BCM Audit Series

Areas of Audit Focus and Test Approaches

This is a sample set of testing approaches and techniques which an Auditor can execute during a BCM audit. The heading for each of the samples is described in the table within the blog.
Moh Heng Goh
BCMS Audit Certified Planner-Specialist-Expert

This section provides the reader with a sample of the testing approaches and techniques that an Auditor can execute during an audit. The headings used in each sample are described below:

Audit Area: The area of audit focus, based on the BCM Planning Methodology.

Test Approach: The type of test approach to be adopted.

Techniques: The steps to be taken to verify the audit area.

Audit Area
Project Management

Test Approach: Review Project Charter
  • Static and walkthrough
Techniques
  • Verify sign-off of a project by the Executive Management
  • Compare to the organization's BCM policy and standards

Audit Area
Business Impact Analysis

Test Approach: Review BIA Report
  • Static and walkthrough
Techniques
  • Verify sign-off by the Executive Management for:
    • Critical business functions
    • Minimum resources needed
    • RTO
    • Interdependencies
    • Vital records
  • Verify sign-off of business units' critical business functions by the Heads of the business units

Audit Area
Business Continuity Strategy

Test Approach: User Standby Continuity Provisions
  • Static and walkthrough
Techniques
  • Use verification and/or observation
  • Compare with good practices and BCM standards
  • Conduct simulations or tests

Test Approach: Alternate Site Facility
  • Static, walkthrough and physical testing
Techniques
  • Check for completeness.
  • Review by verification, walkthrough and sampling of inventory for contents at off-site storage.
  • Verify currency of back-ups and procedures for automatic updating of back-ups.
  • Review courier/transportation arrangements and retrieval of files, programs and vital items.
  • Review condition of files and whether they are stored in ready-to-use (load) form or whether any conversion would be needed (e.g. data compression form used).

Test Approach: Alternate Site Provisions
  • Static, walkthrough and participatory test
Techniques
  • Conduct a static review of arrangements (documentation, contract provisions).
  • Perform walk-through of facilities.
  • Evaluate configuration and compatibilities

Test Approach: Alternate Site Provisions
  • Static and active test methods.
Techniques
  • Review the latest update of a backup copy of executable (production) programs for key “critical IT applications”
  • Arrange for or witness the selective test of program library contents
  • Review process by which IT applications and system software programs are regularly updated, and the criteria for determining when to update.
  • Review the organizational assignment of responsibility for updates, i.e. who is specifically responsible for performing them.

Test Approach: Critical IT Applications
  • Static testing
Techniques
  • Review critical IT application selection process
    • Who ultimately decides what is critical?
    • What is the approval process?
    • Who participates in the decision?
  • Verify provisions in effect for critical systems
  • Review how new systems, in development, are incorporated into a “critical list”.
  • Review how the "critical chain of provision" is determined (non-critical systems that feed or support critical systems become critical systems themselves: the domino effect).

Audit Area
Plan Development

Test Approach: Emergency Preparedness
  • Static and walkthrough
Techniques
  • Verify documentation
  • Perform observation
  • Compare to a sound set of BCM standards of best practices
  • Conduct simulation or evacuation drills

Test Approach: IT Recovery Provisions Program
  • Static, walkthrough and participatory test
Techniques
  • Review thoroughness of recovery plan documentation against desirable practices.
  • Review short-term recovery procedures for file destruction (batch/online systems)
  • Review BC Plan and procedures for reconstruction of whole data centre and file recovery.
  • Arrange for, or witness, critical IT applications recovery test in an alternate, back-up or hot-site facility.
  • Evaluate the standards and procedures used.
  • Spot deficiencies.
  • Determine whether users are involved.
  • Review reconciliation and synchronization procedures for data across processing facilities and time periods and across interdependent systems.
  • Verify the existence of up-to-date log of critical files, programs and work files that reflect the latest situation for recovery.
    • This list should preferably be computerised and a copy stored off-site.
  • Review the existence and thoroughness of a detailed IT DR plan that considers:
    • Short-term system recovery
      • File, logic or minor equipment failures.
    • Full-scale installation disruption
      • Data centre not destroyed (e.g. flooding).
    • Interim recovery of processing at a hot-site or another site.
    • Full reconstruction and recovery after the total destruction of the data centre and/or telecommunications.
      • Depending on the maturity of the plan.

Audit Area
Testing and Exercising

Test Approach: Review BC Procedures
  • Testing of BC Plan workability
  • Static Test and Sample Static Verification
Techniques
  • Verify the criteria and procedures for BC Plan updating and compliance.
  • Conducting a surprise audit may be helpful.
  • Audit by participating in the test team and by witnessing or observing the test.
  • The Auditor may become the instigator of testing and participate in tests actually executed by others.
  • Provide independence, with limited resources.

Audit Area
Program Management

Maintenance and Updating of Plan

Test Approach: Criteria and Procedures for BC Plan Update
  • Static methods of testing
  • Documentation review
Techniques
  • Verify the existence of a set of provisions and procedures for dealing with issues that arise after the recovery and after migration to the new processing centre, if the original was totally destroyed, covering:
    • Dismantling procedures for the interim backup.
    • Declaration of the end of the emergency and broadcasting to users of the new order of normalcy.
    • Reconciliation of files and records (materiality and asset issues for unexplained discrepancies).
    • Restoration of full-scale critical processing.
    • A BC plan for the gradual restoration of non-critical systems.
    • Disposition of transactions/data collected during emergency operation in interim backup facilities, and what to do with them.
    • Tying up loose ends and updating the BC Plan.

A Manager’s Guide to Auditing & Reviewing Your Business Continuity Management Program

Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "Appendix 6: Areas of Audit Focus and Test Approaches"