The Role of Internal Audit In Business Continuity Planning
Dan Bailey, MBCP
Introduction
Dan Bailey, MBCP, Senior Manager, Protiviti Inc., dan.bailey@protiviti.com
- Actively involved in the Information Technology industry since 1984
- Actively involved in the Business Continuity industry since 1991
- Received CBCP designation in 1999; MBCP designation in 2002
- Co-Founder of the Arkansas chapter of the Association of Contingency Planners
- 2002 President of the North Texas chapter of the Association of Contingency Planners
- 2003-2005 DRI International Certification Commissioner
- 2006-2008 DRI International Vice-Chair of the newly established Education Commission
Agenda
- Establishing A Framework
- Internal Audit Adding Value to the BCP Process
- Information Available to the Internal Auditor
- Proven Approaches to Conducting a BCP Audit
- SOX Section 404?
- Wrap-up and Summary
"By 2008, we believe more than 50% of the G2000 will have robust and tested BC plans, with the remainder attempting to enhance their capabilities beyond rudimentary BC and disaster recovery through 2012." - META Group (February 2003)
Section I: Establishing A Framework
Business Continuity Management Defined
"The development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise."
BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning
Components of A Business Continuity Process
Business Strategies & Policies:
- Contract Terms and Conditions with Suppliers
- Customer Service Level Agreements
- Governance Documentation: Process Accountability, Recurring Activities, Documentation Standards, Strategy Testing, Training & Awareness, Plan Maintenance, Succession Plans
Business & Risk Management Processes:
- Emergency Response
- Crisis Management
- Crisis Communications
- Business Resumption Planning
- IT DR Planning
- Business Impact Analysis
- Risk Assessment
- Business Continuity Strategy
- Testing
- Training & Awareness
- Supplier Risk Management
People & Organizational Structure:
- Audit Committee Oversight
- Executive Management Sponsorship
- Business Continuity Coordinator
- Crisis Management Team
- Business Recovery Coordinators
- IT DR Coordinators
- Recovery Teams
- Internal Audit Oversight
- Industry / Governmental Oversight
Management Reports:
- Risk Assessment Conclusions (Likelihood and Vulnerability)
- Business Impact Analysis Conclusions (Recovery Objectives)
- Strategy Design Options
- Strategy Cost-Benefit Analysis
- Strategy Test Results
- Diagnostic and Benchmarking Conclusions
Methodologies:
- Business Continuity Governance Design and Data Gathering
- Risk Assessment
- Business Impact Analysis
- Strategy Design
- Plan Documentation
- Plan Validation
- Knowledge Transfer / Implementation
Systems & Data:
- Documentation Repository
- Plan Documentation Software
- Risk Assessment Conclusions
- Business Impact Analysis Conclusions
- Backup / Replication Software (IT DR Only)
- IT Hardware
The Continuity Life Cycle
Phases of the Continuity Life Cycle:
- Project Initiation And Management
- Risk Assessment
- Business Impact Analysis
- Business Continuity Strategy Design
- Solutions Deployment & Plan Documentation
- Business Continuity Plan Testing
- Training & Awareness Programs
- Compliance Monitoring & Auditing
Typical Participants in the Planning Process:
- Executive Sponsor
- Steering Committee
- Business Continuity Coordinator
- Business Process Owners
- Information Technology
- Human Resources
- Facilities
- Security
- EHS
- Legal
- Corporate Communications
- Risk Management
- Internal Audit?
BCM Capability Maturity Continuum (The BCP Maturity Continuum)
Process maturity levels, from most to least mature: Optimizing, Managed, Defined, Repeatable, Ad Hoc. Each level is described by its Characteristics of Capability and its Method of Achievement.

Optimizing
Characteristics of Capability: Business continuity management is a competitive advantage. Management advertises the existence of the business continuity process internally and externally with customers. Continuity-related service level agreements, associated with uptime, performance and continuity, are utilized to drive efficiencies internally and build strategic relationships with customers.
Method of Achievement: Comprehensive, organization-wide business continuity strategies are aligned with strategic objectives and customer expectations. BCM operates as a core business function, chartered with clear accountability and responsibility. Regular BCP testing and maintenance occurs. Personnel are well trained regarding their roles and responsibilities. Metrics are collected and managed to ensure continuity-related service level agreements are met.

Managed
Characteristics of Capability: In addition to a customer focus and the desire to minimize financial loss and reputation impairment, management addresses regulatory compliance through the design of solutions with characteristics mandated by industry and governmental organizations. Specific compliance categories include data protection, financial reporting process continuity, strategy testing and plan maintenance processes.
Method of Achievement: Business continuity strategies address core business functions, information technology assets and supply chain relationships. Management fully supports this effort. The organization's business continuity management process, to include crisis management, crisis communications, business resumption planning and IT disaster recovery planning, operates as a single function. The BCM process reflects the current business and technology environment.

Defined
Characteristics of Capability: Business functions and IT assets supporting the delivery of products and services, as well as customer service, are protected from long-term business interruptions. Customer expectations regarding product and service delivery have been taken into account. Testing and training limitations may result in isolated recovery issues, often taking the form of recovery capacity constraints and missed recovery objectives.
Method of Achievement: A formal business continuity strategy has been designed and deployed. A risk assessment has been performed to identify and assess continuity risks. A business impact analysis (BIA) has been performed, but there are no processes to keep it current. Testing is infrequent or fails to address all aspects of the continuity process. Plan maintenance activities have not occurred in over twelve months. Metrics for key BCP tasks require refinement.

Repeatable
Characteristics of Capability: Management relies on untested or under-tested continuity-related processes to manage the effects of business interruptions. IT asset recovery is often the most mature aspect of the continuity process, although some organizations emphasize either crisis management or business resumption planning. Employees have limited knowledge regarding their roles during recovery, potentially impacting the likelihood of a successful response effort.
Method of Achievement: The organization's business continuity strategy addresses crisis management, business resumption or IT disaster recovery. Continuity processes are designed and developed separately and lack integration. A high-level risk assessment and/or business impact analysis has been performed. Although some continuity-related processes exist, plan maintenance and testing procedures have not been implemented.

Ad Hoc
Characteristics of Capability: Significant risk of continuity-related impacts is present. Business interruptions, ranging from isolated infrastructure failures through regional events, have the potential to cause serious financial harm and/or reputational impairment. The organization relies on force majeure clauses to minimize contractual violations.
Method of Achievement: BCP goals and expectations were derived without a risk assessment or business impact analysis. Business continuity strategies are characterized as ad hoc; a formal documented plan does not exist. Business continuity accountability and responsibility remain unassigned. Business continuity testing and training and awareness processes have not been designed. The organization lacks confidence in its ability to survive following a business interruption.

2004 Protiviti Inc.
Managing Business Continuity Effectiveness
- Finance (Direct Report to CFO)
- Risk Management / Loss Prevention
- Executive Council
- Legal
- Human Resources
- Corporate Communications
- Operations (Direct Report to the COO)
- EHS
- Security
- Information Technology
- Internal Audit
Section II: Internal Audit Adding Value to the BCP Process
In the Past, The Internal Auditor:
- Asked if a plan was in place
- Reviewed the (IT Disaster Recovery) plan for currency, if they were truly IT Auditors
- Asked if tests were performed; didn't review the results
- Occasionally owned the BCP process!
The Continuity Life Cycle - Revisited
Phases: Project Initiation And Management; Risk Assessment; Business Impact Analysis; Business Continuity Strategy Design; Solutions Deployment & Plan Documentation; Business Continuity Plan Testing; Training & Awareness Programs; Compliance Monitoring & Auditing
Ways In Which the Internal Auditor Can Add Value to the BCP Process:
- Keeping Management Informed on Progress Toward BCM Development and Implementation
- The Internal Sales Person: Making the Case for Business Continuity
- Participation in the Risk Assessment and Business Impact Analysis
- Defining Key Business Functions By Assisting with the BIA
- Defining Key Controls and Guiding Toward a Process, not a Plan
- Project Management Standards
- Help Craft Maturity Levels and Definitions
- Audit the BCP Process Initially and in the Future
Section III: Information Available to the Internal Auditor
Guidance from the IIA (www.theiia.org)
Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process
- Auditors should evaluate business continuity readiness
- Internal audit should assess the organization's business continuity process on a regular basis and provide a preparedness summary to senior management
- Internal auditors can play a role in the organization's planning, to include the risk assessment
- Internal audit activity can help with an assessment of an organization's internal and external environment
- Evaluate the BCP/DRP during formulation
- Internal auditors have a thorough understanding of the business, the individual functions and interdependent relationships
Guidance from the IIA (cont.)
Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process
- Review the proposed business continuity and disaster recovery plans for design, completeness, and overall adequacy
- During the recovery period: Internal audit should monitor the effectiveness of the recovery and control of operations, and recommend improvements to the BCP
- Internal audit can also provide support during the recovery activities; internal auditors can assist in identifying the lessons learned from the disaster and the recovery operations
- Periodically audit the organization's BCPs/DRPs for adequacy (to ensure the timely resumption of operations and processes after adverse circumstances) and to confirm they reflect the current business operating environment
Guidance from the IIA (cont.)
Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process
During the audit, Internal Audit should consider:
- Are all plans up to date?
- Are all critical business functions and systems covered?
- Are the plans based on the risks and potential consequences of business interruptions?
- Are the plans fully documented?
- Have functional responsibilities been assigned?
- Is the organization capable of and prepared to implement the plans?
- Are the plans tested and revised based on the results?
- Are the plans stored properly and safely? Is the storage location known?
- Are the locations of alternate facilities (backup sites) known to employees?
- Do the plans call for coordination with local emergency services?
Regulations and Standards
Regulatory Requirements:
- Sarbanes-Oxley (Governance)
- FEMA
- FERC
- JCAHO
- HIPAA
- GLBA
- FFIEC (Updated)
- OSHA
- SEC
- NYSE / NASD
- State Insurance Departments
- USA PATRIOT Act
- IRS
- Australian/New Zealand Standard AS/NZS 4360:1999
- California 1386
- BASEL II
- Public Utility Commissions
- FCC
Standards and Guidelines:
- COBIT
- FFIEC
- NIST
- ISO 9000 & 14000, QS 9000
- ISO 17799
- NFPA 1600
- DRI International
- BCI
- PAS 56
- ITIL
- Homeland Security
- COSO
Section IV: Proven Approaches to Conducting a BCP Audit
Why Conduct a BCP Audit?
- Provide Management Assurance
- Identify Control Gaps
- Regulatory Compliance
- Identify Actions to Enhance Maturity
- Ensure Business Process Owners are Accountable for Their Plans and Testing
A Proven Practice BCP Audit Approach
- Work in a Collaborative Manner (Advise/Teach)
- Understand the History of BCP, Management Objectives and the Level of Maturity Up Front
- Understand the Scope of Business Continuity
- Approach From a Process Perspective, as Opposed to a Documentation Review
- Look for and assess key success factors such as repeatability, extensibility and maintainability
- Focus on the Entire BCM Life-cycle, Ranging from Standards Assessments Through Plan Testing
- Brainstorm Ideas for Improvement
- Engage the Business Continuity Coordinator
Executing A Process Oriented BCP Audit
A Comprehensive Business Continuity Management Process Includes:
- Crisis Management
- Crisis Communications
- Business Resumption Planning
- IT Disaster Recovery Planning
Evaluate the Following:
- Standards, Policies and Procedures
- Relationships with External Agencies and Authorities
- Training and Awareness Materials
- Budgetary Documentation
- Documented Plans
- Recovery Location / Hot-site Contracts
- Test Results
- Service Level Agreements
- Regulatory Requirements
- Supply Chain / Vendors
- Network
The Assessment Approach
- Confirm Assessment Expectations / Collect Business Requirements
- Evaluate the Business Continuity Process: Process Management; Risk Assessment and Business Impact Analysis; Define Recovery Strategies and Business Continuity Procedures; Training and Awareness, Plan Testing Process, Auditing and Plan Maintenance
- Collect Benchmarking Data to Reinforce Findings
- Validate, Present and Report
Industry Benchmarking Data
Nothing Reinforces a Recommendation Like Benchmarking Data: Same Industry, Same Size Company
We maintain information in the following areas:
- BCM Process Description and Scope
- Who Owns the BCM Process
- Budgetary Data
- Number of Personnel Addressing Business Continuity
- Recovery Objectives (Business and IT)
Benchmarking Data Is Available Through Third-party Specialists, Vendors and Informal Contacts (Like This Session)
Participants in the BCP Audit
In addition to a review of documentation, we recommend discussions with Business Continuity Management owners, as well as the Business Process owners whom they support (in order to better understand their expectations).
Presenting the Findings
- Reinforce Scope and Focus
- Focus on Process Maturity
- Highlight Strengths and Weaknesses
- Tie Findings to Business Impact, to Include Regulatory Compliance
- Provide Action Items and Recommend Points of Contact for Each
- Offer to Track Completion of Each Finding / Action Item
- Next Steps: What Will Next Year's Audit Focus On?
Section V: Sarbanes-Oxley?
Internal Audit and SOX Section 404?
"Furthermore, management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting." - PCAOB Release No. 2004-001, March 9, 2004
- Section 404 had become a driver for conducting some audits
- Standard may change audit priority
- Business continuity will remain a key business issue regardless of Section 404 scope
Section VI: Presentation Summary
Wrap-up and Summary
- Establishing A Framework: What is Business Continuity?; Components of a Business Continuity Process; The Business Continuity Life Cycle; The BCP Maturity Continuum
- Internal Audit Adding Value to the BCP Process: In the Past; Today: Revisiting the Continuity Life Cycle
- Information Available to the Internal Auditor: Regulations and Standards
- Proven Approaches to Conducting a BCP Audit: Why Conduct An Audit?; Proven Practice Audit Approaches; Executing A Process Oriented BCP Audit; Participants in the BCP Audit; Industry Benchmarking; Presenting Findings
- Wrap-up and Summary
Questions & Answers
Contact Information
Dan Bailey, MBCP
Protiviti Inc., Senior Manager, National Leadership Team - Business Continuity Management Services
dan.bailey@protiviti.com
469.374.2509 (office)
214.207.4543 (mobile)