AUDIT REPORT. Business Continuity Plan. August 31, 2016. Report Number: OIA 2016-AUD-16


AUDIT REPORT Business Continuity Plan August 31, 2016

Table of Contents

Executive Summary
- Background
- Audit Objectives and Scope
- Audit Opinion

Appendix
- Definitions
- Distribution
- Audit Performed By

Executive Summary

Background

Business continuity planning (BCP) is an organization's preparation process to ensure critical business functions can be performed and are available to customers, vendors and other entities in the event of a business interruption, an emergency or incident which damages or prevents access to operational facilities and/or key processing equipment. Some critical business functions at Citizens include customer service, claims adjusting, underwriting, remittance processing and claims check processing. An effective BCP develops a roadmap for maintaining service levels, consistency and recoverability for these operational activities. In addition, BCP involves determining the strategy and methodology by which desired continuity will be achieved.

A Business Continuity Framework was developed to provide guidance to management and staff on how to conduct business continuity (BC) activities across the organization and to familiarize staff where necessary. The framework was approved by Citizens Risk and Audit Committees in September 2015.

In the past, Citizens relied on the availability of multiple office locations in Jacksonville and Tallahassee in the event of a business interruption; therefore, resources and operational activities could be easily relocated to another building. However, that option is no longer available due to the office consolidation to EverBank Center in Jacksonville and the upcoming office consolidation in Tallahassee to Citizens Centre I, which is scheduled to begin in the third quarter of 2016.

In July 2016 the Relocation Resources Requirement Analysis initiative for the EverBank Center began, which consisted of a cross-functional team of individuals from Business Continuity (BC), Information Technology (IT), Human Resources (HR) and Facilities Management (FM). The team met with various business units in Jacksonville to identify critical business functions and to determine what resources are needed in the event the EverBank Center is not available for an extended period of time. The business unit managers are required to document the critical periods, outage times, staffing, equipment, and records in the Relocation Resources Requirement Analysis document, which will be used to develop strategy options in support of an interim business process recovery.

In January 2016, Citizens hired a Business Continuity Manager who is responsible for providing leadership in coordinating, assessing, developing and communicating recovery requirements and contingency plans associated with Citizens business units to protect the organization in the event the facilities or technology resources are unavailable due to a business interruption. On August 8th, during the course of the audit, Business Continuity was realigned from Enterprise Risk Management to the System and Operations function in order to have a concerted effort around the organization's BCP.

Audit Objectives and Scope

The objective of the audit is to evaluate the completeness and appropriateness of the business continuity planning (BCP) process for the organization as administered by the Business Continuity Office. Our scope included the following areas:

- Policies and procedures around key aspects of business continuity programs have been documented and implemented.
- Risks and threats to critical services have been identified and assessed.
- Business resumption and continuity strategies have been developed.
- Business continuity plans have been completed and approved by the executive leadership team to ensure mission critical services can continue during an emergency event.
- There is an agreed process in place for activating Citizens business continuity plans when emergencies occur.
- Business continuity plans have been communicated to relevant staff and published where appropriate.
- Business continuity plans are adequately monitored and maintained.
- A formalized business continuity training program exists, and all individuals responsible for developing and implementing BCP have been adequately trained.
- Business continuity plans are tested periodically and the test results and lessons learned are reviewed, documented, and applied.

Audit Opinion

The overall effectiveness of the processes and controls evaluated during this audit is rated Needs Improvement.

Results from our audit work indicate that there are documented business continuity plans in place for the Tallahassee and Tampa office locations; however, these plans are not comprehensive and have not been updated since 2013. Discussions with management indicated that short term contingency plans have been developed which include a telecommuting strategy where staff would work remotely in the event of a business interruption. In addition, there has not been a coordinated effort provided by the Business Continuity function to facilitate and motivate business units to refresh their business continuity plans prior to and in conjunction with the move to EverBank Center. As a result, the organization may not be able to adequately and timely recover from a business interruption. Executive Management is aware of the risk and has recently initiated a program to develop an interim plan to address immediate deficiencies that exist with EverBank BCP.
Following the initiation of the Relocation Resources Requirement Analysis, some business units (such as Remittance Processing, Claims, Underwriting, Agency Services, Facilities, and Information Technology) took initiative and unilaterally revised their plans to provide some level of readiness. These plans, however, do not holistically anticipate all business continuity needs following the move to the new office location. Some of the plans identified critical elements that were addressed with the move to one office building. Positive, focused actions taken by these units include:

- Remittance Processing contingency plans include relocating the Burroughs equipment, which is used to process premium payments, to the Tampa office location on October 29, 2015. The machine was installed by the vendor on April 8, 2016 and testing was performed by Remittance Processing management with assistance from a Senior System Administrator to provide IT support to ensure the machine is fully operational. The equipment will be tested on a quarterly basis to ensure it is operational.
- Claims Check Processing contingency plans include printing the claims checks by the Accounting Department in Tallahassee. The checks will be mailed overnight to the Tampa office location where the Check Processing Team from Jacksonville and contingent staff in Tampa will print the claims documentation and manually collate the checks and documentation in envelopes to mail to the policyholders.
- Underwriting and Agency Services contingency plans include the staff working remotely or reassigning the work to vendors or the Tampa office location until the building is restored.
- Claims has a program for many of their people to work remotely in case of an event and has been executing on equipment replacement (desktops to laptops) to facilitate such a scenario.
- The Facilities plan is currently being used as the basis for the EverBank BCP scenario currently being developed.

Following management intervention, the Business Continuity function, in conjunction with individuals from Information Technology (IT), Human Resources (HR) and Facilities Management (FM), commenced a relocation resources requirement analysis during July 2016 for EverBank Center. The objective of this analysis is to identify critical business functions and to determine what resources are needed in the event the EverBank Center is not available for an extended period of time. The critical business functions identified during this initiative will be used to develop new recovery strategy options in support of business process recovery for Citizens operations housed at EverBank Center.

Appendix 1: Definitions

Audit Ratings

Satisfactory: The control environment is considered appropriate and maintaining risks within acceptable parameters. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern.

Needs Minor Improvement: The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some minor areas of weakness in the control environment that need to be addressed. Once the identified weaknesses are addressed, the control environment will be considered satisfactory.

Needs Improvement: The audit raises questions regarding the appropriateness of the control environment and its ability to maintain risks within acceptable parameters. The control environment will require meaningful enhancement before it can be considered as fully satisfactory. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some noteworthy areas of weakness.

Unsatisfactory: The control environment is not considered appropriate, or the management of risks reviewed falls outside acceptable parameters, or both. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses.

Appendix 2: Distribution

Addressee(s)
- John Rollins, Chief Risk Officer

Copies

Business Leaders:
- Barry Gilway, President/CEO/Executive Director
- Kelly Booten, Chief Systems and Operations
- Jennifer Montero, Chief Financial Officer
- Dan Sumner, Chief Legal Officer & General Counsel
- Christine Turner Ashburn, VP-Communications, Legislative & External Affairs
- Bruce Meeks, Inspector General
- Steve Bitar, Chief Consumer and Agent Services
- Jay Adams, Chief Claims
- Violet Bloom, VP-Human Resources
- Curt Overpeck, Chief Information Officer
- Robert Sellers, VP-IT Infrastructure & Operations
- March Fisher, Sr. Director of Enterprise Risk and Analytic
- Sandy Allison, Business Continuity Manager

Audit Committee (Exec summary to be distributed by Betty)
- Juan Cocuy, Citizens Audit Committee Chairman
- Bette Brown, Citizens Audit Committee Member
- Jim Henderson, Citizens Audit Committee Member

Following Audit Committee Distribution
- The Honorable Rick Scott, Governor
- The Honorable Jeff Atwater, Chief Financial Officer
- The Honorable Pam Bondi, Attorney General
- The Honorable Adam Putnam, Commissioner of Agriculture
- The Honorable Andy Gardiner, President of the Senate
- The Honorable Steve Crisafulli, Speaker of the House of Representatives
- The External Auditor

Audit Performed By
- Auditor in Charge: Angela Smith
- Audit Director: John Fox
- Under the Direction of: Joe Martins, Chief of Internal Audit