk that expected controls and processes do not function as intended, leading to an ineffective plan as potential failures are unknown. Management should ensure that business continuity testing is undertaken on a regular basis (at least annually). The requirement to test and a schedule of testing should be documented within the business continuity plan. Merits Attention Risk 3: The test scenario is unrealistic and does not include appropriate representation of business areas and staff. 3.1 The test scenario developed was of a realistic nature. The test scenario was developed by the College in conjunction with Zurich. The test was centred on a fire in the server room at the Cross Keys campus. This was based on a real event that occurred at Westminster University in Yes The test procedure documentation details the fire scenario at Cross Keys. This was confirmed with a sample of four members of the CC&MT who all advised this was the scenario used.

11 9 Controls (actual and/or missing) Adequate Design (yes/no) Test Result / Implications Recommendation Categorisation 3.2 Staff representation was limited to the members of the Crisis Control and Management Team (CC&MT). However we are pleased to note that it is the intention of the Director of Estates & Facilities to expand testing going forward to include a wider range of staff. No Unless a wide range of CC&MT and general staff are involved in the business continuity testing, there is potential risk that operational inconsistencies or errors are not flagged up and not all staff are aware of the College s business continuity arrangements. Management should ensure that future testing considers the need to involve all staff within the CC&MT function and staff outside of it. Merits Attention Risk 4: The test is un-coordinated and responsibilities are not clearly assigned. 4.1 The test was co-ordinated by the Zurich representative and responsibilities within the College were clearly assigned. Yes A sample of four staff involved in the test all confirmed that they were clear on their roles within the test. Furthermore, the test utilised an action plan proforma. This captured the actions taken throughout the test and this included staff initials, thereby demonstrating assigned responsibilities. Risk 5: Issues and lessons learned are not captured. 5.1 Lessons Learnt were captured in the form of an 'Issues Board' which was later developed into a lessons leant spreadsheet by the Director of Estates & Facilities. Yes Evidence of the Issues Board, development into a lesson learnt log and the completed log were observed. A sample of four staff involved in the test were interviewed and confirmed their participation in developing the lessons learnt log during the test period.

12 10 Controls (actual and/or missing) Adequate Design (yes/no) Test Result / Implications Recommendation Categorisation Risk 6: Planned as well as unplanned events are not captured and reported upward adequately. 6.1 Events are captured and reported upward appropriately. There are Health and Safety Officer's at each campus who record all incidents that occur. These are reported into the campus Health and Safety Committee and then the Headquarters Health and Safety Committee. Through this reporting process any points of significance are fed into the business continuity plan via the monthly Estates meeting that the College Health and Safety Manager attends. Furthermore, the plan was tested by a recent snow incident which caused the closure of a number of campuses. The Director of Marketing and Communications and the Director of Estates & Facilities drafted a lessons learnt report which details the updates required to the business continuity plan. Yes Incident pro-formas, reports and associated meeting minutes confirmed the capture and reporting of incidents to the Director of Estates & Facilities.

13 11 Controls (actual and/or missing) Adequate Design (yes/no) Test Result / Implications Recommendation Categorisation Risk 7: The BCP documentation is not updated in a timely manner to reflect the results of test exercises. 7.1 Business continuity documentation is not updated in a timely manner to reflect the results of testing. No Unless business continuity documentation is updated in a timely manner, an incident could occur which does not benefit from the lessons learnt during the test. Management should document within the business continuity plan, a full test process. Merits Attention The test took place on the 8th of February 2010 and the plan is expected to be updated by the middle of May This is approximately 3 months from the date of the test. This could mean that the plan fails at the same points previously identified. However in a real-life scenario this could delay the resumption of service provision. This should include the expected and accepted timescales within which the plan should be updated following a test.