Monday, November 27, 2006

IT Control - BCP | BRP

Some call it "Business Continuity Planning (BCP)", others call it "Business Resumption Planning (BRP)". Whatever the term, the important thing is the plan, not the name.

Besides the BCP there is the DRP (Disaster Recovery Planning), which is the IT aspect of the BCP: DRP = IT BCP.

The most important thing is to plan for the worst-case scenario and to ensure that all critical business processes and mission-critical systems are covered under the plan.

For auditing purposes, detailed guidance on BCP is available in:-
  • FFIEC (BCP booklets)
  • COBIT IT Processes (item DS4, Ensure Continuous Service)

Monday, November 20, 2006

Illustration of an IT Risk Assessment

Area : IT Planning and Strategy

Source : IT Plan

Risk : Failure to plan for effective use of the IT resources

Outcomes:
Use of IT not aligned with the business objectives
Missed IT opportunities resulting in loss of competitive advantage

Control:
IT Long term and short term plan

Control effectiveness:
Medium effective (ME)
- IT Plan not reassessed periodically, and feedback from users not captured and reported to the Steering Committee

Risk Mitigation Strategies (Recommendation):-
Review the IT plan on a periodic basis by gathering feedback from the various users, and report the status to the IT Steering Committee.

Wednesday, November 15, 2006

IT Control - IT Plan

The purpose of IT plans is to ensure that the use of IT is aligned with the mission and business strategies of the organization.

It is also to highlight the IT requirements for achieving the business objectives.

In general there are two types of plan, i.e. the short-range plan and the long-range plan.

Like any other plan, it should be reassessed periodically and amended as necessary in response to changing business and IT conditions.

Management should establish processes to capture and report feedback from business process owners and users regarding the quality and usefulness of the long- and short-range plans.

Risks
Failure to plan, or to reassess the plan, could lead to:-
  • IT failing to meet the organisation's mission and goals
  • IT failing to match short-range plans with long-range plans
  • IT projects failing to meet short-range plans
  • IT failing to meet cost and time guidelines
  • Missed business opportunities
  • Missed IT opportunities

Monday, November 06, 2006

IT auditor and IT projects

Besides conducting audits, IT auditors are often involved in IT projects to ensure that adequate security and controls are considered and built into the systems, regardless of whether the system is developed in-house or acquired from a vendor.

This involvement ensures that control issues are highlighted at an early stage, as it can be costly to implement controls once the system is already live and running.

The involvement is therefore preventive (pre-implementation) rather than detective (post-implementation).

The auditors should maintain their independence as stated in the IS Auditing Standards issued by ISACA.

Wednesday, November 01, 2006

Planning of IT Audit

There are many ways to plan for the IT audit:-

  1. ISACA IS Auditing Standard on Planning. There is also an IS Auditing Guideline on the Use of Risk Assessment in Audit Planning.
  2. Global Technology Audit Guide (GTAG), Guide 4: Management of IT Auditing.
  3. FFIEC IT Examination Handbook, section on Audit.
  4. COBIT can also be used for planning an IT audit. One example is available at this site:-

Whatever way, the most important things are:-

  • to understand how IT supports the business
  • what IT risks could occur
  • what the impact and the likelihood of each IT risk is
  • to ensure that all the high-risk IT activities are covered, or if not all then the majority of the highest-risk ones (priority should be given to the highest risk)
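The points above (score each risk by likelihood and impact, then give audit priority to the highest-risk activities) and the risk-assessment illustration of 20 November (one area, one risk, one control) can be put together in a small risk register. The Python below is an added example, not code from the original post or from ISACA, GTAG, FFIEC or COBIT. The 1-to-5 scales, the high-risk threshold of 15, the audit-hour figures and every area other than the "IT Planning and Strategy" entry are constructed sample values, chosen only to make the selection logic visible.

```python
"""Risk-based selection of IT audit areas (added example, constructed data).

Each register entry is scored as likelihood x impact. Areas are ranked by
score and taken into the audit plan in that order while the hours budget
lasts; the report then shows which high-risk areas were left uncovered so
the shortfall can be raised with the audit committee.
"""
from dataclasses import dataclass

# Assumed threshold: a score of 15 or more (out of 25) counts as high risk.
HIGH_RISK_THRESHOLD = 15


@dataclass(frozen=True)
class RiskItem:
    area: str          # audit area, e.g. "IT Planning and Strategy"
    risk: str          # risk statement for that area
    likelihood: int    # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int        # assumed scale: 1 (negligible) .. 5 (severe)
    audit_hours: int   # constructed estimate of effort to audit the area

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed 1..5 scale so a typo cannot
        # silently inflate or hide a risk.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        if self.audit_hours <= 0:
            raise ValueError("audit_hours must be positive")

    def score(self) -> int:
        return self.likelihood * self.impact

    def is_high_risk(self) -> bool:
        return self.score() >= HIGH_RISK_THRESHOLD


# Constructed sample register. The first entry mirrors the post's
# illustration; the ratings and hours are assumptions, not from the post.
SAMPLE_REGISTER = [
    RiskItem("IT Planning and Strategy",
             "Failure to plan for effective use of the IT resources", 3, 4, 40),
    RiskItem("Access Control",
             "Unauthorised access to critical systems", 4, 5, 80),
    RiskItem("Change Management",
             "Unapproved changes reaching production", 4, 4, 50),
    RiskItem("Business Continuity / DRP",
             "Critical systems not recoverable within tolerance", 3, 5, 60),
    RiskItem("Help Desk",
             "Incidents not logged and tracked", 2, 2, 20),
]


def rank(items):
    """Highest score first; ties broken by area name for a stable order."""
    return sorted(items, key=lambda r: (-r.score(), r.area))


def plan_audit(items, budget_hours):
    """Greedy selection in risk order.

    An area that does not fit the remaining budget is skipped rather than
    ending the selection, so smaller lower-risk areas can still use the
    leftover hours. Returns (selected areas, unused hours).
    """
    selected, remaining = [], budget_hours
    for item in rank(items):
        if item.audit_hours <= remaining:
            selected.append(item)
            remaining -= item.audit_hours
    return selected, remaining


def coverage_report(items, selected):
    """How much of the high-risk population the plan actually covers."""
    high = [r for r in items if r.is_high_risk()]
    chosen = set(selected)
    uncovered = [r.area for r in rank(high) if r not in chosen]
    return {
        "high_risk_total": len(high),
        "high_risk_covered": len(high) - len(uncovered),
        "uncovered": uncovered,
    }


if __name__ == "__main__":
    chosen, left = plan_audit(SAMPLE_REGISTER, budget_hours=160)
    for r in rank(SAMPLE_REGISTER):
        flag = "HIGH" if r.is_high_risk() else "    "
        mark = "*" if r in chosen else " "
        print(f"{mark} {flag} {r.score():2d}  {r.audit_hours:3d}h  {r.area}")
    print("unused hours:", left)
    print(coverage_report(SAMPLE_REGISTER, chosen))
```

With the constructed 160-hour budget the two highest-scoring areas are taken, "Business Continuity / DRP" no longer fits and is reported as an uncovered high-risk area, and the remaining hours go to the small "Help Desk" review. That uncovered line is the point of the report: the post's rule is that if not every high-risk activity can be covered, the auditor should at least know which ones were dropped and why.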
