Audit of Business Continuity Management [BCM]
Inadequate Business Continuity provisions can result in an inability to execute critical processes, leading to a loss of credibility with the community and business partners, infringement of regulatory requirements, financial losses, loss of controls, and breach of fiduciary duties.
An Audit or Review of Business Continuity Plans [BCPs] provides assurance that they meet the required standards. Where areas of shortfall are identified, organisations are then in a position to address them.
Audits are conducted in a variety of circumstances. The following are among the parties that request them:
- Government regulators
- Major clients
- Business partners
- The Board
- Audit Committees
- Senior Management
Australian Prudential Regulation Authority [APRA] Prudential Standard
APRA considers that BCP increases resilience to business disruption caused by unplanned events and reduces the impact on operations, reputation, profitability, clients and other stakeholders. APRA has published a Prudential Standard for Business Continuity Management to assist organisations in this regard.
This standard provides a structured framework for addressing BCM on an organisation-wide basis, so as to ensure that organisations have made appropriate Business Continuity Planning provisions.
This Prudential Standard is now in effect and regulated organisations are required to identify areas of non-compliance with the standard and to provide APRA with a rectification plan and timetable.
This Audit will provide the Board, its Audit Committee or Senior Management with assurance that the BCP is in compliance with the APRA Prudential Standard. Where areas of shortfall exist, these will be identified and appropriate recommendations made.
Australian and International Standards
As required, the Audit may incorporate the use of Australian and international standards such as:
- AS/NZS 4360 (Risk Management) and handbook HB 221:2003 Business Continuity Management
- AS/NZS 7799.2:2003 (Information Security Management Systems)
Best Practice
An Audit against BCP best-practice checklists provides assurance that sound BCP principles and standards are in place. This approach also incorporates adherence to current BCP standards.
Scope
The scope of the Audit may include the following:
- Business Impact Analysis, or Business Requirement documentation
- Recovery Strategy documentation
- Policy
- Scope and Limitations
- BCP documentation
- Off-site data security procedures and records
- BCP testing records
- Contractual records
- Any relevant correspondence
Interviews will be conducted with relevant personnel, such as:
- Members of the Business Continuity Team
- Management
- External parties as appropriate
Visits will be made to relevant facilities, such as:
- Relevant locations within the organisation
- Recovery Sites
Audit Plan
At the commencement of the project an Audit Plan will be agreed. The major steps in this plan will include:
- Agreement as to the Scope
- Detailed review of the documentation
- Identification and interview of relevant personnel
- Agenda preparation for the relevant personnel
- Any external visits that are considered necessary
- Preparation of the Audit report
Deliverables
A BCP Audit report will be produced that will include some or all of the following:
- Management Summary
- Recommendations as to compliance with regulatory requirements
- Recommendations as to compliance with best practice
- Analysis Detail
- Report on compliance with regulatory requirements
- Report on the current BCP provisions
- Report on the current BCP documentation
- Report on the current Business Continuity Team
- Report on the current testing arrangements
- Any other advice that may be considered to be helpful