Report Writing For BCP Audit: A General Guide

1) The document provides guidance on conducting an audit of a business continuity plan (BCP). It outlines the key elements to audit, including business process analysis, risk assessment, recovery plans, change control, and testing procedures. 2) The auditor's responsibilities include checking that the BCP covers all critical systems, is based on a business impact analysis, includes preventative and recovery controls, and addresses restoration after a disaster. 3) An effective BCP audit report structure includes an executive summary, findings and recommendations, required actions, appendices, and a follow-up plan. The report evaluates the BCP against audit criteria.

Uploaded by Greg Ezeilo

Report Writing for BCP Audit
A General Guide

Agenda: Auditing the Audit Reports
1. Recap—Asking the Right Questions
2. BCP—Key Elements in the Process
3. Perspectives—The 5-Pronged BCP Elements
4. BCP Audit Report—Logic – Structure and Framework
5. Writing BCP Audit Report
6. Questions and Answers
7. Conclusions and Remarks
Asking the Right Questions
1. Can your business survive the losses if you had a disaster today?
2. What if the building was demolished along with the computers?
3. How long will it take for your business to return to a level of basic service?
4. Will you be able to get critical applications up within 10 days?
5. How long will it take your business to return to a level of complete service?
6. What losses will you incur in the meantime?
7. Can you get your pivotal people to those applications even if the roads are closed?
8. Do you even have another site lined up?
The Why of BCP
1. Prevent or mitigate the effects of a disaster from occurring wherever possible
2. Protect employees
3. Restore critical business processes or functions to minimize the financial impact of a disaster
4. Restore related infrastructure, operating systems and applications to support the critical functions
5. Protect corporate assets and minimize legal exposure
BCP Audit—Key Elements
• Evidence of validation of the Plan
• Plan in ensuring business continuity and recovery
• Be sure all risks associated with disaster are covered in the plan
• Scrutinizing and verifying preventive and facilitating measures for ensuring
• Issues a Report of Audit
Key Audit Activities
Relevant documentation to examine:
• Organisational chart and business process analysis
• Recovery Plan documentation and third party review (where necessary)
• Overall Recovery Plan structure
• Risk Assessment
• Plan coordination list
• Business Impact Analysis

Business Process Analysis
• Was a high level business process analysis performed?
• Has the Plan Unit organization structure been identified and documented?
• Is the organization and location structure current, change management?

Business Impact Analysis
• Have business impact criteria been defined?
• Was a BIA performed and documented in alignment with the criteria established?
• Was there an established methodology used to perform the BIA and document the results of the analysis?
• Is there adequate documentation for assumptions and impact scoring rationale?
• Were the final BIA results approved by senior management?
• Do recovery strategies align with the results of the BIA?
• Have Recovery Time Objectives and Recovery Point Objectives been identified?

Risk Assessment and Mitigation
• Has an emergency Coordinator been appointed?
• Has a review been conducted to determine potential risks of natural disasters and other building emergencies?
• Have mitigation strategies been identified and implemented?

Risk Assessment and Mitigation: Facility/Technology/Business Operations
• Was a facility, Technology and Business Operations Risk Assessment conducted that:
  - Identifies control weaknesses and single points of failure
  - Identifies one or more countermeasures
• Have mitigation strategies been selected and implemented?

Risk Assessment and Mitigation: Third Parties
• Were all critical third parties identified and linked to the business process and related infrastructure/technology identified in the BIA?
• Have third party review criteria been established?
• Was a third party risk assessment performed by vendor?

Recovery Plans
• Are Recovery roles identified?
• Has an individual and a backup been identified who can declare a disaster?
• Is the plan documentation current and has it been distributed to all personnel?
• Are Emergency Notification Procedures clear and accurate?
• Are Communication procedures in place and current (who talks to who)?
• Are recovery requirements and data current?

Change Control
• Are there change control procedures?
• Are changes formally approved before implementation?
• Are there document version control procedures established?
• Are there procedures for incorporating changes and notification?

Exercise, Maintenance and Training
• Has a program been developed, implemented and communicated that includes:
  - Key elements to be maintained
  - Key elements to be exercised
  - An exercise and maintenance calendar
  - Specific exercises conducted
  - Recommendations and follow-up for improvement

IS Auditor Responsibilities include:
• Checking whether the plan covers all mission-critical systems or is only for other, selected systems.
• Ascertaining whether the plan is based on a systematic business impact analysis that clearly understands the impact of non-availability of the systems on the business.
• Examining the plan to determine whether the plan has a good combination of preventive controls and recovery controls.
• Verifying whether the BCP is updated periodically and reflects the current business and IT environment accurately.
• Evaluating the requirement of testing the plans or disaster recovery drills.
• Verifying whether the plan addresses not just recovery after a disaster but also restoration back to the primary site when normalcy returns.
• Evaluating other elements, like notifications, call trees, the response teams, updating the contact information, and the step-by-step procedures for recovery, for appropriateness.

Reporting—the 5-pronged elements in reporting
• Condition
• Criteria
• Cause
• Effect
• Recommendation

Audit Report Structure
At a minimum, the report should include:
• Report transmittal memorandum/executive summary
• Findings and recommendations
• Action required
• Appendices
• Exhibits
• Records of all actions taken by auditor and auditee
• Follow-up Plan

Report Structure and Content—audit findings
• Evaluate audit evidence against audit criteria to generate audit findings
• Indicate if findings represent opportunities for improvement on the BCP
• Meet (audit team) to review findings
• Specify (with supporting evidence) or summarize conformity by location, function, or processes, as required by audit plan

Report Structure and Content—audit conclusion
Audit conclusions underway…
The audit team meets prior to the closing meeting. Purpose is to:
• Review audit findings and other information
• Agree on audit conclusions
• Prepare the audit report and recommendations
• Plan for follow-up
• If included in audit plan, discuss the audit closing meeting
• Discuss scheduling of the audit plan

Audit Report—prepare, approve and circulate
1. Any areas in audit scope not covered
2. Confirmation that audit objectives accomplished
3. Any unresolved issues between the auditee and team
4. Plan non-performance
5. Obstacles encountered
6. Distribution list
7. Confidentiality statement

Closing Meetings
• Will normally be formal
• Hold closing meeting to present audit findings and conclusions
• Keep minutes and attendance records
• Cover situations encountered during audit that may decrease reliance on BCP
• Provide recommendations for improvement on the Plan where specified by audit objectives
• Discuss and resolve divergent audit findings and conclusions; keep a record if not resolved

Follow-up Activities
• Audit conclusions may require corrective, preventive, or improvement actions
• Auditee decides and carries out these actions within agreed timeframe
• These actions are not part of the audit
• Audit team member should verify completion and effectiveness of actions taken
• This verification may be part of a subsequent audit
• Maintain independence in subsequent audit activities

Conclusion
• Understanding the main purpose of BCP is essential to the BCP audit activities
• Plan the BCP Audit
• Carry out all key BCP audit activities
• Write the BCP Audit Report
• Issue and distribute BCP audit reports and do the required follow-up
