Prepare for a business continuity audit with the FFIEC handbook

Preparing for a business continuity audit

Before a business continuity audit, there are preparatory steps organizations must take. If using Business Continuity Management as a guide, Appendix A of the handbook will serve as the basis for these audit activities.

An organization can treat just about every item in Appendix A as an audit requirement, necessitating the collection of information. Important preaudit activities based on this section of the handbook include the following:

1. Determine what will be audited.
2. Gather relevant documentation, such as plans, reports, business impact analyses (BIAs), risk assessments, policies and procedures, and after-action reports.
3. Identify subject matter experts who will participate in the audit to answer auditor questions and provide additional information.
4. Identify areas for which no evidence is available and either gather usable evidence or be prepared to explain why no evidence is available.
5. Prepare a conference room or other quiet area for auditors to work. This could include a phone, whiteboard, pencils and pens and tablets of paper, and enough table space and chairs.

Examination procedures

Thirteen objectives comprise the examination procedures described in Appendix A of Business Continuity Management. These objectives can form the basis of the business continuity audit. Nonfinancial industries may find some procedures more applicable than others but should still be able to form a solid audit plan with the guidance the handbook provides.

Objective 1: Determine the appropriate scope and objectives for the examination. This section looks for various documents and reports, results of interviews with senior management prior to commencing the audit, and identification of new threats and vulnerabilities.

Objective 2: Determine whether the board and senior management promote effective governance of business continuity. This section requires evidence of senior management and the board's role in business continuity, its level of support and its commitment to the BC program.

Objective 3: Determine whether the board and senior management engage audit or other independent review functions to examine and validate the BC program. This objective determines what previous business continuity audit activity -- if any -- has taken place and the results of the activity.

Objective 4: Determine whether management developed an appropriate and repeatable BIA process. This objective looks for evidence of the development of a business impact analysis and if the results were used to improve BC operations.

Objective 5: Determine whether management conducts a risk assessment. This objective looks for evidence of a risk assessment to identify and mitigate potential risks, threats and vulnerabilities.

Objective 6: Determine whether the organization's risk management strategies are designed to achieve resilience. In this objective, the auditors will look for evidence of resilience and recoverability capabilities within the organization, such as multiple data centers, multiple offices, cloud-based data backup and various technology controls to ensure that critical systems are protected.

Objective 7: Determine whether the organization's BC program includes communication protocols. This objective looks for evidence of regular communications with various government and nongovernmental organizations, such as regulators, law enforcement, emergency responders, and state and local government agencies.

Objective 8: Assess the appropriateness of the organization's enterprise-wide BC activities. This objective goes into extensive detail on various elements of BC plans to ensure they are complete and provides procedures for a variety of events.

Objective 9: Determine whether the BC program includes training and awareness activities. Auditors will look for evidence of training programs for emergency team members, regular employees and senior management. They will also look for evidence of programs to keep employees informed of the importance of the BC program and their roles in the program.

Objective 10: Determine that the exercise and testing program is sufficient for management to be satisfied that the organization can achieve its BC objectives. In this objective, auditors will examine evidence of exercise and testing activities, post-exercise reports and evidence that exercise outcomes have resulted in improvements to the overall BC program.

Objective 11: Determine if management continuously measures the progress of and assesses the effectiveness of the BC program and uses the information to improve the BC process. This activity examines whether management reviews and updates the BC program so that the program is consistent with current business operations. It also looks for evidence of activities that facilitate the maintenance and improvement of the BC program.

Objective 12: Determine that the board has established expectations for business continuity management reporting. This objective verifies that senior management expects periodic reporting of BC program activities, such as changes in staffing, updates to BIAs and RAs, and recent exercise results.

Objective 13: Discuss corrective action and communicate findings. As the final objective, this step addresses reporting of audit findings, plans for implementing corrective actions, and preparation of work papers, including documents that contain all audit findings and analyses.

The FFIEC's Business Continuity Management handbook is free to download on the council's website.