Workpaper 11-1. Standard Business Continuity Planning Audit Program
Audit: | Auditor/Date: | ||
---|---|---|---|
Date: | Reviewed/Date: | ||
Program Step | Description | Done by | Date | W/P | |||
---|---|---|---|---|---|---|---|
1 | Evaluate the Business Impact Analysis | ||||||
A | Assess the extent to which the following issues have been addressed: | ||||||
1 | Identify relevant risks or events that could strike the enterprise. | ||||||
2 | Investigate all possible alternatives for reacting or responding to those events. | ||||||
3 | Determine the duration of any business interruption until recovery activities could restore normal operations, whether that interruption affected company personnel, company systems, or both. | ||||||
4 | Estimate the effect of having the business partially or fully interrupted based on the outage duration information from the prior step. The effect could take the form of: a. unplanned direct costs associated with the event; b. increased normal operating costs; c. lost or delayed revenues; d. changes in intangibles such as market share and public perception | ||||||
5 | Determine or estimate the unplanned costs, increased normal operating costs, lost revenues, and effect on intangibles associated with each recovery alternative. | ||||||
B | Review final analysis and recommendations presented to management. | ||||||
2 | Evaluate the Recovery Strategy | ||||||
A | The recovery strategy selected by management should be identified in a policy statement so that management's interests and intentions are clearly communicated to company personnel. | ||||||
B | The approved recovery strategy should be documented and distributed to appropriate company personnel. | ||||||
3 | Evaluate the Recovery Plan | ||||||
A | Damage assessment, plan activation, and salvage activities. | ||||||
1 | Determine local management's knowledge of the plan and of the assessment activities required to decide whether to activate the plan, and, if activating the plan, to what extent it should be activated. | ||||||
2 | Determine the timing, communication process, and sequence of activation steps. | ||||||
3 | Review assessment of critical time deadlines needed to secure high-value transactions and data elements. | ||||||
B | Hardware restoration. Review plan for: | ||||||
1 | Complete inventory of hardware that should be recovered. | ||||||
2 | Vendor, item, and other necessary purchasing information. | ||||||
3 | Details for acquiring, installing, configuring, and otherwise restoring hardware support for business activities. | ||||||
C | Alternate office facilities. Review any plans designed to support a complete recovery of the business that require rearranging or relocating company personnel during a disaster situation. Evaluate the scope of plans for required support tools such as equipment and telecommunication. | ||||||
D | Data recovery. Review plan for two components: backward and forward data recovery. Backward recovery includes all those transactions entered or received by the system and then lost due to the disaster. Forward recovery takes in all the transactions that were in the entry process or that occurred after the disaster happened and could not be entered. | ||||||
1 | Review backward recovery issues such as identifying lost transactions, having them sequenced if necessary, and then re-entering and processing them. Ensure that checks are in place to avoid duplication. | ||||||
2 | Review forward recovery issues such as capturing those transactions that are in the entry process when the disaster happens, transactions occurring and being handled while system files are complete and accurate. | ||||||
E | Personnel issues. Review procedures to address employee safety and accessibility. | ||||||
1 | Review plan for a complete employee list so that rolls can be checked, calls to employees with instructions can be made expeditiously, and that, in the most extreme circumstances, families can be notified of injuries or other problems. | ||||||
2 | Review support contact lists that would include key vendors, customers, and other emergency contacts. | ||||||
4 | Evaluate Plan Testing and Maintenance | ||||||
A | Review frequency and thoroughness of testing plans. | ||||||
B | Determine if the plan is tested based on predetermined scenarios that include the situation, the test procedures, who will perform those procedures, and the expected results. | ||||||
C | Evaluate the documentation and reporting process surrounding testing. | ||||||
D | Evaluate the frequency and causes of plan updates that should ensure that plan strategic and tactical information is current. Confirm that the plan is redistributed after any material change. | ||||||
Audit Program for Backup, Recovery, and Contingency Planning. |