
THE ESCALATING REQUIREMENT FOR BUSINESS CONTINUITY AUDITS

The pandemic has shown the importance of having an effective business continuity plan. Protiviti's Matthew Watson explains the role internal audit must play in scaling up and prioritizing business continuity audits, given the certainties and uncertainties of today's business environment.

With numerous uncertainties heading into 2021, including technology disruptions and growing cybersecurity risks to name only two, business continuity programs have taken on a new urgency. Organizations are entering the new year intent on addressing the critical and emerging risks that could disrupt an already fragile business environment, and on finding effective ways to integrate business continuity planning (BCP) practices into day-to-day operations.

Because regulators increasingly demand resilience from companies, internal audit becomes ever more important in providing assurance that governance, risk management and controls are in place to mitigate risk and strengthen resilience capabilities. This dynamic gives internal audit the opportunity to develop a flexible and broad approach that can be integrated into existing IT and business continuity audits.

MULTIPLE PROCESSES: THE BUSINESS CONTINUITY AUDIT

The business continuity audit, if not already completed, should be expanded and prioritized in the 2021 audit plan to assess the design and operating effectiveness of the Business Continuity Management (BCM) program across its four stages: Business Assessment, Strategy Design, Implementation and Quality Assurance.

-BUSINESS ASSESSMENT

In this stage, the audit should examine the current state of the BCM program and the implementation of its key elements, comprising governance, continuity risk assessment and business impact analysis (BIA). These elements identify the drivers for, and inform the development of, recovery strategies and solutions. Through the continuity risk assessment and BIA, the overall business impact of losing key business processes and the IT applications and systems that support them should be evaluated. Senior management should use the findings to assess and manage risk across the entire company.

-STRATEGY DESIGN

The evaluation of strategy design covers the IT crisis management, business recovery and disaster recovery strategies. Essentially, these are the strategies the company implements to minimize or reduce the risk of business interruption. The basic purpose is to determine whether the strategies are adequately defined to communicate and respond to incidents and to recover key business processes and technologies in a timely manner.

-IMPLEMENTATION

This stage reviews how the BCM strategy is translated into documented crisis management, business recovery and IT disaster recovery plans. In this exercise, the auditor evaluates the content and structure of the plans and determines whether they define appropriate roles and responsibilities, and confirms that key personnel know the actions they need to take in the event of a business interruption.

-QUALITY ASSURANCE

This stage assesses whether, and how, the IT crisis management, business resumption and disaster recovery plans have been adequately tested. Ideally, each plan is tested against its expected recovery capacity. Simulations are sometimes built around the probable risks identified in the risk assessment. The main purpose of a testing program is to validate the content of the recovery plans and provide reasonable assurance that the plans would enable the business to recover in a timely and successful manner.

Internal audit should evaluate the design and execution of the testing program and determine whether the plans are regularly reviewed and updated to reflect changes in the business over time, and whether those updates continue to provide for the timely recovery of technology and critical business processes.

BUSINESS CONTINUITY MANAGEMENT: FOUNDATIONAL ELEMENTS

-GOVERNANCE

Clear accountability and responsibility at different levels of the organization are what make a BCM program successful. While some organizations create a distinct business unit or function to own the program, many choose to leverage existing resources and/or people from the business functions. In practice, it is recommended that management-level responsibility for the BCM program be maintained within the organization so that the program remains visible to decision makers, influences business adoption and supports all aspects of the program.

As part of the internal audit, the review should focus on BCM governance to determine whether the key personnel responsible for ensuring that the BCP contributes to the successful and timely recovery of the enterprise have sufficient oversight and participation. The review may reveal that the company's BCM work is led by middle managers and is carried out without sufficient funding and resources. Such a governance structure often explains why a company's existing continuity functions are passive in nature.

-CONTINUITY RISK ASSESSMENT

In many companies, executives and/or IT professionals have established recovery priorities based on perceived severity levels. Failure scenarios and control assessments are often incomplete, and no metrics are defined. A continuity risk assessment is designed to drive continuous improvement of recovery strategies. Its execution and analysis are best coordinated with the organization's change management and due diligence processes. The review of the continuity risk assessment process should focus on whether the results of the assessment are used to guide the BCM program.

-BIA: BUSINESS IMPACT ANALYSIS

As the risk assessment that forms the basis of the BCM program, the BIA enables companies to assess the potential impact of downtime on the business. The BIA prioritizes the restoration of business processes and of the resources each of them relies on, such as technology, workplaces, equipment, personnel and third parties. The audit should evaluate the BIA to determine whether it contains sufficient detail to identify business interruption risks, their impact and the recovery requirements that will be used to develop the BCM strategy and plans.

CONCLUSION

Business continuity planning requires developing guidance for the various events or disasters that may affect the business, and then setting out how the organization should respond during and/or after those events.

However, the responsibility does not lie with leadership alone. As part of the business continuity assessment, the internal audit department can evaluate employees' awareness of their responsibilities in the event of a disruption and whether they can quickly and successfully resume business operations in accordance with the planned procedures.