Inadequate Business Continuity provisions can result in an inability to execute critical processes leading to a loss of credibility with the community and business partners, infringement of regulatory requirements, financial losses, loss of controls, and breach of fiduciary duties.
Audit or Review of Business Continuity Plans [BCPs] provides assurance that they meet the required standards. Where areas of shortfall are identified, organisations are then in a position to address them.
Audits are conducted in a variety of circumstances. The following are among the parties that request them:
- Government regulators
- Major clients
- Business partners
- The Board
- Audit Committees
- Senior Management
Australian Prudential Regulation Authority [APRA] Prudential Standard
APRA considers that BCP increases resilience to business disruption caused by unplanned events and reduces the impact on operations, reputation, profitability, clients and other stakeholders. APRA has published a Prudential Standard for Business Continuity Management so as to assist organisations in this regard.
This standard provides a structured framework for addressing BCM on an organisation-wide basis so as to ensure that that organisations have made appropriate Business Continuity Planning provisions.
This Prudential Standard is now in effect and regulated organisations are required to identify areas of non-compliance with the standard and to provide APRA with a rectification plan and timetable.
This Audit will provide the Board, its Audit Committee or Senior Management with assurance that the BCP is in compliance with the APRA Prudential Standard. Where areas of shortfall exist, these will be identified and appropriate recommendations made
Australian and International Standards
As required, the Audit may incorporate the use of Australian and international standards such as:
- AS/NZS 4360 and handbook HB 221:2003 Business Continuity Management
- AS/NZS 7799.2:2003
Best Practice
An Audit against BCP best-practice checklists provides assurance that sound BCP principles and standards are in place. This approach also incorporates adherence to current BCP standards.
Scope
The scope of the Audit may include the following:
- Business Impact Analysis, or Business Requirement documentation
- Recovery Strategy documentation
- Policy
- Scope and Limitations
- BCP documentation
- Off-site data security procedures and records
- BCP testing records
- Contractual records
- Any relevant correspondence
Interviews will be conducted with relevant personnel, such as:
- Members of the Business Continuity Team
- Management
- External parties as appropriate
Visits will be made to relevant facilities, such as
- Relevant locations within the organisation
- Recovery Sites
Audit Plan
At the commencement of the project an Audit Plan will be agreed. The major steps in this plan will
include:
- Agreement as to the Scope
- Detailed review of the documentation
- Identification and interview of relevant personnel
- Agenda preparation for the relevant personnel
- Any external visits that are considered necessary
- Preparation of the Audit report
Deliverables
A BCP Audit report will be produced that will include some, or all of the following:
- Management Summary
- Recommendations as to compliance with regulatory requirements
- Recommendations as to compliance with best practice
- Analysis Detail
- Report on compliance with regulatory requirements
- Report on the current BCP provisions
- Report on the current BCP documentation
- Report on the current Business Continuity Team
- Report on the current testing arrangements
- Any other advice that may be considered to be helpful