Posted by: Robert Davis
BCP audits normally have an organizational focus. ‘Organizational-based’ BCP audits examine deployed frameworks, managerial issues, and departmental activities. However, if the IT auditor discovers during ‘organizational-based’ planning that a BCP framework is not deployed, the audit planner should consider using the COBIT Deliver and Support domain processes “Ensure Continuous Service,” “Manage Service Desk and Incidents,” and “Manage Problems” as baselines for setting detail objectives. Partly reflecting these three COBIT processes, availability, compliance, effectiveness, and efficiency are the primary information criteria for BCP, while confidentiality, integrity, and reliability should be considered secondary information criteria, even when other audit measurement standards are included within the audit ambit.
“View Part I of the Auditing Business Continuity and Disaster Recovery series here”