• Get the message across – don't get the readers lost in details and terminology. Apply the KISS principle!
• Provide a concise Executive Summary.
• Start with non-technical content.
• Start with fewer details and gradually add detail.
• Protect the information.
• Protect yourself (the auditors).
Outline:
1. Executive Summary
2. Introduction
a. Reasons for Audit
3. Scope
4. Approach
5. Audit Statement
a. Pass-Fail (PF) Rating
b. Compliance statement
c. Quality statements
i. Strengths
ii. Weaknesses
iii. High level recommendations for improvements
The overall rating of the BC program is Average, and the controls are in compliance with
current industry guidelines relative to the program's current maturity level. We find
evidence of consistent progress since the inception of the BC program. We also find that
adequate support and controls are in place to allow improvement of the overall program.
The audit has discovered risk areas and weaknesses in several key quality-related aspects
of the program. The risks and weaknesses are primarily related to these areas:
• Program commitment
• Interim BC Plan
• BC Program Management Document
• Risk Management
• Personnel
• Salvage Restoration
• IT Systems Recovery Strategy
• Offsite Data Storage
• Work-around Procedures
• Critical Record Storage
• BC Plan Document
• BC Plan testing
• Recovery site change monitoring
• Risk Controls
The audit finds the following as the main areas of program strength:
• Management Buy-In
• IT recovery strategy
• IT recovery testing
• Business Impact Assessment
• SLAs and contract management
6. Audit Progress
a. Compared to previous audit
b. Areas of Strength
c. Recommendations
This section provides the results of the audit from a Program Lifecycle perspective.
Our audit examined the BC program lifecycle at seven stages:
a. Program Initiation
b. Program Planning
c. Program Functional Requirements
d. Design and Development
e. Program Implementation
f. Plan Testing
g. Program Maintenance
Each of these stages was assessed in terms of its main aspects (Program Stage
Categories). The ratings, indicating our assessment, are given to a stage or a
category as follows:
1. Weak – value of 0 to 3
2. Average – value of 4 to 6
3. Strong – value of 7 to 10
Note that several category ratings in the tables below carry a Strong label at values
between 5.8 and 6.9, which this scale places in the Average band; the numeric value
should be read together with the label.
a. Program Initiation
This phase is the first step in starting the BC program. Our audit reviewed the
roots of the program to determine whether there is adequate management buy-in,
whether the program has been evaluated properly, whether a formal commitment has
been given by senior management, and whether there is sufficient support for
allocating BC funding.
b. BC Program Planning
In this phase, plans for the remaining phases are developed. Our audit reviewed the
planning and organization of BC program management. In particular, we examined
aspects related to the BC program management document, program structure, the
program approval process, and a detailed budget for the BC program.
| BC Program Planning | Rating | Comments/Suggestions | Recommendation |
|---|---|---|---|
| BC Program Management Document | 4.4 Average | 1. The project plan is well structured, but a complete program document is missing; the project plan is part of the BC plan (Risk Area). 2. Industry-specific BC requirements have not been researched. 3. There are no written program assumptions. 4. There is no evidence of program risks in the BC plan or program document. | 1. Create a BC program document that is separate from the BC plan. 2. Research industry-specific BC requirements. 3. State all key assumptions in the program document. 4. Assess and document key program risks and mitigation steps. |
| Program Structure | 3.0 Weak | The primary reason for the weakness in program structure is the part-time roles assigned to the BC coordinator and her immediate team members. The secondary reason is that the roles and responsibilities of individual team members are not well defined. The overall program structure is expected to improve with the establishment of a BC Steering Committee, as planned. | 1. The BC coordinator and her immediate team members should have full-time dedicated positions. 2. Establishment of the Steering Committee must become a high priority. |
| Approval Process | 5.2 Average | The approval process is reasonable given the current maturity level, and efforts are being made to improve it. | |
| Overall | 3 Weak | Program structure is weak due to the part-time roles assigned to the BC coordinator and immediate team members (Risk Area). | |
c. BC Functional Requirements
In this phase, the functional requirements of the BC program are defined. Our audit
reviewed the requirements documented for each area of the program. In particular, we
examined aspects related to risk management, the business impact analysis (BIA),
training and awareness, salvage and restoration, insurance, BC tools, and assembly
locations.
| BC Functional Requirements | Rating | Comments/Suggestions | Recommendation |
|---|---|---|---|
| Training and Awareness | 6.5 Strong | Training requirements have been documented, but only for BC teams. | Document requirements for personnel outside the BC teams. |
| Salvage and Restoration | 0 Weak | There are no salvage and restoration requirements documented (Risk Area). | Evaluate and document salvage and restoration requirements. |
| Insurance Requirements | 3.5 Weak | The insurance requirements area is weak. | 1. Review the insurance policy for comprehensive disaster coverage. 2. Integrate the insurance purchase process with the BC program. 3. Determine the insurance claim process. |
| BC Tools | 5 Average | Tools are currently under evaluation. | Assess requirements for tool support staff. |
| Assembly Location | 2.75 Weak | Assembly location requirements have not been assessed thoroughly for BC team members. | 1. Assess detailed assembly-site capacity requirements for BC teams. 2. Assess detailed travel and accessibility requirements for BC teams. 3. Assess requirements for a tertiary assembly location. |
| Overall | 4.83 Average | Risk management is weak, but the BIA has a high rating. There are no salvage and restoration requirements documented (Risk Area). | |
d. Design and Development
| Design and Development | Rating | Comments/Suggestions | Recommendation |
|---|---|---|---|
| Risk Controls | 3.0 Weak | Problems in this stage are due to weaknesses in the preceding functional requirements process. Not all control options have been analyzed, and residual risks have not been examined. | Initiate a risk assessment and management project with the help of a risk management expert and full management support. |
| IT Systems Recovery Strategy | 5.3 Average | The overall design is aligned with the requirements, but there are still some gaps and room for improvement (Risk Area). For example, generic applications such as email are not part of the recovery strategy. Drop-shipping the billing system server may not be a reliable strategy, and the ability of people to get to the recovery site on time needs additional assessment. | 1. Assess requirements for email and other generic applications. 2. Assess the ability of people to get to the recovery site on time. 3. Align the drop-ship strategy with RTO requirements. |
| Alternate IT Recovery Site | 6.85 Strong | The recovery site is with a vendor that is both reputable and reliable, and it is located outside the regional risk area. Information security is a concern because the servers and work areas are shared with other clients. There is no guarantee of access at the time of a disaster; service is provided on a first-come, first-served basis. | 1. Implement information security measures for the recovery site. 2. Consider use of a tertiary recovery site to deal with a potential lack of access to the secondary site. 3. Review the BC plan of the recovery site vendor. |
| Offsite Data Storage | 3 Weak | RPO requirements are unknown for the billing systems; data integrity testing procedures are not documented; there is no strategy for remote backup during the recovery period (Risk Area). | 1. Assess RPO requirements for the billing system. 2. Assess and document data integrity test procedures. 3. Design a data backup strategy for the recovery period. |
| Critical Record Storage | 4.6 Average | There is no internal records management group or facility besides the remote storage facility. | Design and develop an internal critical document/record management group and facility in addition to the remote storage site. |
| Alternate Work Area | 4.7 Average | An interim site exists. There are plans to acquire a long-term alternate work area with the same IT recovery site vendor. | 1. Expedite design and development of the alternate work site. 2. Consider the Canadian site as a possible tertiary work area recovery site. |
| Crisis Management Center (CMC) | 6 Average | The EOC will be used as the CMC. The first location is a leased site 30 miles away from HQ. The alternate location is a hotel meeting room to be | See recommendations in the requirements stage. |
| Assembly Location | 6 Average | No major concerns, except that it has not been evaluated for BC-related use. | Evaluate the design of the assembly location to determine whether it meets BC requirements. |
| Data Communication Services | 5.83 Strong | The design overall meets the continuity requirements but needs some additional improvements. For example, carrier links to the data center go through the same conduit and the single entry to the building (Risk Area). | Review the data links to improve redundancy and remove the single point of failure. Include this review as part of the risk assessment project. |
| Voice Communication | 6.6 Strong | The design overall meets the continuity requirements but needs some additional improvements. | Review the design to provide additional redundancy by combining voice communication media. |
| Work-around Procedures | 3.6 Weak | Most critical business areas have work-arounds documented, but with inconsistent format and partial information (Risk Area). | Ensure work-around procedures for all critical areas are complete and documented using a consistent and complete format. |
| Training and Awareness | 5.2 Average | There are no major weaknesses in this area, but there is room for improvement. | Assign training and awareness responsibility to a staff member. Review the current training and awareness design for additional improvements. |
| Salvage and Restoration | 0 Weak | Functional requirements have not been initiated yet. See comments in the Functional Requirements table. | The design and development for salvage and restoration must be based on the functional requirements once they are completed. |
| Overall | 4.2 Average | | |
e. BC Program Implementation
In this phase, the plans and designs developed in the earlier phases are put into
operation. Our audit reviewed how far implementation has progressed. In particular, we
examined training and awareness, BC tools, salvage and restoration, personnel, SLAs
and contracts, and the BC plan document.
| BC Program Implementation | Rating | Comments/Suggestions | Recommendation |
|---|---|---|---|
| Training and Awareness | 2.0 Weak | The training and awareness program is only partially implemented. | Expedite initiation of the training and awareness program. |
| BC Tools | 2.0 Weak | There are no major weaknesses in this area, but there is room for improvement. | Expedite tool evaluation to begin tool usage and deployment. |
| Salvage and Restoration | 0 Weak | Salvage and restoration is not yet included in the BCP. See comments in the Functional Requirements table (Risk Area). | Expedite the salvage and restoration requirements assessment to begin its implementation. |
| Personnel | 4.0 Average | Most of the required personnel have been hired, except for two key positions reporting to the BC coordinator. | Expedite hiring of staff to fill the two key positions. |
| SLA and Contracts | 7.0 Strong | Most of the key SLAs have been implemented and the rest are under review. | |
| BC Plan Document | 3.0 Weak | The plan document is missing key sections. Most parts of the document are incomplete. | Redesign the BC plan document and address the incomplete areas. |
| Overall | | | |
f. Plan Testing
g. Program Maintenance
| Business Department | Business Function | Business Process | Systems Not Tested | Work-Arounds | IT Strategy | Records Strategy | Recovery Team | Recovery Tasks | Recovery Tested | All |
|---|---|---|---|---|---|---|---|---|---|---|
| | Order Processing | Receive Orders | | 6 | 6 | 4 | 9 | 7 | 9 | |
| | | Process Orders | IMS | 6 | 6 | 4 | 9 | 7 | 1 | |
| | | Fulfill Orders | IMS | 6 | 6 | 3 | 9 | 7 | 1 | |
| | | Overall | 1 | 6 | 6 | 3 | 9 | 7 | 1 | 4.7 |
| Sales and Marketing | Sales | Manage Sales Contracts | SITS | 9 | 4 | 7 | 9 | 7 | 2 | |
| | | Sell Product | SITS | 7 | 4 | 7 | 9 | 7 | 2 | |
| | | Develop Sales Plan | | 7 | 4 | 7 | 9 | 7 | 2 | |
| | | Overall | 1 | 7.6 | 4 | 7 | 9 | 7 | 2 | 5.4 |
| | | Overall | 8 | 8 | 7 | 4 | 9 | 7 | 9 | 7.4 |
| | Product Pricing | Establish Wholesale Product Price | 8 | 5 | 7 | 8 | 9 | 7 | 9 | |
| | | Adjust Product Pricing | 8 | 5 | 7 | 8 | 9 | 7 | 9 | |
| | | Establish Online and Retail Product Pricing | 8 | 5 | 7 | 8 | 9 | 7 | 9 | |
| | | Overall | 8 | 5 | 7 | 8 | 9 | 7 | 9 | 7.6 |
| Distribution | Packaging | Package Products | IMS | 5 | 8 | 7 | 9 | 7 | 1 | |
| | | Order Packaging Supplies | IMS | 5 | 8 | 7 | 9 | 7 | 1 | |
| | | Overall | 1 | 5 | 8 | 7 | 9 | 7 | 1 | 5.4 |
| | Shipping | Create Shipping Labels | | 8 | 6 | 8 | 9 | 7 | 8 | |
| | | Attach Invoice | | 8 | 7 | 8 | 9 | 7 | 8 | |
| | | Urgent Delivery | | 8 | 5 | 8 | 9 | 7 | 8 | |
| | | Normal Delivery | | 8 | 5 | 8 | 9 | 7 | 8 | |
| | | Scan Package | | 8 | 7 | 8 | 9 | 7 | 8 | |
| | | Overall | 7 | 8 | 6 | 8 | 9 | 7 | 8 | 7.6 |
| All Departments | | | | | | | | | | 6.5 |