Stepping Through the Business Continuity Plan Audit
Doug Menendez, Graybar Electric Company
Presentation to MidAmerica Contingency Planning Forum, February 16, 2012

Introduction
Whether it is from internal auditors, external auditors or government regulators, sooner or later your contingency plan will come under the scrutiny of an audit. This presentation will assist contingency planning managers in gaining an understanding of the audit approach, how to prepare for an audit, and how to work with the auditors as a team. Emphasis will be placed on data center disaster recovery and on which plan components are most likely to be examined by an auditor.

Biography
Doug Menendez is the Audit Manager for Graybar Electric Company. He has over thirty years of financial, operational and IT auditing experience in a variety of industries. Doug is a Certified Information Systems Auditor (CISA) and a Certified Internal Auditor (CIA). He is also a past president of the St. Louis Chapters of the Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors (IIA). You can contact Doug at (314) 573-6196, or at douglas.menendez@graybar.com

The Company
  www.graybar.com
  Established: 1869
  World Headquarters: St. Louis
  Background: One of the largest employee-owned companies in North America since 1929. Leading distributor of high-quality electrical, communications and data networking products, specializing in related supply chain management and logistics services. Founded by inventor Elisha Gray and entrepreneur Enos Barton.
  Operations: Through its distribution network of nearly 240 North American locations, Graybar stocks and sells hundreds of thousands of items from thousands of manufacturers.
  Worldwide Revenue 2010: $4.6 billion
Agenda
  Why Audit?
  Guidelines for Auditors: IIA GTAG, ISACA COBIT
  Different types of auditors: Internal, External, Regulatory
  External Audit and SOX controls
  General Controls: Data Center Operations (backup and recovery), System Software, Access Security, Application Development and Maintenance

Audience Survey
  Who has NEVER been audited?
  Does your BCP group work closely with your internal auditors?
  What has your experience been? Positive or negative?
Internal Audit Overview
Internal Audit Reporting Relationships
  Board of Directors/Audit Committee
  Chief Executive Officer (CEO) and Chairman
  Chief Financial Officer (CFO)
  Internal, not External

Why Audit?
  Management tool
  Provide INDEPENDENT assessments
  Protect corporate assets
  Improve internal controls
  Help achieve organizational goals

Role of Internal Audit
  Independence
  Objectivity
  Direct report to Senior Management
  Control Consultants (improve internal controls)
  Protect company assets
  Confidentiality, Integrity, Availability of data

Why am I being audited?
  Internal I.T. Audit: Risk Assessment, Planning and Scheduling

I.T. Audit Risk Assessment
  Identify the IT Audit Universe:
    New System Development Reviews: Tier 1 list
    Existing Application Reviews: Currently in production
    General Controls (Infrastructure) Reviews: Everything else that supports the application (operating systems, databases, network, disaster recovery/business continuity planning)

I.T. Audit Planning and Scheduling
  Review Tier 1 plan
  Utilize I.T. Audit Risk Assessment Model
  Identify any infrastructure changes
  Identify I.T. Audit resources available
  Allocate resource estimation to each audit
  Draft out schedule by quarter
  Review with I.T. VPs and AVPs, CIO, CFO
  Schedule is confidential
Objectives of the 3 Major I.T. Audit Areas
I.T. Audit Areas
  New Systems Development Reviews: Tier 1 projects
  Existing Application Reviews: Currently in production
  General Controls Reviews: Infrastructure, BCP, etc.
Stepping Through a Generic Audit Process
Stepping Through the Generic Audit
  Planning
  Fieldwork
  Reporting

Audit Planning
  Discovery Memo
  Kick-off meeting
  Preliminary planning process
  Develop audit program
  Planning Memo: Audit Scope, Objectives, Timelines
  What you can do:
    Ensure availability of resources
    Provide requested documentation in a timely manner
    Help identify risks and controls

Audit Fieldwork
  Complete the audit program: Evaluation, Testing
  Gather documentation/evidence
  Identify possible recommendations
  What you can do:
    Ensure availability of resources
    Discuss status with auditors
    Help identify compensating controls

Audit Recommendations
  Recommendation (condition/cause)
  Business Impact (effect/criteria)
  Management Action Plan
  Implementation Date
  What you can do:
    Verify/validate recommendations
    Remediate if appropriate
    Begin to develop action plan

Audit Reporting
  Closing Meeting
  Draft report: Management responses/action plans/target dates requested within 10 business days
  The Final Report: Executive Summary, Audit report, Audit recommendations, Management responses

Audit Follow-up
  Remediation: Until the condition described in each audit recommendation has changed enough to reduce risk to an acceptable level, expect:
    Periodic inquiry
    Formal tracking
    Management-level reporting
  Follow-up Audit: Generally done 12-15 months later

Audit Survival Strategies
  Accept the validity of the audit as a management tool.
  Understand the audit plan and the auditor's approach.
  Coordinate your team's response to the audit process.
  Use the reporting process to demonstrate your team's strengths.
Stepping Through a BCP Audit Process
BCP Pre-Audit Steps
  Preliminary Survey: Questionnaires, Interviews
  Scope Determination

BCP Audit Approach/Testing
  Inspection/Review
  Observation
  Participation
  Verification

Auditing BCP Components
  Initiation and Administration
  Emergency Preparedness
  User Interim Procedures
  Back-Up Process
  Recovery Procedures
  Documentation
  Testing & Training

Auditing BCP: Initiation and Administration
  Senior Management Support
  Organizational Responsibility and User Involvement
  Key Strategies and Assumptions

Auditing BCP: Emergency Preparedness
  Declaration & Evacuation Procedures
  Public Relations
  Damage Containment, Clean-Up and Salvaging Program

Auditing BCP: User Interim Procedures
  Key Strategies and Assumptions
  Security and Audit Trails

Auditing BCP: Back-Up Process
  Data Files
  Application and System Software
  Hardware and Support Facilities
  Logistics Support and Personnel

Auditing BCP: Recovery Procedures
  Data Center Activation
  File Recovery Procedures
  Start-Up of Critical Systems

Auditing BCP: Documentation
  Distribution and Version Control
  Currency
  Form, Style and Clarity
  Use of Automated Tools

Auditing BCP: Testing & Training
  Exercise Objectives
  Roles and Responsibilities
  Types of Testing
  Plan Maintenance

Summary
  Audit is a valuable resource; use it to your advantage!
  Management Support
  User Involvement
  Documentation
  Testing
Institute of Internal Auditors Global Technology Audit Guide (GTAG)
The IT controls guide provides:
  Guidance on IT topics impacting the organization's control and audit practices.
  Approaches to security, control, auditing, and assurance.
  Guidance on compliance with relevant legislation and regulations.
  Topical material for CAEs' discussions with executives and management.
  Executive summaries addressing concerns of governance and chief-level executives.
  Key elements for audit reviews, assessments, and assurance.

Institute of Internal Auditors
Website: www.theiia.org
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association of more than 170,000 members. Throughout the world, The IIA is recognized as the internal audit profession's leader in certification, education, research, and technical guidance.
Certification: CIA = Certified Internal Auditor

Institute of Internal Auditors GTAG-10: Business Continuity Management
Guidance provided to Internal Auditors. Please let me know if you see any opportunities to improve this GTAG.

Objectives
  How can business continuity planning help minimize business disruptions?
  The components of an effective business continuity plan.
  How can a business impact analysis help identify which operations need to be recovered first following a business disruption?
  Ways to maximize internal audit's value in business continuity management audit and governance.

BCM Basics
  Management Support
  Risk Assessment and Risk Mitigation
  Business Impact Analysis (BIA)
  Business Recovery and Continuity Strategy
  Awareness and Training
  Exercises
  Maintenance

Crisis Management Planning
  Inform the general public, employees, stakeholders, suppliers
  Disaster Recovery of IT is a subset of BCM

What Key Ingredients are Necessary to Ensure I Have an Effective Plan?
  1. Enterprise Priority
  2. Support for the Cause
  3. Someone to Drive
  4. Materials, Labor, and a Blueprint
  5. Certification
  6. Maintenance

Key Challenges
  Getting executive and stakeholder support
  Funding
  Getting all stakeholders to agree on risks and impacts
  Getting the business to participate and deliver on time
  Performing sufficient testing
  Keeping the plan maintained

Related Disciplines
All with different timelines:
  Emergency Response
  Crisis Management and Communications
  Resumption of Business Functions

BCM Lifecycle (diagram; labels as extracted): Project Initiation and Management; Governance; Compliance Monitoring & Auditing; Risk Assessment; Culture; Training & Awareness Programs; Continuity Life Cycle; Business Impact Analysis; Analysis; Business Continuity Plan Testing; Business Continuity Strategy; Design; Execution; Solutions Deployment and Enhancement

BIA Prerequisite: Risk Assessment
  Identify potential risks to the business: disasters, major disruptions, etc.
  Understand likely business impacts: loss of people, operations, facilities, IT; regional impact to suppliers and infrastructure
  Ensure risk mitigation is deployed
    Prevention: safety, maintenance, redundancies
    Preparation: response, organizational capabilities, standard processes
BIA Overview
  Identifying business processes
  Determining RTO and RPO based on business impact
  Identifying the other parties and physical resources
  Obtaining Sponsor and Manager approval of the BIA

BIA #1: Identifying business processes
  Subject Matter Experts participate
  Identify major work processes
  Combine work processes when they share the same staff, resources, suppliers
  Separate work processes when they have different priorities

BIA #2: Determining RTO and RPO
  Understand the type of impact: health/safety, environmental, customer, financial, regulatory/legal, reputational
  Identify likely consequences of different recovery times (RTO)
  Understand consequences of data loss (RPO)
  Discuss likely costs of each RTO and RPO
  Select RTO and RPO based on business impact and costs

BIA #3: Identifying other parties and resources
  Identify resources required to perform the process: resources that must be obtained to resume the process
  Identify other parties required to perform the process: other people who must be available to provide input and/or perform work

BIA #4: Obtaining Sponsor and Manager approval
Review BIA results with leadership to verify:
  All processes were identified
  RTO and RPO are appropriate
  Critical resources were identified
  Next steps and strategies for creating recovery solutions

BIA: Business Recovery and Continuity Strategy
Identify recovery alternatives:
  Manual work processes
  Alternative/outsourcing
  Disaster Recovery for IT
  Alternative staffing
  Alternative facilities

BIA Output is the BCP
  Create the BCP at individual team level so that it maintains ownership
  Document recovery strategies, BCP solutions, recovery steps
  Maintain a log of BCP changes
  Link the BCP to the overall command structure & Crisis Management

Disaster Recovery of IT
  Data Center
  Applications and data
  Servers
  Networks
  Infrastructure

Recovery Solutions/Sites
  Hot recovery
  Warm recovery
  Cold recovery
  No recovery plan
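The BIA #2 step (select RTO and RPO from the consequences and costs of different recovery times) and the Recovery Solutions/Sites choice above can be worked through numerically. The following is an added example, not part of the presentation: the tier figures, the Process fields and the functions are constructed assumptions, and the expected-annual-cost model (readiness cost plus outage likelihood times impact at the tier's RTO/RPO) is one way to do the cost comparison the slide calls for, not the author's method. The last function is the auditor's verification: it flags processes whose assigned recovery tier cannot meet the RTO/RPO the BIA selected.

```python
import math
from dataclasses import dataclass

# Constructed, illustrative recovery tiers (Recovery Solutions/Sites slide):
# achievable RTO/RPO in hours and the annual cost of keeping each site ready.
TIERS = {
    "hot":  {"rto_h": 2.0,   "rpo_h": 0.25, "annual_cost": 400_000},
    "warm": {"rto_h": 24.0,  "rpo_h": 4.0,  "annual_cost": 120_000},
    "cold": {"rto_h": 168.0, "rpo_h": 24.0, "annual_cost": 30_000},
    "none": {"rto_h": math.inf, "rpo_h": math.inf, "annual_cost": 0},
}

@dataclass
class Process:
    name: str
    loss_per_hour: float         # impact of each hour of downtime
    data_loss_per_hour: float    # impact of each hour of lost transactions
    outages_per_year: float      # likelihood, from the risk assessment
    max_rto_h: float = math.inf  # hard regulatory/legal ceiling, if any

def expected_annual_cost(tier: str, p: Process) -> float:
    """Readiness cost plus expected outage impact when recovering at this tier."""
    t = TIERS[tier]
    if t["rto_h"] > p.max_rto_h:
        return math.inf                      # tier cannot meet the legal limit
    exposure = 0.0                           # per-outage impact at this tier
    for hours, rate in ((t["rto_h"], p.loss_per_hour),
                        (t["rpo_h"], p.data_loss_per_hour)):
        if rate:                             # skip inf*0, which would be nan
            exposure += hours * rate
    impact = p.outages_per_year * exposure if p.outages_per_year else 0.0
    return t["annual_cost"] + impact

def select_rto_rpo(p: Process) -> tuple:
    """BIA #2 outcome: the cheapest tier overall; its RTO/RPO become targets."""
    tier = min(TIERS, key=lambda name: expected_annual_cost(name, p))
    return tier, TIERS[tier]["rto_h"], TIERS[tier]["rpo_h"]

def audit_assignments(processes, assigned: dict) -> list:
    """Verification step: flag each process whose assigned tier misses the
    RTO or RPO the BIA selected for it. Over-provisioning is not a finding."""
    findings = []
    for p in processes:
        _, rto, rpo = select_rto_rpo(p)
        name = assigned.get(p.name, "none")
        have = TIERS[name]
        if have["rto_h"] > rto or have["rpo_h"] > rpo:
            findings.append(f"{p.name}: assigned {name} (RTO {have['rto_h']}h/"
                            f"RPO {have['rpo_h']}h) misses BIA target "
                            f"RTO {rto}h/RPO {rpo}h")
    return findings
```

A process with a regulatory ceiling on downtime (max_rto_h) is forced onto a tier that meets it regardless of cost, while a process with no impact at all correctly ends up with no recovery plan.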
Awareness and Training
  Sponsors
  Managers
  Coordinators
  Consultants
  Staff

Maintenance
Changes in:
  Business priorities
  People
  Processes
  Technology

Exercise (not a test)
  Frequency
  Various threat scenarios
  Track issues and correct

Crisis Management
  Crisis communications
  Coordination with external agencies
  Emergency response

The role of Internal Audit
  Does Sr. Management understand the current business continuity risk level?
  Can the organization prove the business continuity risks are mitigated to an acceptable level?
  If an unacceptable business continuity risk exists, but Sr. Management has decided to assume the risk, are the Board and other key partners aware?
  Has the decision to accept the risk been properly documented?

Maximize IA value in the BCP process
  Work in a collaborative manner with the client
  Understand BCP and management objectives
  Understand the scope of business continuity
  Approach from a process perspective, as opposed to a documentation review
  Focus on the entire BCM life-cycle, ranging from standards assessments through plan testing
  Brainstorm ideas for improvement
  Engage the Business Continuity Coordinator
Information Systems Audit and Control Association (ISACA)
www.isaca.org
A nonprofit, independent membership association, ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance, control and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969 as the EDP Auditors Association, ISACA helps its members and their employers ensure trust in, and value from, information systems. ISACA has more than 95,000 constituents in more than 160 countries in Asia, Latin America, Europe, Africa, North America and Oceania. Its members include internal and external auditors, CEOs, CFOs, CIOs, educators, information security and control professionals, business managers, students, and IT consultants.
Certification: CISA = Certified Information Systems Auditor

COBIT
COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

COBIT DS4: Ensure Continuous Service
Guidance provided to IT Auditors. Please let me know if you see any opportunities to improve this COBIT section.

DS4
  4.1 IT Continuity Framework
  4.2 IT Continuity Plans
  4.3 Critical IT Resources
  4.4 Maintenance of the IT Continuity Plan
  4.5 Testing
  4.6 Training
  4.7 Distribution
  4.8 IT Services Recovery and Resumption
  4.9 Offsite Backup Storage
  4.10 Post-resumption Review
DS 4.1 IT Continuity Framework Control Objective: Develop a framework for IT continuity to support enterprise-wide business continuity management using a consistent process.
DS 4.2 Continuity Plans Control Objective: Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes.
DS 4.3 Critical IT Resources Control Objective: Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations.
DS 4.4 Maintenance of the IT Continuity Plan Control Objective: Encourage IT Management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements.
DS 4.5 Testing of the IT Continuity Plan Control Objective: Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant.
DS 4.6 IT Continuity Plan Training Control Objective: Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster.
DS 4.7 Distribution of the IT Continuity Plan Control Objective: Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorized interested parties when and where needed.
DS 4.8 IT Services Recovery and Resumption Control Objective: Plan the actions to be taken for the period when IT is recovering and resuming services.
DS 4.9 Offsite Backup Storage Control Objective: Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans.
DS 4.10 Post-resumption Review Control Objective: Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.
Conclusion
  Make auditors part of the team
  Communicate
  Seek the auditors' help
  Let the auditors in
  Make the auditing process part of the BCP routine
QUESTIONS?