Auditing the Unthinkable: Business Continuity and Disaster Recovery
The Institute of Internal Auditors
Moderator: Paul J. Sobel, CIA, CPA, Vice President, Internal Audit, Mirant Corporation

Agenda
- Introduction and Overview
- Preparing an Effective Business Continuity Program (Molly Latham)
- Internal Audit Drivers in Business Continuity (Michael Keating)
- Auditing the Business Continuity Plan (Matthew Gagnon)
- First Hand Experience: Internal Audit's Role in a Disaster (Kevin Piccoli)
- Break
- Question & Answer
- Summary of Main Points
CPE Requirements
- Two CPE credits.
- Interactive polling and knowledge check questions. 75 percent response required to receive credit.
- Be sure to scroll down and read all of the possible answers, and then click the submit button for your answer to count.
- Must view the entire webcast, including the Q&A.
- Only registered participants will be eligible to receive credit.
- If viewing this webcast as a recording, an additional final exam must be passed; please ensure pop-up blocking software is disabled.

Please Note: The corresponding slides may not be in exact sync with the panelist presentations because of system refresh delays; slides and resources are available for download/print from the webcast lobby page.
Key Questions for Today
1. What are some of the key items to a meaningful business continuity plan?
2. What are the benefits of using a business continuity model and how can it be used to improve the business continuity maturity level of an organization?

Key Questions (cont.)
3. What are the drivers of internal audit's growing involvement in the business continuity management lifecycle? What is the significance of business continuity risk relative to risks covered in other audits?
4. Are there business continuity standards that internal auditors should be aware of, and if so, is compliance mandatory?
5. How can internal auditors get involved in business continuity management and what are some specific roles that chief audit executives, audit managers, and IT auditors should take?
Questions for Today (cont.)
6. Why are business continuity exercises important and what are some common testing exercises to assess the effectiveness of a business continuity program?
7. What are some key areas that internal auditors should review when performing a business continuity and disaster recovery audit?
8. What are the opportunities for internal auditors to add value during and after a disaster to help ensure successful recovery?

Preparing an Effective Business Continuity Program
Molly Latham, CIA, CCSA, Manager, Business Continuity Planning, Southern California Edison Co., Rosemead, Calif.
Agenda
- The importance of an effective business continuity plan (BCP)
- Keys to a meaningful business continuity program
- BCP scope
- Existing BCP models

The Importance of an Effective Business Continuity Plan
- Recent catastrophes (9-11, Katrina, Asian tsunami) demonstrate that events can and do happen
- Effective business continuity is a key internal control, with or without regulatory mandates
- What could be more important than surviving?
- If the program is sub-par, management needs to take corrective action before the next disaster
Keys to a Meaningful BCP
- Ensure the business continuity program (BCP) scope is broad
- An effective BCP must be holistic
  - Reviewing just one piece of the program will not produce assurance that the overall program is sound
- Plans need to be tested to assure the quality of the business continuity program
- Ensure that management, the audit committee, and audit staff have a clear understanding of key business continuity concepts

BCP Scope [1]
- Organizational issues
  - Leadership
  - Employee awareness
  - Program structure and pervasiveness
- Performance issues
  - Metrics
  - Staffing
  - Coordination with internal and external resources
  - Incident management and communications
  - Technology recovery
  - Business recovery

[1] Adapted from the Complete Public Domain Business Continuity Maturity Model (SM), Virtual Corporation, 2007
S. Calif. Edison's BC Model
- Business Continuity Maturity Model - Virtual Corporation
- Straightforward assessment tool
- Establishes six maturity levels
  - Self-governed
  - Supported self-governed
  - Centrally governed
  - Enterprise awakening
  - Planned growth
  - Synergistic
- Allows for online assessment: www.virtual-corp.net/html/business_continuity.html

Existing Models
- National Fire Protection Association Standard on Disaster/Emergency and Business Continuity Programs
  - A nonmandatory national standard
  - Focuses more heavily on emergency management rather than business recovery processes
  - www.nfpa.org/assets/files/pdf/nfpa1600.pdf
BC Models
- Business Continuity Guideline - ASIS International
  - A five-phase model that includes: Readiness; Prevention; Response; Recovery / Resumption; Testing and training
  - Provides basic examples of business continuity work products
  - www.asisonline.org/guidelines/guidelinesbc.pdf

BC Models (cont.)
- British Standard 25999 - Recently adopted by the British Standards Institute
  - Provides a benchmark by which British companies may assess key suppliers and partners
  - Establishes the business continuity process, principles and terminology
  - Reflects the maturity of the British business continuity community
  - www.bsi-global.com
In Closing
- More than ever, there are enormous resources available to anyone who wants to learn more about this field
- Business continuity planning is here to stay; it is worthwhile to invest in BC certification for some audit staff
  - Disaster Recovery Institute International: www.drii.org/drii/courses/certification_cbcp.aspx
  - Business Continuity Institute: www.thebci.org/join.htm

Knowledge Check #1
Organizations should consider using a business continuity model to develop their business continuity program because:
a. It is a mandatory regulatory requirement
b. Many business continuity models provide processes for varying maturity levels
c. Most models guarantee minimal business interruption
Knowledge Check #2
When developing a business continuity plan, which of the following would be considered a performance issue, versus an organizational issue?
a. Leadership
b. Employee awareness
c. Program structure
d. Technology recovery

Knowledge Check #3
An evaluation of an organization's business continuity plan is sufficient to attest to the program's adequacy.
a. True
b. False
Internal Audit Drivers in Business Continuity
Michael Keating, CBCP, Associate Director, Protiviti, Atlanta, GA

Agenda
- The growing role of internal auditing in business continuity management (BCM)
- Drivers of internal audit's growing involvement in BCM
- How internal auditing can be involved throughout the BCM lifecycle
Growing Standards
- U.S. National Preparedness Standard and British Standard 25999
  - More than 71% of respondents knew about the U.S. National Preparedness Standard
  - More than 30% were already changing their BCM programs as a result (2007 KPMG/Continuity Insights Magazine Survey)
- Most other standards addressing BCM have become more rigid since 2004

Riskier World
- Despite a down year in 2006, most climatologists expect bad hurricane seasons for 10-20 more years.
- Terrorism, especially smaller scale events, is a continuing threat.
- New threats such as pandemic influenza and single/sole source supplier failures are growing exposures.
Continuity Risks Growing in Consequence
- Continuity risks are appearing in more enterprise risk assessments.
- Consolidation, outsourcing, and offshoring create risk concentrations that must be monitored and mitigated.
- Continuity-related risks are appearing in SEC 10-Ks and other investor disclosures.

Implications of the Risk Environment: Greater Expectation of Preparedness
- Greater director and officer exposure is driving audit committees to increase their attention
- More external auditors are inquiring about continuity issues
- Customer mandates are rapidly becoming the norm in some industry segments
- Push toward more consensus on a reasonable level of preparedness
- All of these issues require a periodic, objective assessment of the BCM program
What Should IA Do in BCM? (in addition to BCM audits)
- Assist in the development and compliance monitoring of a BCM policy
- Incorporate continuity issues in existing risk assessment projects
- Sponsor and perform business impact analyses
- Assist with cost-benefit analyses of BCM strategy options
- Develop BCM program maturity goals with management and the board

IA and BCM Exercises
- Exercises are the key to demonstrating BCM capability
- Exercise formats vary and are equally valid depending on purpose
  - Desk review
  - Tabletop
  - Component
  - Simulation
- IA can observe exercises, and also assist in performance metrics and monitoring
Internal Audit Impact
- Almost 22% of respondents expected IA to measure the performance of their BCM programs
- Almost 50% of respondents cited some specific third party requirement for their BCM program
- Almost 2% of respondents indicated BCM actually reported to IA
(2007 KPMG/Continuity Insights Magazine Survey)

In Closing
- Business continuity continues to be driven by high profile issues
- In many cases, IA can add value by simply expanding areas they already audit
- As continuity becomes more of a strategic issue, IA's role in its maturity and compliance will only grow
Knowledge Check #4
Which of the following creates the greatest concentration of business continuity risk?
a. Consolidations and outsourcing
b. Subsidiary and multiple branch operations
c. Regional retail and manufacturing operations
d. Application service providers

Knowledge Check #5
Which of the following is NOT a role that internal auditors should take in the business continuity process?
a. Assist in compliance monitoring of the business continuity policy
b. Incorporate continuity issues in existing risk assessment projects
c. Perform business impact analysis
d. Set business continuity maturity goals for the organization
Knowledge Check #6
Internal auditors are increasingly including business continuity risk in their risk assessments and audit plans because it is:
a. A regulatory requirement
b. An integral part of the enterprise risk management process
c. A fairly easy fix that takes few audit resources

Auditing the Business Continuity Plan
Matthew Gagnon, CPA, CISA, VP, Director of Internal Audit, Fieldstone Investment Corp., Columbia, Md.
Agenda
- Auditing the business continuity plan
  - How mature is your company's BCP?
  - Get BCP on your internal audit plan
  - Update/document your understanding
  - Finalize the audit scope
  - Testing
  - Communicate results to stakeholders

BCP Maturity
- BCP maturity is a key factor in planning the nature and extent of audit testing.
  - Has a Business Impact Assessment (BIA) been performed? Is it up-to-date?
  - Does a formal BCP exist?
  - Has a comprehensive set of disaster scenarios been documented?
  - Have BCP roles been defined?
  - Is crisis management included in the BCP? Disaster recovery planning? Business resumption planning?
  - Is regular/periodic testing performed?
Get BCP on Your Internal Audit Plan
- Identify business risks/quantify exposure
- Evaluate the significance of these risks relative to risks covered in other possible audit projects
- Determine the amount of audit resources you should allocate to complete this review
- IIA Standards:
  - 1220 - Due Professional Care / 1220.A1
  - 2010 - Planning
  - Obtain audit committee (AC) approval to audit BCP
  - 2020 - Communication and Approval
  - 2600 - Management's Acceptance of Risks

Document Your Understanding
- Corporate BCP objectives
- Owners/participants
- Current state
- Business Impact Assessment
  - Covered entities/business units
  - Inter-relationships/dependencies defined
  - Process prioritization/sequencing
  - Recovery Time Objectives (RTOs)
- Risk management techniques for scenarios
- Extent of BCP testing executed
- Management evaluation of effectiveness
Finalize Scope
- Objectives may include:
  - BIA: complete and accurate
  - BCP design: includes comprehensive set of disaster scenarios; covers all business critical processes, plus those performed by 3rd parties
  - Risk management techniques: defined, approved, and implemented for all relevant risks
  - RTOs: recovery sequences are consistent with BCP objectives and reduce impact to a level consistent with management's risk appetite
  - Test plans: provide a reasonable basis for a conclusion regarding BCP effectiveness
  - Test results: accurate, reported, timely addressed

Testing
- Business Impact Assessment (BIA)
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Business Resumption Plan (BRP)
- Crisis Management (CM)
- BCP Test Results
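The "Document Your Understanding" items (inter-relationships/dependencies, process prioritization/sequencing, RTOs) and the scope objective "RTOs: recovery sequences are consistent with BCP objectives" can be tested mechanically once the BIA inventory is in a machine-readable form. The following Python is an added example, not part of the webcast or any panelist's material; the process names, RTO values and documented recovery sequence are constructed, and the checks are the auditor's own tests: a process cannot meet its RTO if something it depends on has a longer RTO, a dependency named in the BIA but never assessed is a completeness finding, and the documented recovery sequence must restore dependencies before dependents.

```python
"""Added example: audit tests for RTO and recovery-sequence consistency.

Inputs are a constructed BIA inventory (process -> RTO in hours plus the
processes it depends on) and the recovery sequence the hypothetical BCP
documents. None of this data comes from the webcast.
"""

# Constructed BIA inventory (hypothetical processes, RTOs in hours).
# "cdn" is deliberately referenced but not assessed, to show the completeness finding.
BIA = {
    "core_banking":    {"rto": 4,  "depends_on": ["data_center", "network"]},
    "data_center":     {"rto": 8,  "depends_on": []},
    "network":         {"rto": 2,  "depends_on": []},
    "customer_portal": {"rto": 24, "depends_on": ["core_banking", "cdn"]},
    "payroll":         {"rto": 72, "depends_on": ["data_center", "hr_system"]},
    "hr_system":       {"rto": 48, "depends_on": ["data_center"]},
}

# Constructed recovery sequence as documented in the hypothetical BCP.
DOCUMENTED_SEQUENCE = [
    "network", "core_banking", "data_center", "hr_system", "payroll", "customer_portal",
]


def rto_gaps(bia):
    """Findings as (process, dependency, process_rto, dependency_rto).

    dependency_rto is None when the dependency is not assessed in the BIA at all
    (a BIA completeness finding); otherwise the dependency's RTO exceeds the
    dependent's RTO, so the dependent cannot be recovered on time.
    """
    gaps = []
    for name, rec in bia.items():
        for dep in rec["depends_on"]:
            if dep not in bia:
                gaps.append((name, dep, rec["rto"], None))
            elif bia[dep]["rto"] > rec["rto"]:
                gaps.append((name, dep, rec["rto"], bia[dep]["rto"]))
    return sorted(gaps)


def sequence_violations(bia, sequence):
    """Findings as (process, dependency) where the documented sequence restores
    the process before that dependency, or never lists one of them."""
    position = {p: i for i, p in enumerate(sequence)}
    violations = []
    for name, rec in bia.items():
        if name not in position:
            violations.append((name, None))
            continue
        for dep in rec["depends_on"]:
            if dep not in position or position[dep] > position[name]:
                violations.append((name, dep))
    return sorted(violations)


def recommended_sequence(bia):
    """Dependency-respecting order (Kahn's topological sort), restoring the
    shortest-RTO process first whenever several are ready. Dependencies not
    assessed in the BIA are ignored here; rto_gaps() already reports them."""
    indeg = {n: 0 for n in bia}
    dependents = {n: [] for n in bia}
    for name, rec in bia.items():
        for dep in rec["depends_on"]:
            if dep in bia:
                indeg[name] += 1
                dependents[dep].append(name)
    ready = sorted((n for n in bia if indeg[n] == 0), key=lambda n: bia[n]["rto"])
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for d in dependents[current]:
            indeg[d] -= 1
            if indeg[d] == 0:
                ready.append(d)
        ready.sort(key=lambda n: bia[n]["rto"])
    if len(order) != len(bia):
        # A dependency cycle means no sequence can satisfy the BIA: a finding in itself.
        raise ValueError("circular dependency in BIA")
    return order


if __name__ == "__main__":
    for gap in rto_gaps(BIA):
        print("RTO gap:", gap)
    for violation in sequence_violations(BIA, DOCUMENTED_SEQUENCE):
        print("Sequence violation:", violation)
    print("Recommended sequence:", recommended_sequence(BIA))
```

On the constructed data the checks surface two findings of the kinds the scope objectives describe: core_banking (4 h) depends on data_center (8 h), and the documented sequence restores core_banking before data_center; customer_portal depends on "cdn", which the BIA never assessed. The recommended order is only a starting point for discussion with the process owners, since a real sequence also reflects staffing and facility constraints the BIA records elsewhere.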
BIA Testing
- Completeness
- Impact assessment calculations
  - Financial
  - Operational
- Change management

BCP Testing
- Plan completeness
- Business/time critical processes
- Personnel roles & responsibilities
- Recovery manuals/procedures
- Offsite data/records storage and retrieval
- Recovery facilities
- Testing/disaster scenarios
- Change management
DRP Testing
- Plan completeness
- Personnel roles & responsibilities
- Recovery manuals/procedures
- Applications
- Data
- Hardware
- Networking
- Recovery facilities
- Change management
- Testing scenarios

BRP Testing
- Plan completeness
- Personnel roles & responsibilities
- Recovery manuals/procedures
- Recovery facilities
- Telecommunications
- Change management
- Testing scenarios
Crisis Management Testing
- Plan completeness
- Personnel roles & responsibilities
- Recovery manuals/procedures
- Communications plan
  - Recovery team members
  - Employees
  - Customers
  - Shareholders
  - Business partners
  - Press
- Change management
- Testing scenarios

Evaluating BCP Tests & Results
- Is testing properly planned?
  - Scenario selected/defined
  - Goals established/communicated
  - Appropriate personnel involved
  - Interdependent entities tested simultaneously (business units; IT; 3rd parties)
  - Results documented
- Appropriate actions planned/taken?
  - Conclusions accurate
  - Conclusions support assumptions
  - Action plans appropriate
Communicating Results
- Clearly describe observed BCP deficiencies and management's plan to address them
  - Executive summary; observation
  - Criteria for concluding the observation constitutes a deficiency
  - Likelihood and potential impact
  - Action plan; person responsible; expected resolution date
- Distribute report to all stakeholders
  - Audit committee
  - Senior management; process owners
- IIA Standards 2400-2440 - Communicating/Disseminating Results

In Closing
- Know the state of your company's BCP.
- Evaluate the significance of BCP risks relative to risks covered in other audits.
- Review the accuracy and completeness of the company's business impact analysis.
- Ensure the BCP considers a comprehensive set of disaster conditions.
- Determine that tests provide a reasonable basis for concluding on BCP effectiveness.
Knowledge Check #7
Which of the following is generally NOT part of a business continuity plan (BCP)?
a. Comprehensive set of disaster scenarios are documented
b. Management roles are defined
c. Ongoing testing is performed
d. Documented approval of the BCP by the audit committee

Knowledge Check #8
A legitimate ERM role that internal auditors may undertake, with safeguards, includes:
a. Coordinating ERM activities
b. Imposing risk management processes
c. Implementing risk management responses on management's behalf
d. Owning and being accountable for the company's risk management process
First Hand Experience: Internal Audit's Role in a Disaster
Kevin C. Piccoli, CPA, Executive Vice President, The Bank of New York, New York, NY

Agenda
- Bank of New York's experience in the 9-11 disaster
- How internal auditing added value to the disaster recovery efforts
- Opportunities
- Keys to a successful recovery
Impact on The Bank of New York
- 8,300 employees displaced
- Four buildings evacuated
  - World Headquarters
  - Operations Center
  - Trading Center
- Three primary data centers abandoned
- Data/telecommunications infrastructure in lower Manhattan destroyed

Evaluate the Team
- Capitalize on the strength of the team
  - Knowledge of the business
  - Cradle to grave approach
  - Intuitive
  - Resourceful
  - Problem solving
- Focus of the audit team
  - Chief audit executive: Advisor to CEO
  - Audit managers: Advisors to business heads
  - Audit staff: Part of business team
  - IT audit: Data security, change control
Chief Audit Executive Role
- Advisor to CEO
  - Control issues
  - Status of recovery progress
  - Troubleshooting
  - Communication link
- Flexibility
  - Policy decisions
  - Risk assessment
- Observer; look for areas to assist
- Report to the board of directors

Audit Managers' Role
- Business advisor
  - Assess the control environment
  - Establish compensating controls
  - Develop tools: software; reports; logs
  - Assess business resources
  - Coordinate with other business units
- Observe; identify areas for focus
- Develop the plan
- Part of the management team, NOT an auditor
Audit Staff Role
- Consider them the business employees
- Use their skills to:
  - Research issues
  - Develop reports
  - Design reconciliation process
  - Free up day-to-day personnel

IT Audit Role
- Understand the recovery process
  - What happened
  - Strategy and priority of the fix
- Data security
- Change control
- Develop research tools
- Provide support to recovery efforts
Opportunities
- Be open and alert
- Reconciliation assistance
- Develop recovery plan for each business
- Foster communication
- Develop customer communications
- Be available for consultation
- Facilities coordinator

Opportunities (cont.)
- Prepare for insurance claim
- Review press releases
- Communicate with customers
- Develop telephone lists
- Cheerleader
- Develop employee communications
- Develop policy
- Corporate governance & committees
Keys to a Successful Recovery
- Stick to the plan
- Cream rises to the top
- Communication
- Prioritize
  - Systems
  - Telecommunication
  - Customers; Wall Street
- Fluid, constant redesigning of the process & plan
- Think of the people

Other Exposures
- Avian Flu
  - Approach is similar to other disasters but prolonged (3 months)
- Theft/loss of confidential information
  - Assess situation
  - Determine nature of data compromised
  - Escalate immediately to bring all parties together
  - Determine legal requirements
  - Evaluate reputation exposure
In Closing
- Because of our business knowledge, internal auditing is invaluable to disaster recovery efforts.
- Serve as part of the management team, NOT as an auditor.
- Be flexible when assisting with policy decisions and risk assessment.
- Look for opportunities to help.
- Think of the people.

Knowledge Check #9
In the event of a disaster, internal auditors should:
a. Continue to execute the approved annual audit plan
b. Assess the control environment
c. Immediately perform a disaster recovery audit
d. Stay out of the way and wait for further instructions
Knowledge Check #10
Audit managers should serve as part of the management team in a disaster recovery mode, rather than in an internal audit role.
a. True
b. False

Panelist Q&A
- Click the Ask Question link below this slide image.
- Type your question in the text box.
- If your question is to a specific panelist, please state the panelist in your question.
- Click the Submit button.
In Summary
1. As business continuity becomes more of a strategic issue, internal auditors' role in its maturity and compliance will only grow.
2. During the risk assessment process, internal auditors should document the organization's current state of business continuity preparedness and incorporate business continuity planning objectives into their audits. In many cases, internal auditors can add value by simply expanding areas they already audit.

Summary (cont.)
3. A formal business continuity plan should document business critical processes, personnel roles and responsibilities, recovery procedures, offsite records storage and retrieval, and recovery facilities.
4. Internal auditors can add value by helping to ensure the business continuity program scope is broad enough and that management has a clear understanding of business continuity concepts.
Summary (cont. 2)
5. During a business continuity audit, internal auditors should review the accuracy and completeness of the company's business impact analysis and determine that the business continuity plan considers a comprehensive set of disaster scenarios.
6. During a disaster, internal auditors should be flexible when assisting with policy decisions and risk assessment and look for opportunities to help.

Summary (final)
7. There are enormous resources available to learn more about business continuity preparedness and disaster recovery planning. It is worthwhile to invest in business continuity training for audit staff.
Thank you for participating!
Please complete the webcast evaluation.
- Live webcast: when you close your browser, the evaluation will open in a new window.
- On-demand viewers: when you close this window, your quiz will appear in a new window; upon completion of the quiz you will be presented an evaluation to complete.