Areas of Audit Focus and Test Approaches
This section provides the reader with a sample of the testing approach and the techniques which an Auditor can execute during an audit. The heading for each of the samples is described in the table below:
Audit Area
|
The area of the audit focus based on the BCM Planning Methodology.
|
Test Approach
|
The type of test approach to be adopted.
|
Techniques
|
The steps to be taken to verify the audit area.
|
|
Audit Area
|
Project Management
|
|
Test Approach: Review Project Charter
Techniques
- Verify sign-off of a project by the Executive Management
- Compare to a set of organizational BCM policy and standards
|
Audit Area
|
Business Impact Analysis
|
|
Test Approach: Review BIA Report
Techniques
- Verify sign-off by the Executive Management for:
- Critical business functions
- Minimum resources needed
- RTO
- Interdependencies
- Vital records
- Verify sign-off of business units’ critical business functions by Heads of business units
|
Audit Area
|
Business Continuity Strategy
|
|
Test Approach: User Standby Continuity Provisions
Techniques
- Use verification and/or observation
- Compare with good practices and BCM standards
- Conduct simulations or tests
Test Approach: Alternate Site Facility
- Static, walkthrough and physical testing
Techniques
- Check for completeness.
- Review by verification, walkthrough and sampling of inventory for contents at off-site storage.
- Verify currency of back-ups and procedures for automatic updating of back-ups.
- Review courier/transportation arrangements and retrieval of files, programs and vital items.
- Review condition of files and whether they are stored in ready-to-use (load) form or whether any conversion would be needed (e.g. data compression form used).
Test Approach: Alternate Site Provisions
- Static, walkthrough and participatory test
Techniques
- Conduct a static review of arrangements (documentation, contract provisions).
- Perform walk-through of facilities.
- Evaluate configuration and compatibilities
Test Approach: Alternate Site Provisions
- Static and active test methods.
Techniques
- Review the latest update of a backup copy of executable (production) programs for key “critical IT applications”
- Arrange for or witness the selective test of program library contents
- Review process by which IT applications and system software programs are regularly updated, and the criteria for determining when to update.
- Review responsibility organizations on those who are specifically responsible for updates.
Test Approach: Critical IT Applications
Techniques
- Review critical IT application selection process
- Who ultimately decides what is critical?
- What is the approval process?
- Who participates in the decision?
- Verify provisions in effect for critical systems
- Review how new systems, in development, are incorporated into a “critical list”.
- Review how the “critical chain of provision” (non-critical systems that feed or support critical systems becoming critical systems themselves - domino effect) is determined.
|
Audit Area
|
Plan Development
|
|
Test Approach: Emergency Preparedness
Techniques
- Verify documentation
- Perform observation
- Compare to a sound set of BCM standards of best practices
- Conduct simulation or evacuation drills
Test Approach: IT Recovery Provisions Program
- Static, walkthrough and participatory test
Techniques
- Review thoroughness of recovery plan documentation against desirable practices.
- Review short-term recovery procedures for file destruction (batch/online systems)
- Review BC Plan and procedures for reconstruction of whole data centre and file recovery.
- Arrange for, or witness, critical IT applications recovery test in an alternate, back-up or hot-site facility.
- Evaluate the standards and procedures used.
- Spot deficiencies.
- Determine whether users are involved.
- Review reconciliation and synchronization procedures for data across processing facilities and time periods and across interdependent systems.
- Verify the existence of up-to-date log of critical files, programs and work files that reflect the latest situation for recovery.
- This list should preferably be computerised and a copy stored off-site.
- Review existence and thoroughness of a detailed IT DR plan that considers:
- System recovery for short-term
- File or logic or minor equipment failures.
- Full-scale installation disruption
- Data centre not destroyed such as flooding.
- Interim recovery of processing at hot-site or another site.
- Full reconstruction and recovery for the total destruction of data centre and/or telecommunications.
- Depending on the maturity of the plan
|
Audit Area
|
Testing and Exercising
|
|
Test Approach: Review BC Procedures
- Testing of BC Plan workability
- Static Test and Sample Static Verification
Techniques
- Verify criteria and procedures for BC Plan updating and compliance.
- Conduct of surprise audit may be helpful.
- An audit by participation in the test team and by witnessing or observation.
- The Auditor may become the instigator of testing and participate in the tests actually executed by others
- Provide independence and limited resources
|
Audit Area
|
Program Management
|
|
|
Maintenance and Updating of Plan
|
|
Test Approach: Criteria and Procedures for BC Plan Update
- Static methods of testing
- Documentation review
Techniques
- Verify the existence of a set of provisions and procedures for dealing with issues that arise after the recovery and after migration to the new processing center, if the original was totally destroyed.
- Dismantling procedures for interim backup
- Declaration of end of emergency and broadcasting to users of new order of normalcy
- Reconciliation of files and records (materiality asset issues for unexplained discrepancies)
- Restoration of full-scale critical processing.
- A BC plan for the gradual restoration of non-critical systems.
- Disposition of transactions/data collected during emergency operation in interim backup facilities and what to do with it.
- Tying up loose ends. Updating the BC Plan.
Resource
Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.
Extracted from "Appendix 6: Areas of Audit Focus and Test Approaches"
Find out more about Blended Learning BCM-8530 [BL-A-5] & BCM-8030 [BL-A-3]