Areas of Audit Focus and Test Approaches

Areas of Audit Focus and Test Approaches

This section provides the reader with a sample of the testing approach and the techniques which an Auditor can execute during an audit. The heading for each of the samples is described in the table below:

Test Approach: Review Project Charter

• Static and walkthrough

Techniques

• Verify sign-off of a project by the Executive Management
• Compare to a set of organizational BCM policy and standards

Test Approach: Review BIA Report

• Static and walkthrough

Techniques

• Verify sign-off by the Executive Management for:
  • Critical business functions
  • Minimum resources needed
  • RTO
  • Interdependencies
  • Vital records
• Verify sign-off of business units’ critical business functions by Heads of business units

Test Approach: User Standby Continuity Provisions

• Static and Walkthrough

Techniques

• Use verification and/or observation
• Compare with good practices and BCM standards
• Conduct simulations or tests

Test Approach: Alternate Site Facility

• Static, walkthrough and physical testing

Techniques

• Check for completeness.
• Review by verification, walkthrough and sampling of inventory for contents at off-site storage.
• Verify currency of back-ups and procedures for automatic updating of back-ups.
• Review courier/transportation arrangements and retrieval of files, programs and vital items.
• Review condition of files and whether they are stored in ready-to-use (load) form or whether any conversion would be needed (e.g. data compression form used).

Test Approach: Alternate Site Provisions

• Static, walkthrough and participatory test

Techniques

• Conduct a static review of arrangements (documentation, contract provisions).
• Perform walk-through of facilities.
• Evaluate configuration and compatibilities

Test Approach: Alternate Site Provisions

• Static and active test methods.

Techniques

• Review the latest update of a backup copy of executable (production) programs for key “critical IT applications”
• Arrange for or witness the selective test of program library contents
• Review process by which IT applications and system software programs are regularly updated, and the criteria for determining when to update.
• Review responsibility organizations on those who are specifically responsible for updates.

Test Approach: Critical IT Applications

• Static testing

Techniques

• Review critical IT application selection process
  • Who ultimately decides what is critical?
  • What is the approval process?
  • Who participates in the decision?
• Verify provisions in effect for critical systems
• Review how new systems, in development, are incorporated into a “critical list”.
• Review how the “critical chain of provision” (non-critical systems that feed or support critical systems becoming critical systems themselves - domino effect) is determined.

Test Approach: Emergency Preparedness

• Static and walkthrough

Techniques

• Verify documentation
• Perform observation
• Compare to a sound set of BCM standards of best practices
• Conduct simulation or evacuation drills

Test Approach: IT Recovery Provisions Program

• Static, walkthrough and participatory test

Techniques

• Review thoroughness of recovery plan documentation against desirable practices.
• Review short-term recovery procedures for file destruction (batch/online systems)
• Review BC Plan and procedures for reconstruction of whole data centre and file recovery.
• Arrange for, or witness, critical IT applications recovery test in an alternate, back-up or hot-site facility.
• Evaluate the standards and procedures used.
• Spot deficiencies.
• Determine whether users are involved.
• Review reconciliation and synchronization procedures for data across processing facilities and time periods and across interdependent systems.
• Verify the existence of up-to-date log of critical files, programs and work files that reflect the latest situation for recovery.
  • This list should preferably be computerised and a copy stored off-site.
• Review existence and thoroughness of a detailed IT DR plan that considers:
• System recovery for short-term
  • File or logic or minor equipment failures.
• Full-scale installation disruption
  • Data centre not destroyed such as flooding.
• Interim recovery of processing at hot-site or another site.
• Full reconstruction and recovery for the total destruction of data centre and/or telecommunications.
  • Depending on the maturity of the plan

Test Approach: Review BC Procedures

• Testing of BC Plan workability
• Static Test and Sample Static Verification

Techniques

• Verify criteria and procedures for BC Plan updating and compliance.
• Conduct of surprise audit may be helpful.
• An audit by participation in the test team and by witnessing or observation.
• The Auditor may become the instigator of testing and participate in the tests actually executed by others
• Provide independence and limited resources

Test Approach: Criteria and Procedures for BC Plan Update

• Static methods of testing
• Documentation review

Techniques

• Verify the existence of a set of provisions and procedures for dealing with issues that arise after the recovery and after migration to the new processing center, if the original was totally destroyed.
• Dismantling procedures for interim backup
• Declaration of end of emergency and broadcasting to users of new order of normalcy
• Reconciliation of files and records (materiality asset issues for unexplained discrepancies)
• Restoration of full-scale critical processing.
• A BC plan for the gradual restoration of non-critical systems.
• Disposition of transactions/data collected during emergency operation in interim backup facilities and what to do with it.
• Tying up loose ends. Updating the BC Plan.

Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "Appendix 6: Areas of Audit Focus and Test Approaches"

Find out more about Blended Learning BCM-8530 [BL-A-5] & BCM-8030 [BL-A-3]

	Please feel free to send us a note if you have any of these questions to sales.ap@bcm-institute.org