control, and governance
Is Your Organization's Business Continuity Plan Effective?
Identifying key problem areas during audits of business continuity plans can enhance an organization's disaster recovery efforts and ensure the quick return of business activities and services.
Syed Salman, CISA
Senior Information Systems Auditor
Ford Rhodes Sidat Hyder & Co. Chartered Accountants
As dependence on IT systems continues to grow, businesses are becoming particularly concerned about the availability of their IT systems year-round. Regulatory pressures also are directing business attention to this area. Business continuity management requirements found in initiatives such as the U.S. Health Insurance Portability and Accountability Act of 1996, BASEL II Accord, and National Association of Securities Dealers (NASD) 3510 Rule are forcing companies to mitigate operational risks effectively and provide evidence that controls are working properly. Not surprisingly, the business continuity plan (BCP) has become an important document in most organizations and a main area of concern for internal auditors. Because of their role, auditors are in the perfect position to help companies improve the effectiveness of business continuity management plans by identifying current and possible problem areas and providing recommendations aimed at preparing organizations before a disaster strikes.
IDENTIFYING BUSINESS CONTINUITY PROBLEMS
When reviewing an organization's business continuity management efforts, internal auditors may find that even though the BCP is of dire importance to the organization, the plan is in poor shape or rendered useless by the passage of time. Sometimes auditors may find that employee attitude toward the BCP is casual. This may be true in organizations with a large number of business units or sites where employees are unconcerned about resuming operations quickly or are under the impression that the organization can sustain a financial loss. In addition, auditors may discover that although the BCP is implemented and tested in some parts of the organization, not all business units have tested the plan or developed similar processes, especially isolated or remote business locations.
Other problem areas identified during audits of business continuity management procedures include:
Auditors may find that these problems occur simultaneously throughout the organization or in isolated business areas, and lead to a slow, costly, and disorganized recovery process.
IMPROVING BUSINESS CONTINUITY EFFORTS
In companies that do not have an established BCP, implementing effective business continuity management initiatives is best accomplished through a combination of management support and elimination of problem areas. Internal auditors can help organizations accomplish both objectives by recommending that organizations conduct a comprehensive assessment of their business continuity processes and vulnerable areas. An internal auditor or an external consultant can conduct the review.
Once the assessment is conducted and issues are identified, organizations should:
In organizations with an established BCP, auditors can review the plan's effectiveness and draft a report that outlines how plan discrepancies should be resolved. In addition to enhancing the plan, this will draw management's attention to the issues or inefficiencies identified during the review process. Auditors also can work with senior managers to identify the root causes of any business continuity problems and provide recommendations that can help the organization eliminate any short- and long-term issues.
Main Factors Leading to Ineffective BCPs
A key factor leading to poor business continuity planning is the inappropriate delegation of planning activities and the lack of senior-level management involvement during the plan's development, implementation, and maintenance phases — as exemplified by the 2005 Business Continuity Survey conducted by CPM Group and Deloitte and Touche LLP (see "Executive Management and Business Continuity" below). For instance, some executives may think that BCPs only encompass procedures pertaining to recovery of IT systems or automated routine processes. Because these activities typically are performed by low-level IT staff, executives erroneously believe there is no need for them to be involved in the planning process, and thus delegate planning responsibilities to IT managers or other mid-level managers.
Executive Management and Business Continuity
According to the 2005 Business Continuity Survey by CPM Group and Deloitte and Touche LLP, only 18.7 percent of executive managers are actively involved in setting business continuity program priorities. In addition, only 38 percent of executives understand the effect of regulatory issues on business continuity management efforts or know whether the organization is fully compliant with audit requirements. Regulatory mandates can increase management’s focus on business continuity governance and enhance risk management controls. To review the complete 2005 Business Continuity Survey, visit Deloitte's Web site.
Once the tone at the top is more supportive, the organization's awareness of the plan's content will improve significantly. These efforts increase the likelihood that the BCP document truly achieves its overall objective: To form a complete executable plan that minimizes the time it takes to recuperate in the event of a disaster by using the least amount of corporate resources necessary.
THE ROLE OF AUDITORS
In addition to identifying problem areas, it is important for auditors to know how they can help during the business continuity process. Key areas auditors should keep in mind include evaluating the company's business continuity readiness, how to review recovery activities, and action items to consider during the BCP audit.
To evaluate the company's business continuity readiness, internal auditors should assess the organization's internal and external environment. In addition, auditors can help evaluate the formulation of the entire BCP and review the proposed document for its design, completeness, and overall adequacy. Auditors should then present a summary of their assessment and recommendations to senior managers.
During the recovery period, auditors should monitor the effectiveness of recovery and control operations, and recommend improvements to the BCP. Auditors also can assist by identifying lessons learned from disaster and recovery events. Finally, auditors should review the plan's adequacy in ensuring the timely resumption of business operations after a disaster and determine whether the plan reflects the current business operating environment.
Questions auditors should ask while reviewing the organization's BCP include:
A POSITIVE OUTLOOK
Many organizations are starting to pay more attention to business continuity management, perhaps in part due to the Sept. 11, 2001 attacks that crippled New York City and the 2004 train bombings in Madrid, Spain. Business continuity management has received additional spotlight after recent natural disasters, including the 2005 tsunami that killed approximately 150,000 people in Asia and the 2005 destruction caused in the United States by Hurricane Katrina in New Orleans.
This increased attention was evident in the CPM Group and Deloitte survey. According to the study, executive management involvement is slowly increasing in organizations: Management support increased by 2 percent last year — from 17 percent in 2004 to 19 percent in 2005, and the number of formal steering BCP committees increased as well — from 19 percent in 2004 to 22 percent in 2005. Companies also are allocating more funding to business continuity efforts: Budget allocations in excess of US $1 million increased by 11 percent in 2005. This involvement and interest by top management levels is projected to continue increasing in the years to come, says the study.
As part of their role, auditors can provide recommendations that can enhance business continuity efforts, thus becoming an integral part of the process. Identifying problem areas, such as lack of executive-level involvement, and recommending effective courses of action are some of the many ways in which auditors can help organizations get back on their feet quickly when disasters strike and ensure the continuing and smooth operation of vital business functions.
Syed M. Salman, CISA, is a senior information systems auditor for Ford Rhodes Sidat Hyder & Co. Chartered Accountants, an Ernst & Young International member firm in Pakistan. Previously, he worked for Deloitte in Karachi, Pakistan. Salman has conducted reviews of general computer controls in companies where computer processing environments play a dominant role in business operations and has been a part of business continuity planning efforts at major financial institutions.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.