Global Technology Audit Guide (GTAG) 10: Business Continuity Management. This section requires evidence of senior management and the board's role in business continuity, its level of support and its commitment to the BC program. Walk through the entire audit process of people, policies and processes, from managing an audit program and controlling audit activities to reporting on audit results. The audit team also reviewed how the BCP Program readiness is maintained. Audit Program – Business Continuity. 1. Objective: Provide management with an independent assessment of the effectiveness of the business continuity plan and its alignment with subordinate continuity plans, evaluate the enterprise’s preparedness in the event of a major business disruption and identify issues that may limit interim business processing and restoration. When performing an audit of an organization’s BCP/DR plans, auditors should consider at a minimum asking the following questions: The new 2016 BCP is scheduled to be presented to management for approval in the fall of 2016. Learn the principles and practices of internal audit for a Business Continuity Management System (BCMS). The OSS-BCP monitoring requirements specify that an audit cycle should be established for the BCP Program. Ms. Michael C. Redmond specializes in Business Continuity Management, … Develop a standardised audit program; Prioritise areas of high audit priority; Determine audit test techniques and approaches; Express and report audit opinions; Prepare a BCM audit report; Learn to audit against BCM standards and regulations. ISO 28000 specifies the requirements for a security management system, including those aspects critical to the security assurance of the supply chain.
Audit Objective, Scope, Approach, Criteria and Sample. 1.3.1 Audit Objective: As defined by the OCG, the objectives of the audit were to determine whether: Departmental governance frameworks for BCP are in place; and Departmental BCP processes are in place. The Audit also considered Corporate Security Division's action plan to refresh the Program as it … B.2 Audit – threats to the organisation & present arrangements C Building up your Plan C.1 Critical Processes C.2 Management Structure C.3 Communication C.4 Alternative Arrangements C.5 Quality 3. Business Continuity Management & Disaster Recovery Checklist 4 INTRODUCTION Business Continuity Management (BCM) and Disaster Recovery is a pre-planned process that helps … It does not matter how good your Disaster Recovery and Business Continuity plan is if your data is out of date, is in a location also affected by the disaster, or has become corrupted. In fact, it should start with that! • Twice yearly reports to the Executive on the status of BCP in the organization. Do you have primary and secondary evacuation points at a suitable distance away from the building(s)? Regular reporting to the Executive on the status of BCP within the organization. The maintenance of business continuity planning program readiness. Opportunities for improvement and associated recommendations were identified to address low to moderate risks to the Department, in the areas of business impact analysis, business continuity plans and program maintenance and readiness. And you will need to be prepared for some uncomfortable conversations! The audit team took into consideration various changes related to business continuity that occurred during the conduct of this assurance engagement. Do you have a BCP/DRP? Are the fire exits clearly marked and fire procedures in place?
If you are an auditor seeking competency in reviewing or auditing a Business Continuity Management (BCM) Program within an organisation, this will be the right page to embark on your learning journey. The audit expected that the frequency for monitoring would be defined and communicated and would include how the results will be reported, who is responsible, and who will participate. This practice guide expands on Business Continuity Management … Most auditors will generate an audit checklist to ensure that no key issue is missed and that every facet of the BCP receives appropriate and proportionate consideration. The results of the audit revealed that the BCP Program is operating effectively in the area of program governance. Recommendation: The Audit and Risk Assurance Committee are asked to note the report. The audit team must therefore ensure that they develop an effective audit work program or checklist that will capture all aspects of the organization's business continuity management frameworks and policies, as well as applicable laws and regulations, to be able to perform its duties. Treasury Board, Operational Security Standard – Business Continuity Planning (BCP) Program, 2004. A business continuity plan audit is a formalized method for evaluating how business continuity processes are being managed. The scope of the audit did not include an in-depth assessment of the adequacy of BCPs to ensure … Just as a quality policy is an essential part of a QMS, a business continuity management policy is key for a business continuity program. Were you affected and did your plans help? BUILDING FACILITIES: Do you have evacuation procedures for your buildings? Audit opinion assessment scale can be found in Annex C. 9. • Regular formal plan reviews of all plans by the organization's Business Continuity Management Unit.
In addition to these document reviews, the audit team observed a department-wide table-top testing exercise and interviewed key stakeholders in the BCP Program such as the Integrity Services Branch (ISB) management and management from client branches. There are 36 specific items that the audit covers in the 11-page audit program. Business continuity plans (BCPs) should be developed by companies to document the required detailed recovery procedures and checklists to activate in the event of a major company incident, crisis and/or disaster situation. Under the business continuity planning program renewal initiative, PS is in the process of developing a new BCP based on a BIA updated in 2015. The IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management speaks to the importance of BCM, serves as a valuable reference for the key components of an effective BCM program, and provides direction for the continuity of critical IT infrastructure and business application systems during and after a crisis. Has the organization performed a Business Impact Analysis (BIA) as a part of their BCP/DR plans? Site Audit and Risk Summary for Disaster Recovery and Business Continuity: It is unlikely that any activity or system can operate in complete isolation; rather, they need to interact with other locations, data, and systems in order to be fully effective. Has the organization performed a comprehensive asset inventory and assigned business owners to all assets? Business Continuity Plan/Disaster Recovery Plan - Checklist YES NO 1. Opportunities for improvement and associated recommendations were identified to address low to moderate risks to the Department in the areas of business impact analysis, business continuity plans and program maintenance and readiness.
The purpose of this audit was to provide senior management with assurance that there was a management control framework in place for the Program and that it was aligned with the legal obligation of the Agency and in accordance with the requirements of government policies. Training programs and awareness campaigns are essential, especially in large organizations, to ensure that the plans actually work on the day when disaster strikes. Shared Services Canada Act, S.C. 2012, c. 19, s. 711, Section 6 (c) 10. An organization can either include business continuity as part of its quality management system (QMS) or make it a separate management system. BCP is an area included in the Audit process. operationalizing the Department’s BCP Program. The Disaster Recovery/Business Continuity Audit program identifies control objectives that are met by the audit program. Audit review of BCP. Audit and Risk Assurance Committee 1 Business Continuity and Disaster Recovery Audit: To provide the Audit and Risk Assurance Committee with the results of the Business Continuity and Disaster Recovery audit undertaken by GIAA. Do you regularly practice fire drills? Now is also the time to define goals and objectives for a review of the BCP and DR program. The goal of an audit is to determine whether the plan is effective and in line with the organization's objectives.