A Real-world Exploration of BC and DR Audit

Presentation transcript:

Digging Deep: A Real-world Exploration of BC and DR Audit

Agenda
- BC from a C-Level perspective
- Why is it important to conduct BC Audits?
- Real Case Study (Retail Global Company)
- Audit Planning
- Audit Methodology
- Risks, Controls and Audit Procedures
- Conclusion

Business Continuity from a C-Level perspective
Source: http://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2015/$FILE/ey-global-information-security-survey-2015.pdf

Why is it important to conduct BC Audits?

- Ensure that the Business Continuity Program is "LIVE".
- Validate that the plans are accurate and work when responding to the scenarios identified as critical for the business.
- Ensure that training and awareness sessions are performed involving all BC Program stakeholders.
- Ensure compliance with standards, best practices, and corporate and local policies.

BC program phases (with Process Improvement running across all four):
- Phase I: Framework Assessment
- Phase II: Development
- Phase III: Implementation
- Phase IV: Project Administration

Activities shown across the phases: Gap Analysis with good practices; Training; Risk Analysis; Business Continuity Strategy Development; BCM Policies; Audit, Exercises, Tests & Workshops; Business Impact Analysis; Documentation of Business Continuity Plans; BCM Program Management; Maintenance and Improvement; Audit. A continuous program must become part of the organization.

Real Case Study (Retail Global Company)

Audit Planning
The objective was to review Brazil's Business Continuity plans and provide management with an objective assessment of whether sufficient controls exist to ensure that good practices, policies and procedures were in place throughout the company. The audit scope covered the review of key controls for the high risks identified in the following processes:
1) Secure Information Repository
2) Risk Assessment
3) Business Impact Analysis
4) BC Plans
5) Training and Awareness
6) Exercises and Tests

Out of Audit Scope:
- BC program (objective, scope, framework) and policy
- Roles and Responsibilities
- Budget and Resource Allocation
- 3rd Party Analysis
- Emergency and Crisis Procedures
- Post Incident Review
- Metrics and Indicators
- Management Review

Date: 2013
Criteria: Business Continuity Global Policy
Period: 1 year before
Sample: Non-statistical

Business areas involved: Asset Protection, Legal, Compliance, Logistics, Communication, Merchandising, Finance, Replenishment, Ethics, People, Information Technology, Operations, Store

Audit Methodology

Guiding principles: focus on high-risk areas; integrated with the IT Audit; team approach and ongoing assessment of strategy; continuous communication with the auditee.

Planning Process
- Draft Project Scope
- Risk Analysis: conduct interviews and obtain an understanding of the processes; flowchart the processes and their associated risks; evaluate control strengths and weaknesses.
- Scope Definition: includes consideration of relevant processes, systems, records, personnel and physical properties, including those under the control of third parties. Focus on identifying inherent high-risk exposure.
- Opening Meeting
- Finalize Scope

Fieldwork (Perform)
- Test selected key controls: develop and execute unique test plans and communicate test results to the customer.
- Interim Communications
- Findings
- Hold "In-Fact" Meeting: discuss audit observations and test results, reach consensus on cause and impact, and recommend corrective action.
- Draft Report

Follow-up (FUP)
- Assess that actions to mitigate the risk exposure observed in Internal Audit reviews are implemented in a timely and effective manner.
- Provide CEO/CFO scorecards with the status of action plans and upcoming or past-due implementation dates.

Example Risks, Controls and Audit Procedures
1) Secure Information Repository

Risks:
- Documentation illegibility
- Leakage of restricted information
- Use of obsolete information
- Information theft

Control (Expected): There are automated controls implemented to keep the documentation (BCPs, DR, Risk Assessments, BIAs, Training, Test results, presentations, meeting notes), including distribution, access, storage and preservation, retrieval, control of changes, preservation of legibility, prevention of the unintended use of obsolete information, and retention and disposal procedures.

Example Risks, Controls and Audit Procedures
1) Secure Information Repository

Audit Procedure: Schedule an on-site visit to verify whether the automated control implemented is a secure repository solution that keeps the BC documentation, including but not limited to:
a) Distribution and Access Control;
b) Control of Changes;
c) Preservation of legibility and retrieval;
d) Prevention of the unintended use of obsolete information;
e) Retention and disposal period established.
Obtain screenshots of the automated tool and the formal procedures to ensure that the controls above are implemented.

Example Risks, Controls and Audit Procedures
2) Risk Assessment

Risks:
- Lack of knowledge and management of disruption risks
- Risk assessment inconsistent with the company's risk appetite and recovery objectives
- Inappropriate risk treatment and follow-up management

Control (Expected): There is a formal and documented risk assessment process to identify risks of disruption to business functions and resources, systematically analyze risk, evaluate which disruption-related risks require treatment, and identify treatments commensurate with emergency management and recovery objectives in accordance with the company's risk appetite.

Example Risks, Controls and Audit Procedures
2) Risk Assessment

Audit Procedure:
1) Obtain the Risk Assessment methodology and the qualitative/quantitative criteria it is based on.
2) Obtain the last Risk Assessment report.
3) Obtain the meeting notes of the Risk Assessment results presentation to the Executive Board.
4) Verify that the Risk Assessment complies with the BC global policy and includes:
a) threats and vulnerabilities (risks evaluated) that could lead to a disruption of critical business functions and resources;
b) impacts that would arise if an identified threat becomes an incident and causes a business disruption;
c) risk treatments and action plans for each threat and vulnerability, commensurate with emergency management and recovery objectives in accordance with the company's risk appetite.

Example Risks, Controls and Audit Procedures
3) Business Impact Analysis

Risks:
- Documentation illegibility
- Leakage of restricted information
- Use of obsolete information

Control (Expected): There is a formal and implemented methodology, with questionnaires, for determining continuity and recovery priorities, objectives and targets. The BIA report includes:
i. Critical business functions and resources that support the execution of business processes, assessing the impacts over time of not performing these functions;
ii. Prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable.

Example Risks, Controls and Audit Procedures
3) Business Impact Analysis

Audit Procedure:
1) Obtain the latest version of the BIA methodology approved by executive management, including the criteria used to quantify and qualify customer, financial, regulatory, operational, reputational and human impacts.
2) Obtain the BIA questionnaires used in the last year for each business area interviewed, and the final report of results.
3) Obtain the meeting notes of the BIA results presentation to the Executive Board in the last year.

Example Risks, Controls and Audit Procedures
3) Business Impact Analysis

Audit Procedure:
4) Analyze whether the BIA documentation complies with the BC global policy and includes, but is not limited to:
a) impacts of disruption to the activities that support in-scope business processes, key products, IT systems and services;
b) business functions and resources that support the execution of business processes and IT systems, assessing the impacts over time of not performing them;
c) timeframes for resuming the business functions at a specified minimum acceptable level, with the time period after the start of a disruption within which each activity needs to be resumed having been identified;
d) RTO and RPO for each process;
e) all interdependencies relevant to the critical functions, activities or IT systems;
f) suppliers and outsourcers on whom critical functions or activities depend;
g) minimum resources (people, technology, physical space, equipment, records).
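Beyond checking that items c) through g) are present, an auditor can test a BIA result set for internal consistency: each process's RTO must fall inside the window before impacts become unacceptable, every listed dependency must itself have a BIA record, and nothing can be expected back before the process it depends on. The script below is an added example with constructed sample records, not material from the original presentation or from any real audit; the field names and finding codes are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class BiaRecord:
    """One BIA result row, with the fields items c) to g) ask for (assumed names)."""
    process: str
    rto_hours: float            # Recovery Time Objective (item d)
    rpo_hours: float            # Recovery Point Objective (item d)
    mtpd_hours: float           # time after which impacts become unacceptable (item c)
    depends_on: list[str] = field(default_factory=list)         # interdependencies (item e)
    suppliers: list[str] = field(default_factory=list)          # external dependencies (item f)
    min_resources: dict[str, int] = field(default_factory=dict)  # minimum resources (item g)


def check_bia(records: list[BiaRecord]) -> list[tuple[str, str]]:
    """Return (process, finding code) pairs; an empty list means no inconsistency found."""
    by_name = {r.process: r for r in records}
    findings: list[tuple[str, str]] = []
    for r in records:
        # The recovery target must sit inside the tolerable outage window.
        if r.rto_hours > r.mtpd_hours:
            findings.append((r.process, "RTO_EXCEEDS_MTPD"))
        # Missing or zero objectives mean the BIA never set a target.
        if r.rto_hours <= 0 or r.rpo_hours <= 0:
            findings.append((r.process, "MISSING_RTO_OR_RPO"))
        if not r.min_resources:
            findings.append((r.process, "NO_MINIMUM_RESOURCES"))
        for dep in r.depends_on:
            upstream = by_name.get(dep)
            if upstream is None:
                # A dependency without its own BIA record is an unanalysed gap.
                findings.append((r.process, f"UNANALYSED_DEPENDENCY:{dep}"))
            elif upstream.rto_hours > r.rto_hours:
                # A process cannot be recovered before something it depends on.
                findings.append((r.process, f"DEPENDENCY_RTO_TOO_LONG:{dep}"))
    return findings


# Constructed sample records for illustration only.
SAMPLE = [
    BiaRecord("Store POS", rto_hours=4, rpo_hours=1, mtpd_hours=8,
              depends_on=["Payment Gateway"], suppliers=["Card acquirer"],
              min_resources={"POS terminals": 20, "staff": 6}),
    BiaRecord("Payment Gateway", rto_hours=12, rpo_hours=0.5, mtpd_hours=24,
              min_resources={"servers": 2}),
    BiaRecord("Replenishment", rto_hours=48, rpo_hours=24, mtpd_hours=24,
              depends_on=["Warehouse Mgmt"]),
]

if __name__ == "__main__":
    for process, finding in check_bia(SAMPLE):
        print(f"{process}: {finding}")
```

On the sample data this flags the POS-to-gateway RTO mismatch, Replenishment's RTO exceeding its tolerable outage window, its missing minimum resources, and its dependency on a process that has no BIA of its own.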

Example Risks, Controls and Audit Procedures
4) Business Continuity Plans

Risks:
- Business disruption
- Unavailability of the IT environment and IT processing services
- Damage to the company's image
- Customer dissatisfaction
- Compromised ability to completely and timely recover business operations

Control (Expected): There are Brazil business unit continuity strategy options (with selection influenced by a cost-benefit analysis) and plans in place to enable recovery based on the outputs from the BIA and the risk assessment. In addition, there is a strategy to make available the IT services upon which business activities depend. Solutions are required which ensure the availability of applications within specific timeframes. Technology platforms and application software are in place within those timescales. The data continuity solution is designed to meet management-approved Recovery Point Objectives (RPO).

Example Risks, Controls and Audit Procedures
4) Business Continuity Plans

Audit Procedure:
1) Obtain the latest version of the Brazil Business Unit Continuity Plans.
2) Verify that the BC Plans include the recovery strategy options (Data Center, Call Center, DCs, people sites) selected after the cost-benefit analysis and based on the outputs from the BIA and Risk Assessment results, in order to protect prioritized functions; stabilize, continue, resume and recover prioritized functions and their dependencies and resources; and mitigate, respond to and manage impacts.
3) Verify that the IT DR Plan includes, but is not limited to:
a) Strategy determinations reviewed and updated after major technology changes;
b) Infrastructure- and application-oriented plans with procedures focused on the recovery of information technology assets, based on management-approved IT disaster recovery strategies.

Example Risks, Controls and Audit Procedures
4) Business Continuity Plans

Audit Procedure:
4) Verify that the Business Unit Continuity Plans include:
a) Purpose, objectives and scope;
b) Primary and secondary owner and their roles/responsibilities;
c) Activation criteria and procedures;
d) Communication requirements and procedures;
e) Internal and external interdependencies and interactions;
f) Resource requirements;
g) Information flow and documentation process;
h) Functions that must be maintained;
i) Critical and time-sensitive applications;
j) Alternative work site addresses for people;
l) Vital records;
m) Contact lists of critical suppliers and BC recovery teams;
n) Standard recovery procedures (IT environment and/or manual workaround).

Example Risks, Controls and Audit Procedures
5) Training and Awareness

Risks:
- Inadequate activities performed in response during an event
- Inability to measure the effectiveness of the training activities in place

Control (Expected): There is a BC training and awareness program implemented. The goal is to create awareness and enhance the knowledge, skills and abilities required to implement, support and maintain the program. The scope and frequency of instruction are identified. All employees are trained to the level of their involvement and take a simple test/exam at the end of each training session. Records of training and education are maintained in a secure repository.

Example Risks, Controls and Audit Procedures
5) Training and Awareness

Audit Procedure:
1) Obtain the training and awareness program.
2) Verify that the training program includes, but is not limited to:
a) Identification of stakeholder groups with their associated training/awareness needs;
b) Management-approved training/awareness methods, tools and materials;
c) Scheduling and execution of frequent training/awareness activities and content.
3) Obtain the attendance lists of the BC training sessions of the last year, including the records of all staff according to the audience described in the program document.
4) Obtain the test/exam results completed by those on the attendance lists.

Example Risks, Controls and Audit Procedures
6) Exercises and Tests

Risks:
- BC Plans do not work during a real scenario/crisis
- Inability to promote continual improvement without lessons learned

Control (Expected): There are exercise/test procedures and strategies consistent with the BC global policy objectives. Exercises and tabletops are designed to evaluate plans, procedures and capabilities, and they are based on appropriate scenarios (with defined aims and objectives). There are formalized post-exercise reports, reviewed within the context of promoting continual improvement. At a minimum, an annual simulation and a tabletop exercise are conducted for the business continuity plans and the IT DR plan.

Example Risks, Controls and Audit Procedures
6) Exercises and Tests

Audit Procedure:
1) Obtain the exercises and tests program and procedures and verify that they include, but are not limited to:
a) Exercise plans and materials, consistent with the scope of the program;
b) Scheduled, executed exercise sessions, consistent with the scope of the program;
c) Exercise summary reporting, consistent with the scope of the program;
d) Post-incident reporting documenting the activation of plans and corrective actions.
2) Obtain the latest annual simulation and tabletop exercise report conducted with the business continuity leaders, and the meeting notes of the presentation of summary results to the executive management team.

Conclusion
Management should take immediate action to strengthen the controls surrounding the Business Continuity Plans. The deficiencies noted increased the exposure to unavailability of the IT environment and, consequently, to a business interruption, which could ultimately lead to competitive disadvantage and damage to the company's public image.

Overall Report Rating: Unsatisfactory. Requires immediate management action to address the significant issues identified and mitigate risks to levels appropriate for the business.

Business Continuity and Emergency Management has always been part of the company's culture. The founder laid the groundwork for the principles that still guide the way the company responds to a crisis of any type:
- Associates
- Operations
- Community
"Take care of your associates, and they will take care of your operation, and the operation will take care of the community."

Send me your questions !!

Question: What happened after the global audit program?
Until 2014 the enterprise continuity team had completed, around the world:
- 225 BIAs
- 218 Business Continuity Plans through the global BC program
- Awareness and training session programs
- Different BC exercises with the operational and crisis teams

Thank you !!!
Contacts: Silvio Pezzo, @pezzosi1, silvio.pezzo@br.ey.com, São Paulo, Brazil