Audit Function Participating As a Business Unit During the BCM Project
Auditors’ roles and responsibilities as a business unit are seldom discussed during any BC project. Their involvement is often regarded as a post-disaster requirement, or even not critical. These are some of the areas that the audit department may not be involved in:
- As a support team within the corporate BC Plan.
- During the incident management.
Often, the exclusion from the BC project by the audit department is due to their self-proclamation that audit is not critical during a disaster. It has been observed that although routine audit functions could be delayed during a disaster, in some organizations, however, it has a critical role to play.
BC Plan Procedures for Audit
These are some samples of BC Plan procedures for the Audit Department.
Sample 1 (Financial Institution)
- Reporting to Head Office and regulators
- Pre-Crisis: Store the reporting materials in the LAN drives which are covered by the daily backup and send them to an offsite.
- Within T+4 hours: Inform Head Office and Regulators of the disaster that may result in the delay in reporting
- Scanning for potential terrorist-related transactions
- Pre-Crisis: Keep the Terrorist Scanning Tool at an alternate location
- Within T+4 hours: Contact country A’s Internal Audit to send the Tool (after zipping) to Country B’s shared email account.
- T+4 hours onwards: Load the Terrorist Scanning Tool to the designated PCs at the backup site.
Sample 2 (Gaming)
- Review of a Draw Results (Gaming)
- Pre-Crisis: Obtain a copy of the emergency operating procedures from the Draw Operations Department. Update the draw audit BC Plan and store a copy at the off-site.
- Within T+4 hours: Contact audit staff and have them on standby at the backup site. . The audit staff member is to report to the Draw Manager upon arrival.
- T+4 hours onwards: Observe the conduct of the draw and post-draw activities by the draw audit BC Plan.
- Review of Payment Operations
- Pre-Crisis: Obtain a copy of the emergency plan from Payment Operations. Update the payment audit BC Plan and store a copy at the alternate site.
- Within T+4 hours: Contact audit staff on duty to be on standby. Awaiting the commencement of payment.
- T+4 hours onwards: Start auditing the payment operations in line with the BC Plan and follow up on those reports when they are available.
Role During Incident Response
During an incident, an Auditor should be assigned to review any recovery recommendations and the BC Plan to ensure that standards and policies are maintained. He or she will also assist/consult with the controls for business units dealing with exceptions during recovery. Auditors are to:
- Report to the Crisis Management Centre as directed during the alert.
- Participate in the activation meeting conducted by the Incident Management Team.
- Acquire as much detail as possible regarding the following:
- Event-related specifics:
- Type of event
- Location of occurrence
- Time of occurrence
- Suspected cause
- Event-related specifics:
- Organization facilities potentially affected
- Building access:
- Current access
- Near-term potential access
- Any special instructions.
For the entire duration of the recovery effort, the Executive Management may direct available Audit personnel to consult and provide central advice during the recovery operations. Auditors should:
- Review changes to selected recovery processes, with respect to the BC Plan, such as:
- Financial
- Operational
- Systems
- Compliance
- Examine selected process changes that are brought to the Audit’s attention which may have been made by business units during the recovery effort. This include:
- Exception based processing
- Workflow
- Fund management
- Mail processing
- Ensure that the standards and policies are incorporated into the BC Plan:
- BCM standards and guidelines
- Financial data processing security and control policy
- Anti-fraud policy
- Information handling standards
- Document all findings.
- Provide periodic updates to the Crisis Management Team, as required, for the recovery effort.
Audit Support Procedures
- Provide audit personnel at the recovery location to monitor restoration activities.
- Designate an individual to assist with the retrieval and transportation of backup tapes to the recovery location.
- Notify the external Auditors, if necessary.
- Monitor the control and use of financial items (cheques and petty cash) during the recovery.
- Review any temporary controls established to facilitate the recovery operation.
- Assist with the investigation of the cause of the disaster.
- Review the testing, maintenance and current status of the BC Plan and recovery strategies periodically.
Resume Audit Function
During the resumption of the business units’ critical functions, these are the activities to be executed by the Audit support team:
- Re-establishing communication with business units and customers.
- Re-constructing any lost work-in-process.
- Resuming business operations as resources become available.
- Providing support to any critical business unit functions as directed by the Executive Management.
The recovery of the in-house audit functions is coordinated by assigned personnel who have to complete the following tasks:
- Create a log to track manually in-process and new audit activities.
- Notify dependent business units of new or modified procedures that will be implemented during the duration of the recovery.
- Request internal business units to re-submit documents and reports to Internal Audit, as required.
- Determine what work must be recovered and the time frame to accomplish the recovery.
- Determine the necessity of recreating documentation that has been destroyed,
- Prioritize work to be completed according to the time of month or year it is about the business requirements.
- Resume internal auditing processing functions.
- Notify the Executive Management when essential processing is re-established.
Resource
Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.
Extracted from "Chapter 3.7: Audit Function Identified as Critical" and "Appendix 1: Audit as a Support Team"
Find out more about Blended Learning BCM-8530 [BL-A-5] & BCM-8030 [BL-A-3]
Please feel free to send us a note if you have any of these questions to sales.ap@bcm-institute.org |