December 2, 2011 8:53 PM
Posted by: Robert Davis
Tags: BCP, Business Continuity, Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Crisis Management, Disaster Recovery, DRP, IT Audit

The IT auditor’s primary purpose, when auditing business continuity and/or disaster recovery, should be to identify, document, test, evaluate, and report on the controls, and the associated risks, of the entity’s BCP and/or DRP processes from an IT perspective, as implemented by the entity, against the relevant control objectives, both primary and secondary.

The BCP assurance process can be a stand-alone audit area examination or an auditable unit examined within every IT function audit undertaken. During IT audit planning, all or segments of the entity’s deployed BCP-related frameworks may be selected as auditable units. Furthermore, BCP audits may cross divisional, functional, or departmental boundaries.
(See Part I of the Auditing Business Continuity and Disaster Recovery series.)
November 29, 2011 8:44 PM
Posted by: Robert Davis
Tags: BCP, Business Continuity, Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Crisis Management, Disaster Recovery, DRP, IT Audit

Although they are often referred to collectively as disaster recovery plans, controls to ensure service continuity should address the entire range of potential disruptions: relatively minor interruptions, such as temporary power failures; major disasters, such as fires or natural disasters, that require reestablishing operations at a remote location; and operational errors, such as overwriting a critical file. If controls are inadequate, even a relatively minor interruption can result in lost or incorrectly processed data, which in turn can cause financial losses, expensive recovery efforts, and inaccurate or incomplete information. For some operations, such as those involving health care or safety, system interruptions can also result in injury or loss of life.
(See Part I of the Auditing Business Continuity and Disaster Recovery series.)
November 25, 2011 8:41 PM
Posted by: Robert Davis
Tags: BCP, Business Continuity, Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Crisis Management, Disaster Recovery, DRP, IT Audit

As with a business continuity plan (BCP), a disaster recovery plan (DRP) sets out a consistent set of actions to be undertaken before, during, and after a disaster. A sound DRP is built from a comprehensive planning system that involves all of the entity’s business processes. Disaster recovery strategies, and the planning activities that support them, include but are not limited to:
disaster insurance
reciprocal agreements
redundant data centers
the use of alternate sites
telecommunication links
business impact analyses
legal liability assessments
(See Part I of the Auditing Business Continuity and Disaster Recovery series.)
November 22, 2011 9:07 PM
Posted by: Robert Davis
Tags: BCP, Business Continuity, Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Crisis Management, Disaster Recovery, DRP, IT Audit

For most professionals, business continuity planning refers to the process of developing advance arrangements and procedures that enable an entity to respond to service interruptions in such a way that critical business functions continue at projected levels. In other words, business continuity planning is the act of proactively devising a method to prevent, where possible, and to manage, where necessary, the consequences of a disaster, while limiting those consequences to a level the entity can absorb. As a result, business continuity planning appears on most top-ten governance lists of strategic entity issues, even though it often ranks in the lower half of those lists.
(See Part I of the Auditing Business Continuity and Disaster Recovery series.)
November 18, 2011 9:00 PM
Posted by: Robert Davis
Tags: BCP, Business Continuity, Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, Crisis Management, Disaster Recovery, DRP, IT Audit

After a catastrophic incident or event, losing the capability to process, retrieve, and protect electronically maintained information can significantly affect an entity’s ability to accomplish its mission. For this reason, an entity should have (1) controls in place to protect information assets and minimize the risk of unplanned interruptions, and (2) a plan to recover critical operations should interruptions occur. These plans should consider the activities performed at general support facilities, such as data processing centers and telecommunications facilities, as well as the activities performed by the users of specific resources.
November 15, 2011 9:40 PM
Posted by: Robert Davis
Tags: Administrative Control, Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, External Control, IAP, Information Assets Protection, Information Security Governance, Internal Control, ISG, IT Audit

Scanning the control environment to produce a viable IT audit plan is fundamental to IT audit planning. The primary consideration regarding the control environment’s operating style is IT auditability: as in most audit situations, verifiability depends heavily on auditability. Auditability should therefore be considered before integrated IT processes are deployed; in other words, it should be designed into the IT processes themselves and into the information those processes supply to the audited areas. Consequently, the degree of auditability can assist or hinder an IT assurance effort, or even force a planned audit to be postponed.
(See Part I of the Auditing Information Assets Protection series.)
November 11, 2011 9:08 PM
Posted by: Robert Davis
Tags: Administrative Control, Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, External Control, IAP, Information Assets Protection, Information Security Governance, Internal Control, ISG, IT Audit

The primary drivers for IAP audit planning are verifying that safeguards exist, that they are adequate, and that the related risks are managed. However, as with standard IT audits, an understanding of the general control environment, the information systems, and the control procedures should be obtained during engagement planning to comply with ISACA’s assurance standards and guidelines as well as other applicable attestation, audit, accounting, and IT standards. Neglecting adherence to standardized professional practices can result in unsupportable audit opinions.
(See Part I of the Auditing Information Assets Protection series.)
November 8, 2011 8:45 PM
Posted by: Robert Davis
Tags: Administrative Control, Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, External Control, IAP, Information Assets Protection, Information Security Governance, Internal Control, ISG, IT Audit

Alternatively, IAP may fall within the ambit of other IT audit areas. Under these circumstances, a ‘functional-based’, ‘application-based’, or ‘compliance-based’ examination may be appropriate. ‘Functional-based’ audits address identified processes as auditable units; these can include goals and objectives, ownership, repeatability, as well as roles and responsibilities. ‘Application-based’ audits address identified areas where IT is applied to complete a task; these can accommodate completeness, accuracy, validity, authorization, and segregation of duties. Lastly, ‘compliance-based’ audits address adherence to externally and internally imposed entity requirements, which can encompass national laws and regulations as well as standards.
(See Part I of the Auditing Information Assets Protection series.)
November 4, 2011 8:23 PM
Posted by: Robert Davis
Tags: Administrative Control, Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, External Control, IAP, Information Assets Protection, Information Security Governance, Internal Control, ISG, IT Audit

Reflecting the COBIT “Ensure Systems Security” process, confidentiality and integrity are the primary information criteria for IAP, while availability, compliance, and reliability are considered secondary information criteria, even when other audit measurement standards are included within the audit ambit. For instance, information privacy may be within the IAP audit ambit and considered a material or significant auditable unit. However, although compliance and effectiveness are the primary information criteria for privacy, they should still remain secondary for the IAP audit as a whole if other distinct auditable units are identified.

Similar to IT governance assurance services, IAP can be a stand-alone audit area examination or an auditable unit examined within every IT function audit undertaken. During IT audit planning, all or segments of an entity’s deployed IAP-related frameworks may be selected as auditable units. Furthermore, IAP audits may cross geographical, divisional, functional, or departmental boundaries.
(See Part I of the Auditing Information Assets Protection series.)