Relationship Development Between Business Continuity Planning and Audit
During preparations for potential Y2K disasters, the internal auditing and business continuity planning functions of many organizations developed a closer relationship. In some cases, they began working together for the first time. The potential for serious Y2K problems motivated many organizations to focus on risks and to develop, document, and exercise solutions. Organizations that had never adequately addressed potential operating impacts hired business continuity planning consultants and managers to coordinate the process. Industries overseen by regulators (banking, insurance, government agencies, etc.) dealt with new and heightened regulatory requirements. In many organizations, internal audit was charged by executive management with internal oversight of the process, working with business continuity planning to ensure that all critical business functions assessed their risks, engineered solutions, built business continuity plans, and adequately exercised those plans.
The experience was an eye-opener for all involved. Internal auditing, which previously typically had limited its business continuity audits to verifying that plans existed and were exercised for critical technology and systems, often found itself coordinating an effort that required knowledge and experience that it did not have. The same was true for external and regulatory auditors. Business continuity planners found they needed to educate auditors on basic industry principles and best practices. The knowledge gap is understandable. Internal auditing writings tend to focus on information systems and technology recoverability and neglect business function continuity and the need to address potential disasters and outages from a business process perspective. Lawrence B. Sawyer’s book, “Sawyer’s Internal Auditing,” for example, devotes less than five pages to the subject, titling it with the dated “Contingency Planning/Disaster Recovery” label. Its discussion of exercises concentrates entirely on systems recovery.
Business continuity planning’s newfound momentum and visibility are increasing again in the post-9/11 business world, as organizations face potential geopolitical threats and leverage the readiness they created to apply to traditional disaster and severe outage situations. Executive management and boards of directors are committed to continued focus on preparedness for potential impacts that can result in lost revenue, profits, and market share, customer dissatisfaction, and business vulnerability and shutdown. As a result, the relationships created between business continuity planners and internal auditors continue to evolve.
The Evolutions of Internal Auditing and Business Continuity Planning
Auditing is a mature profession that dates back to at least 3500 B.C., and has been an integral part of the business world since that time. Modern internal auditing began in the 1930s, as railroads, financial institutions, and manufacturers dealing with increased organizational complexity and a war economy developed internal auditing programs to provide independent verification of operations and financial statements. Internal auditing’s function is to furnish managers throughout the organization with information needed to effectively discharge their responsibilities. It also acts as an independent appraisal activity to review operations by measuring and evaluating the adequacy of controls and the efficiency and effectiveness of performance.
Business Continuity Planning
Business continuity planning began as “disaster recovery,” a term that originally referred primarily to the need for recoverability of mainframe equipment and sites. As organizations’ dependence on automation grew, and the ability to recover that automation improved, the focus began to shift to improving detailed planning to ensure that recoverability – hence the term “contingency planning.” Use of terms like “risk assessment,” “business impact analysis,” and “contingency plan” evolved as industry analysis and documentation tools evolved.
As companies merged and consolidated, typically putting many eggs in relatively few baskets, the terminology changed to “business continuity planning.” The emphasis changed from “planning” for a disaster to “being prepared” for it, often with solutions involving “fail over” or automatically recovered systems that allow critical business functions to continue with minimum impact.
Will the terminology and the industry continue to evolve? It appears so. At the DRJ Spring World 2000 conference, three major industry vendors eloquently agreed that the trend in the organizations of their major customers is toward the concept of “mission protection.”
Companies no longer consider themselves prepared if their exercises prove they are recoverable in the traditional 24-hour, 48-hour, or 72-hour timeframes. In today’s eCommerce environment, a company can fail or incur severe injury within hours, and reduction of that risk is a fiduciary responsibility.
Organizations increasingly mandate that the ultimate goal for critical business functions and technology is continuous operations, with the ability to quickly (in some cases, instantaneously!) shift critical work and customer support to alternate sites or back-up processes.
What does this mean to the business continuity planning process and the exercises that validate it?
Recovery strategies must focus on business processes rather than the technology components of those processes. Business continuity planning is no longer just a data center issue.
For example, a company might successfully recover its application systems only to find that people who use or support those systems are affected by the disaster and unavailable, data related to work-in-process since the last backup is lost and cannot be recreated, or the system backups were timed so that synchronization is difficult or impossible.
The Direction of the Internal Auditing/Business Continuity Planning Relationship
Increasing organizational complexity and the integration of technology into business processes have dramatically increased the importance of internal auditing and business continuity planning functions over the last 30 years.
The scope of both functions spans all aspects of the organization and requires an in-depth knowledge and understanding of organizational objectives and key business functions. Companies increasingly are structuring their end-to-end processes across traditional departmental lines.
Often, relatively few people in a large organization have a “bird’s eye view” and understand trans-departmental processes from beginning to end.
This is an important risk, because all business processes of an organization must be recoverable – eventually, if not immediately. (If any business function is deemed unnecessary to be recovered, it should be analyzed, and, potentially, eliminated!)
Business continuity planning coordinates the establishment of that recoverability, including the exercises that validate it and expose risk, single points of failure, etc. Business continuity planning needs internal auditing’s leverage to assist in elevating issues to the attention of senior management (and the board of directors, if they are severe), so that resources and support are allocated to address deficiencies.
How Can Audit Contribute to the Success of the Business Continuity Program?
“Sawyer’s Internal Auditing” advocates that the internal auditor observe the off-site testing process. In fact, the organization benefits if internal auditing is involved throughout the entire business continuity process, culminating in the exercises that validate business continuity strategies.
Achieve a Common Understanding
On an ongoing basis, internal auditing and business continuity planning professionals can work together to achieve a common understanding of industry principles and best practices. Opportunities include:
• Business continuity and internal auditing in-house joint training sessions
• Industry conferences and classes
Work Together to Promote the Business Continuity Program
With the common foundation outlined above, internal auditing and business continuity can work jointly to recommend business continuity objectives, standards, and requirements for the organization, including:
• When internal auditing performs its departmental audits, it should support the organization’s business continuity program by reviewing risk assessments, business impact analyses, existence and adequacy of business continuity plans, backups, off-site storage, exercises, and exercise documentation.
• Management has the option to assume risk rather than spend the resources to mitigate it, but should be able to quantify and justify the decision.
• The operational responsibility for recovery (verified by exercises) is with business functions and support areas (e.g. computer operations).
• The organization should support exercises as learning experiences. An exercise is not a “fault-finding” activity. Mistakes are inevitable, and issues are indications that the exercise drills deep enough to uncover potential problems.
• Exercises should be required at least annually (or after significant organizational change) to ensure that recovery strategies work, business continuity plans are correctly and completely documented, and staff are trained to execute recovery solutions. Internal auditing, senior management, and business continuity planning should work together to enforce this requirement.
• Actual disaster or severe outage situations are the best exercises and should be leveraged as exercises. A post mortem should be conducted following each one. Often, after a disaster, everyone wants to move on and get back to normal. Important “lessons learned” aren’t worked through, and changes in documentation and procedures don’t get made.
• The organization is responsible to its customers, shareholders, and regulatory agencies for recoverability of business functions and systems that are outsourced to vendors. Typically, organizations don’t closely monitor vendor recoverability. Internal auditing can help to make the case to executive management that business continuity planning should be responsible for coordinating fulfillment of this fiduciary responsibility by reviewing vendor recovery solutions and business continuity documentation, observing exercises, and verifying that service guarantees and legal or regulatory requirements can be met by the vendor in a disaster or severe outage situation.
Assist In Formulating, Enforcing Exercise Standards and Criteria
During the planning stages for an exercise, internal auditing can provide meaningful support in the following ways:
• Attend key planning meetings. If time is limited, then the auditor should review minutes and other documentation, and provide recommendations.
• Assist, if necessary, in obtaining cooperation and participation from all groups that should be involved (application systems support, users for exercising recovery of systems, etc.).
• Provide input into the development of clear, measurable, and attainable objectives that are aggressive but realistic.
• Provide feedback when the scope of the exercise is being established. For example, it is often difficult (and sometimes dangerous) to mirror production. However, a superficial exercise that does not test worst-case scenarios (e.g. those that require application of incremental backups and synchronization of applications) does not test the necessary level of risk. Very few organizations have exercised full recovery of their data, ability to conduct processing cycles on recovered systems, and reconciliation of the results. The level of exposure in large organizations is frightening.
• Provide input into exercise issues. For example, a typical issue deals with whether systems will be recovered with current or “disaster” time. Conflicts may arise if backups are several days old and the recovered system uses current time. On the other hand, there are obvious issues with setting the recovered system time to a time in the past.
• Assist in evaluating artificialities. Sometimes, special equipment, procedures, or conditions are necessary to conduct an exercise but exist only for the purpose of the exercise and would not be used in an actual disaster situation. Artificialities and assumptions may compromise exercise results.
• Verify that the exercise type selected is appropriate for the business function or system being tested. The range of exercise types includes desk check, walk-through, simulation, live, and integrated. A partial (e.g. connectivity test) exercise is sometimes appropriate as a pre-test.
Attend and Monitor Exercises
Internal auditing adds value by attending exercises. Monitoring activities include:
• Observe the verification of call lists for completeness and accuracy. In a disaster or severe outage situation, the most important response is to gather the right people together quickly to make critical decisions and jumpstart the recovery process.
• Verify that alternate/recovery site equipment is operable and meets recovery requirements.
• Verify that the files restored correlate with the files at the time of the disaster.
• Verify that system connectivity and access meet recovery requirements as documented in the business continuity plan.
• Monitor to ensure that issues are being addressed and not minimized or dismissed. For example, if a business function representative is responsible for verifying balances, activity, etc., ensure that the activity is performed and that results/issues are documented. During an exercise, business continuity planning personnel typically are busy coordinating the exercise and resolution of issues. Audit’s involvement in monitoring and evaluating the recovery and verification process fills a gap.
• Assess exercise schedules and task lists. With monitoring, inappropriate shortcuts are less likely to occur (e.g. copying over a live mainframe file from production during the exercise to replace one that couldn’t be recovered).
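Two of the checks listed above (that restored files correlate with the files at the time of the disaster, and that nobody quietly copies a live production file over one that failed to restore) are mechanical enough to script. The following is an added example, not part of the original article or any product it mentions: a backup manifest (relative path, size, SHA-256) is recorded when the backup is taken, and the restored tree is compared against it, reporting missing, modified and unexpected files and the age of the backup relative to the declared disaster time and an agreed recovery point objective (RPO). The manifest layout, function names and the constructed three-file scenario in `demo()` are all assumptions made for the example.

```python
"""Verify a restored file set against the manifest recorded at backup time,
and flag when the backup is older than the agreed RPO.
Constructed example; manifest format and function names are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, taken_at):
    """Record relative path, size and digest of every file under root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"size": os.path.getsize(full), "sha256": sha256_of(full)}
    return {"taken_at": taken_at.isoformat(), "files": files}


def verify_restore(manifest, restored_root, disaster_time, rpo):
    """Compare the restored tree with the manifest and report every deviation.
    missing  : recorded in the manifest, absent after the restore
    modified : present but its digest differs from what was backed up
    extra    : present after the restore but never in the manifest (for
               example a file copied in from production to cover a failed restore)
    Backup age is measured from manifest time to the declared disaster time."""
    restored = build_manifest(restored_root, disaster_time)["files"]
    expected = manifest["files"]
    missing = sorted(p for p in expected if p not in restored)
    modified = sorted(p for p in expected
                      if p in restored and restored[p]["sha256"] != expected[p]["sha256"])
    extra = sorted(p for p in restored if p not in expected)
    age = disaster_time - datetime.fromisoformat(manifest["taken_at"])
    return {
        "matched": len(expected) - len(missing) - len(modified),
        "missing": missing,
        "modified": modified,
        "extra": extra,
        "backup_age_hours": age.total_seconds() / 3600,
        "rpo_exceeded": age > rpo,
        "passed": not (missing or modified or extra) and age <= rpo,
    }


def demo():
    """Constructed scenario: three files are backed up; the restore loses one,
    one carries post-backup work, and an operator drops in a file that was
    never part of the backup. The backup is 59 hours old against a 24-hour RPO."""
    work = tempfile.mkdtemp(prefix="bcp-demo-")
    try:
        src = os.path.join(work, "production")
        dst = os.path.join(work, "restored")
        os.makedirs(os.path.join(src, "ledger"))
        for rel, data in (("ledger/gl.dat", b"balance=100\n"),
                          ("ledger/ap.dat", b"payables=42\n"),
                          ("config.ini", b"[site]\nprimary=1\n")):
            with open(os.path.join(src, rel), "wb") as fh:
                fh.write(data)
        backup_time = datetime(2003, 3, 1, 22, 0, tzinfo=timezone.utc)
        manifest = build_manifest(src, backup_time)

        shutil.copytree(src, dst)
        os.remove(os.path.join(dst, "ledger", "ap.dat"))        # lost in the restore
        with open(os.path.join(dst, "ledger", "gl.dat"), "ab") as fh:
            fh.write(b"balance=120\n")                            # work done after the backup
        with open(os.path.join(dst, "hotfix.dat"), "wb") as fh:
            fh.write(b"copied from prod\n")                       # shortcut taken during the exercise

        disaster_time = datetime(2003, 3, 4, 9, 0, tzinfo=timezone.utc)
        return verify_restore(manifest, dst, disaster_time, rpo=timedelta(hours=24))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run stand-alone, the script prints the report for the constructed scenario: one file matched, `ledger/ap.dat` missing, `ledger/gl.dat` modified, `hotfix.dat` unexpected, and the RPO exceeded. In an exercise the manifest would be generated on the production side when the backup is taken and carried to the recovery site with the media, so the comparison does not depend on anything the restore itself produced; the `extra` list is what makes the "copied over from production" shortcut visible to the observer.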
Verify Successful Completion of Post-Exercise Activities
Internal auditing can provide important support following an exercise as follows:
• Ensure that required post-exercise activities are completed.
• Monitor the status of issues resolution. Assist business continuity planning and business functions in making the case to senior management for resources needed to provide critical recovery solutions.
• Follow up through normal departmental audits by reviewing exercise reports and issues documentation to ensure that issues have been resolved and resulting changes are documented in business continuity plans and normal working procedures.
• Provide feedback to business continuity planning following key exercises.
• Involve business continuity planning in pertinent discussions with external audit and regulators. This requires that audit and business continuity share a common understanding of the business continuity planning industry and its best practices, as well as of the internal status of the business continuity program and its activities.
The internal auditing and business continuity planning professions continue to evolve, driven by technology innovations, changes in business principles and practices, and dynamic threats to organizations and their external environments. The relationships between the two functions also continue to grow and mature, fueled by the need for organizations to be confident that they can survive disasters and major outages. To the extent that internal auditing and business continuity planning can complement and cooperate with each other, organizational preparedness for potential business impacts will improve dramatically.
Terri Kirchner, MBCP, CCP, is an IT consultant with Keane, Inc. She has 12 years of business continuity experience and is a member of the Disaster Recovery Journal Editorial Advisory Board. She welcomes comments and questions regarding this article and can be reached at firstname.lastname@example.org.
Douglas Ziegenfuss, PhD, CIA, CISA, is chairman of the accounting department of Old Dominion University in Norfolk, Va. His areas of expertise include operational, fraud, and information technology auditing, and he regularly publishes and gives presentations on audit management, fraud, and audit quality issues.