The board and senior management should engage internal audit or independent personnel to review and validate the design and operating effectiveness of the BCM program. Audit should report to the board and provide an assessment of management’s ability to manage and control risks related to continuity and resilience.
Examiners should review the following:
- Scope of BCM-related audit activities.
- Audit reporting of BCM-related activities to the board.
- Board review of audit reports.
- Tracking and resolution of audit findings.
- Management’s review of system and organization controls (SOC) and third-party service provider audit reports.

Footnote on the term SOC: “In 2017, the American Institute of Certified Public Accountants (AICPA) introduced the term ‘system and organization controls’ (SOC) to refer to the suite of services practitioners may provide relating to system-level controls of a service organization and system- or entity-level controls of other organizations. Formerly, SOC referred to service organization controls. By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations, and (b) on either system-level or entity-level controls of such organizations.” (AICPA, SOC 2 Examinations and SOC for Cybersecurity Examinations: Understanding the Key Distinctions.)
The board and senior management should engage internal audit (or an independent review) to assess the BCM design effectiveness, including policies and procedures, and the effectiveness of controls. Audit should report to the board and provide an assessment of management’s ability to oversee and control risks related to continuity and resilience. Auditors should be qualified and independent of BCM processes. Audit scope and frequency depend on the entity’s complexity, risk profile, and changes the entity may be experiencing. Large, complex entities may have multiple audits, covering various departments or aspects of the BCM program. Less complex entities may have their business continuity activities included within an IT general controls audit.
The internal audit of the BCM program should provide an independent assessment of management’s ability to oversee the entity’s continuity and resilience risk. Auditors should:
- Evaluate the business impact analysis (BIA) and risk assessment for reasonableness, identification of critical functions, and the likelihood of different events and the potential impact on operations.
- Evaluate controls for reliability, adequacy, and effectiveness regarding continuity and resilience.
- Leverage SOC reports and other external artifacts from third-party service providers, as appropriate.
- Compare the entity’s inherent risk level and the effectiveness of risk mitigation against the entity’s risk appetite.
- Verify whether test plans achieve the stated objectives.
- Monitor BCM testing to verify that issues (e.g., deviation from test plans and failed objectives) are appropriately identified and escalated.
- Assess the BCM program’s effectiveness.
Refer to the IT Handbook’s “Audit” booklet for additional information.