Abstract
An organisation fears that its procedures and policies for continuing its operations after a disaster may be inadequate.
Challenge
The scope of our review was to conduct, as part of our risk-based internal audit plan, a review of the policies and procedures for implementing and maintaining business continuity management at a large organisation.
Approach
Our work consisted of interviews with key staff and a review of the organisation’s documentation. This internal audit assignment focused on the following key issues:
- Had business continuity management been embraced by the business and IT functions?
- Was a policy established in this area?
- Were appropriate procedures and supporting records maintained?
- Were the services provided by third parties appropriate (if applicable)?
- Had appropriate testing been carried out?
Solution
Our findings were categorised as follows:
- Four findings highlighted a major control weakness that posed a significant risk of financial loss or operational disruption; these required immediate attention.
- One finding showed a significant control weakness that could have resulted in financial loss or operational disruption. This weakness also required immediate attention.
Recommendations
- Business and IT management should carry out a comprehensive business continuity risk assessment in relation to the impact and likelihood of different levels of disaster.
- We recommended that as part of an organisation-wide initiative, management formulate and document an appropriate business continuity management strategy based on the output from an initial business impact analysis and risk assessment process.
- We recommended that management review service contracts with third-party suppliers to ensure that they include appropriate levels of service.
- We recommended that IT management evaluate the possibility of extending the terms of the current hardware maintenance agreements to include the provision of replacement hardware in the event of a critical component or other system failure within a defined timeframe.