it42015 slides
TRANSCRIPT
5/7/2015
Copyright © 2014 AuditNet® and Richard Cascarino & Associates
AuditNet® Training without Travel™ Auditing Contingency Planning May 7 2015
Guest Presenter: Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
Jim Kaplan CIA CFE
• President and Founder of AuditNet®, the global resource for auditors (now available on Apple and Android and Windows devices)
• Auditor, Web Site Guru,
• Internet for Auditors Pioneer
• Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award.
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
Richard Cascarino MBA CIA CISM CFE
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 30 years experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Auditor's Guide to IT Auditing
Webinar Housekeeping
• This webinar and its material are the property of AuditNet® and Richard Cascarino and Associates. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link access to that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• Webinar recording link will be sent via email within 5-7 business days.
• NASBA rules require us to ask polling questions during the Webinar and CPE certificates will be sent via email to those who answer ALL the polling questions.
• The CPE certificates and link to the recording will be sent to the email address you registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars
• If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.
Disclaimers
• The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant‐client relationship.
• While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website
• Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet®
Today’s Agenda
• What is a Disaster?
• What is a Disaster Recovery Plan?
• Who is Accountable?
• What are the Options?
• What is the cost?
• How can a contingency plan (C.P.) be tested?
• What is Management's Role?
• What is the User's Role?
• What is the Information Services Role?
• What is the Internal Auditor's Role?
Before and After
Perhaps the best prepared organizations are the ones who have lived through a calamity
The Risks
• Fire
• Flood
• Building collapse
• Explosion
• Industrial failure
• Power failure
• Loss of data
• Deliberate sabotage
Computer Abuse
• Deliberate action by staff
• "Hacking" into systems
• Internet penetration
• EDI abuse
DISASTER - A
Loss of: People, Building, Factories, Finance, Credibility, Materials, Computers
Causes: Explosion, Aircraft crash, Total fire, Flood, Industrial action, Earthquake, Sabotage
DISASTER - B
Loss of (temporary): Hardware, Software, In-house data
Causes: Explosion, Fire, Flood, Industrial action
DISASTER - C
Loss of: Software and the ability to recover; In-house data
Causes: Explosion, Fire, Flood, Freak atmospheric force, Deliberate destruction, Bad systems design, Poor operating standards
DISASTER - D
Loss of: Software (partial loss only) and the inability to recover
Causes: Computer operational error, Deliberate destruction, Bad systems design, Poor operating standards
Consequences of Disruption
• Inefficiency: production control, lost production, schedule disruption
• Legal: penalty clauses
• Ill-will: customers, shareholders, staff
• Loss of revenues: delays in invoicing, lost interest, lost sales, lost future business
• Incurred costs: extra manning, interest on loans, loss of discount
DRP Status
2011 Survey by RC&A
            M/frame   LANs   Cloud
DRP           77%     51%     35%
Planning      18%     18%     29%
No Plans       5%     30%     32%
That does not mean they work
The Future
• Increasing dependence on Cloud systems
• Integrated data warehouses
• Integrated office automation
• EDI
• Internet trading
DRP must be considered during systems planning
Corporate Survival
• Men
• Money
• Materials
• Machines
• Methods
All resources
Corporate Survival
Not a computer problem. Therefore the responsibility of:
• The board
• Executive management
• Senior management
• Junior management
• Users
• The cleaning staff
The Computer Role
• A prime resource
• Expertise needed
• Recovery not instantaneous
• Return to normal even longer
• In-depth planning required
• One objective - survival
A Plan must be
• Comprehensive
• Dynamic
• Useable
• Relevant
• Tested
• Up to date
• Known
A Disaster can be
• Application dependent
• Calendar dependent
• Installation dependent
Total loss: probability is low, impact on business is high
Minor loss: probability is high, impact on business is low
How to Get Started
• Establish terms of reference
• Identify emergency lines of reporting
• Establish emergency strategy
Terms of reference: it must be firmly recognized and accepted that policy decisions and overall responsibility rest entirely with top management
Disaster Planning
3 levels of concern:
• Hardware reliability
• Software and data integrity
• Loss of facility
Why has loss of facility become the predominant concern?
Preparedness for a Disaster
• Poor: organisation highly vulnerable to damage to its data processing capability; could jeopardize corporate survival
• Weak: disaster would result in conspicuous interruption of IT services; could result in loss of business
• Adequate: organisation could recover from the loss of computer capabilities at some cost and public embarrassment
• Good: organisation could recover from the loss of computing capability with some cost but little embarrassment
• Very Good: organisation is ready for virtually any eventuality; disaster should have no material effect on the business
Contingency Plan
• Board-level sponsor required
• Committee or individual
• Identify the key systems and prioritize: 24 hours, 2-3 days, 1 week, 1 month, never?
• Calendarized
The Methodology
• Risk analysis
• Develop the plan outline
• Establish the recovery team
• Resource analysis
• Selection of backup facilities
• Documenting the plan / procedures / tasks
• Prepare off-site storage
• Test and educate
• Maintain and review
Risk Analysis
• Must be simple, quick, easily understood, easily updated
• Must cover all systems: manual and automated
• Must determine dependencies
Planning - 1
• Define purpose, scope, strategy
• Determine recovery requirements: which jobs, in which order, what resources
• Arrange backup site: hot, warm, cold
Planning - 2
• Define recovery activities
• Define responsibilities and staffing
• Define procedures to test & maintain
• Test and amend
Possible strategies:
• Fallback to manual: rarely possible
• Fallback within the organisation: effective but expensive
• Reciprocal agreements: many inherent problems
Minimum Requirements to Recover
• Copies of files
• Copies of programs
• Operating system
• Documentation
• Alternate facility
• Contingency plan
Where to Start
Model the business: Accounting, Marketing, Payroll, Production, MIS
How do we identify critical applications?
Disaster Recovery Planning is a Business Problem !!!!!!
Model the Business
• Identify data flow and dependencies
• Identify the critical business performance areas: critical success factors
(Accounting, Marketing, Payroll, Production, MIS)
Identify the Critical Systems
• Also dependent systems (incl. manual)
(Accounting, Marketing, Payroll, Production, MIS)
Plan for the DRP when you plan for the system, at the Feasibility Study stage
Polling Question 1
Making the First Move
• Establish the terms of reference: it must be firmly recognised and accepted that policy decisions and overall responsibility rest entirely with top management
• Identify emergency lines of reporting
• Establish emergency strategies
Need to Define
• Allocation of responsibility
• List of all possible perils
• Study of all components under threat
• Effectiveness of existing defences
• High risk / high exposure areas
• Current insurance position
• Management awareness levels
Components Include
• Hardware
• Systems software
• Application software
• Data
• Data storage mediums
• Documentation
• Stationery
• People
Also Affected
• Cash flow
• Vulnerable remote sites
• Contracts / commitments
• Telecomms and networks
• Buildings
• Services
• Manual interfacing systems
Work in Progress
Systems under development should be accounted for:
• Time schedules
• Location of all documentation
• Test versions of systems
• SDLC status reports
Documentation
• Must be up-to-date
• Must be stored securely
• Must record known weaknesses
• Must reflect dependencies
• Must reflect changes
• Must include authority levels
Insured Areas for Review (1)
Schedule of cover. Damage or loss to/of:
• Property
• Plant and equipment
• Computer hardware
• Computer software and data
• Documentation
• Key personnel
Degree of damage: slight to total loss
Insured Areas for Review (2)
Protection:
• Against computer misuse
• Of misuse of data
• Of disclosure of data
• Against other organizations' consequential claims
Insured Areas for Review (3)
Loss of people, including:
• Public liability
• Employers' liability
• Business interruption
General exceptions, general conditions, ongoing declarations
Lines of Reporting
In an emergency:
• Who is in charge?
• What is his role?
• Who is his backup?
• Who are the key personnel?
• What autonomous groups exist?
• Who maintains the plan?
Emergency Strategies
• Must contain alternatives
• Apply to: key systems, disaster potential, disruption periods
• Define impact of a DP area disaster on all operating areas
Strategies Defined Under:
• Pre-planning definition stage
• Functional requirements stage
• Design stage
• Implementation stage
• Testing stage
• Continuity and maintenance stage
Teams Involved
• Management team
• User team
• Facilities team
• Telecomms team
• Systems software team
• Operations team
• Hardware team
• Recovery team
Identify Types of System - IT
By operating objectives:
• Centralised
• Stand-alone
• Distributed
• Real time
• On-line
• Batch
Together with degrees of priority
Categorize Systems
• Effect of stoppage identified
• Essential interfacing systems identified (computer and manual)
• Document all systems
• Priorities to include: business loss rating, alternative service level required, maximum down time
Other Systems - Manual
• Document all manual systems
• Identify relationships
• Effect of stoppage identified
• Check alternative: accommodation, people, stationery supplies, office equipment, control procedures
If only Limited Resources Available
• Grade systems for recovery
• Agree with management
• Dependencies must be taken account of
• Documentation must be archived
• Run priorities agreed with management (these may vary by time period)
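A worked example for the prioritisation slides above (the 24 hours / 2-3 days / 1 week / 1 month bands, the maximum down time in Categorize Systems, and the dependency and time-period points on this slide). It is added here and is not part of the webinar material. The register, its system names, hours and dependency lists are all hypothetical; the point it demonstrates is that a dependency can silently tighten an agreed maximum down time, which is exactly the inconsistency to take back to management before grading for recovery.

```python
"""Recovery ordering from a critical-systems register.

Added audit worked example; not from the slides.  All systems, hours and
dependencies below are hypothetical.
"""
import heapq
from collections import defaultdict

# Constructed register.  max_down_hours is the maximum down time agreed with
# management (the 24 hours / 2-3 days / 1 week / 1 month bands on the slide).
# period_overrides tightens it in named calendar periods, since run priorities
# may vary by time period.  depends_on lists systems, computer or manual, that
# must be back before this one is usable.
REGISTER = {
    "network":           {"max_down_hours": 24,  "depends_on": []},
    "directory":         {"max_down_hours": 24,  "depends_on": ["network"]},
    "hr_master":         {"max_down_hours": 720, "depends_on": ["directory"]},
    "general_ledger":    {"max_down_hours": 72,  "depends_on": ["directory"],
                          "period_overrides": {"year_end": 24}},
    "payroll":           {"max_down_hours": 168, "depends_on": ["hr_master", "general_ledger"],
                          "period_overrides": {"month_end": 24}},
    "marketing_mis":     {"max_down_hours": 720, "depends_on": ["general_ledger"]},
    "manual_cheque_run": {"max_down_hours": 168, "depends_on": ["payroll"]},  # manual system
}


def declared_limit(name, period=None):
    """Down time agreed for `name`, tightened by any override for `period`."""
    entry = REGISTER[name]
    limit = entry["max_down_hours"]
    if period is not None:
        limit = min(limit, entry.get("period_overrides", {}).get(period, limit))
    return limit


def dependents_map():
    """Reverse the dependency lists; rejects references to unregistered systems."""
    dependents = defaultdict(list)
    for name, entry in REGISTER.items():
        for dep in entry["depends_on"]:
            if dep not in REGISTER:
                raise KeyError(f"{name} depends on unregistered system {dep}")
            dependents[dep].append(name)
    return dependents


def effective_limits(period=None):
    """A system must be back before anything that depends on it, so its
    effective limit is the tightest of its own and all its dependents'."""
    dependents = dependents_map()
    limits = {name: declared_limit(name, period) for name in REGISTER}
    changed = True
    while changed:  # limits only ever decrease, so this terminates
        changed = False
        for name in REGISTER:
            tightest = min([limits[name]] + [limits[d] for d in dependents[name]])
            if tightest < limits[name]:
                limits[name], changed = tightest, True
    return limits


def inconsistencies(period=None):
    """Systems whose agreed limit is looser than a dependent needs:
    (declared, effective) pairs to take back to management."""
    eff = effective_limits(period)
    return {n: (declared_limit(n, period), eff[n])
            for n in REGISTER if eff[n] < declared_limit(n, period)}


def recovery_order(period=None):
    """Kahn topological sort; among systems whose dependencies are restored,
    recover the one with the tightest effective limit first."""
    eff = effective_limits(period)
    dependents = dependents_map()
    indegree = {n: len(REGISTER[n]["depends_on"]) for n in REGISTER}
    ready = [(eff[n], n) for n in REGISTER if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for d in dependents[name]:
            indegree[d] -= 1
            if indegree[d] == 0:
                heapq.heappush(ready, (eff[d], d))
    if len(order) != len(REGISTER):
        raise ValueError("circular dependency in register")
    return order


if __name__ == "__main__":
    for period in (None, "month_end"):
        print(period or "normal", recovery_order(period), inconsistencies(period))
```

Run as-is it reports that hr_master, agreed at 1 month, in fact has to be back within a week because payroll depends on it, and within 24 hours at month end. That is the "dependencies must be taken account of" finding in a form management can sign off, and the same register drives the run order the recovery team would follow.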
Polling Question 2
Backups
• For all systems?
• For essential systems only?
Required: hardware, software, people (specialists, users)
Infrastructure
Infrastructure includes:
• Computer site
• Office accommodation
• Power and services
• Communications: computer, clerical
• Air conditioning
Backup Operating Standards
• Run documentation
• Systems specs
• Program specs
• Source code
• Object code
• JCL
• Support documentation
• Control documentation
• Communication protocols
Points of Contact
• Who does what?
• Who is the backup?
• Who is needed for recovery?
• Who can declare a disaster?
• How can they be reached?
Identify User Data - IT
• Storage media must be identified
• Data elements must be classified by: creation, organisation, retrieval type, importance, confidentiality, access restrictions
Data also Defined by:
• Method of processing
• Usage
• Presentation
• Active life span
• Location
• Disposal timescale
• Disposal method
Note also transitory data
Data Elements
• Interrelationships
• Validation rules
• Input and reinput procedures
• Interim processes
• Control requirements
• Security requirements
Grading of Data
• By application, therefore by strategic importance
• By alternate method of sourcing
• By degree of pain in loss
• By disruption period
Each application is therefore graded, but not all of its data is of the same importance
Planning and Development Data
Not all data required is for processing:
• Test data for WIP
• Strategic plans of the site
• Administrative data for the site
All must be backed up
Preparation of Back-up Data
• The most important element
• Should be designed into application systems
• Should be an enforced standard
• Must be maintained safely
• Must be maintained securely
Acquisition
• Reputable vendors
• Support levels
• Second sourcing
• Internal backup
• Known backup sites
• Vendor's DRP policies
Contracts Should Include
• Equipment life span
• Maintenance agreements
• Environmental requirements
• Power requirements
• Power failure reaction
• Training schedule
• Safety and security measures
Register of Hardware Including:
• Importance in processing
• Location
• Availability of replacement
• Importance in DRP
• Needs of application systems
• Vendor
• Replacement lead time
• Purchase/lease/rental
• Insurance cover
Hardware Availability Assured by:
• Agreements with suppliers
• Standby sites
• Portable computer centres
• Reciprocal arrangements
Backup options:
• In-company backup
• Reciprocal arrangements
• Cold sites
• Warm sites
• Hot sites
• Manual procedures
Polling Question 3
For Recovery Establish:
• Minimum configuration required
• Continuity agreements with vendors
• Backup procedures agreed
• Compatibility of equipment
• Compatibility of firmware
• Security arrangements
• Testing of h/w backup
Consider Also
• Redundant hardware
• Dual control of peripherals
• Switchable comms
• Comms lines
• UPS
• Standby generators
Types of Stoppage
• Hardware failure
• Microcode failure
• Mechanical problem
• Power failure
• Damage
• Environmental failure
• Human error
• Building damage
Ancillary Equipment
• Switchboards
• Electrical equipment
• Power stabilizers
• Modems
• Data prep equipment
• Standby generators
Is it Useable?
• Review for obsolescence
• Spares may be unobtainable
• Backup may have to be secondhand
• Manuals may be missing
• Transport may be required
Systems Software
Software categories:
• Systems support software
• Compilers
• Utilities
• All other
Types:
• Source code
• Binary
• Executable
Systems Software
• Operating systems
• File back-up software
• File restore software
• Security software
• Communications software
Problem Areas
• Differing versions
• Configuration times
• Portability to backup sites
• Incompatibility of minor programs
• Frequency of use
• Work in progress
Software Data Required
• Supply source
• Release level and date
• Security classification
• Support criteria
• Amendments made
• Contingency arrangements
• Testing procedures
• Recovery procedures
Documentation Must Include
• How to use the software
• How to generate the software product
• Where the software resides
• Listings of source code
• How to handle error conditions
Amendment Notes Must Include
• Date of amendment
• Level and version no.
• Amendment source
• Who amended
• Date amendment tested
• Date/release & level when put into production
• Purpose of the amendment
Software Acquisition
• Level of software support
• Duration of support for release level
• Can previous levels be obtained? How far back?
• Cost of replacing
• License agreements
• Timescale for replacement
Software Disasters
Stoppage due to:
• Specific program problems
• Project problems
• Departmental problems
• Company problems
• Other problems
Software Failure?
Or:
• Program logic fault
• Operational error
• Wrong version of software used
• JCL error
• Input error
• Human error
Other Problems
• Snapped magnetic tapes
• Head crashes
• Unreadable magnetic media
• Lost source code
• Deleted records
• Deleted files
• Incompatible software
• Operational difficulties
• Acts of God
Polling Question 4
Testing the Plan
Management needs must:
• Be fully defined
• Be approved
• Cover all in-house and third party risks
• Define all 'retained' risks
The Plan Must
• Be known
• Be secure
• Be up-to-date
• Be available
• Be workable
• Be cost-effective
Testing the Plan
• Must be planned
• Must be practical
• Should be realistic
• Should be unexpected
• Will comprise discrete elements
• Will not work the first time
We Must Know
• The critical systems
• The critical data
• The critical hardware
• The critical software
• The timing of backups
• All retained risks
• The insurance position
• Contractual agreements
Continuity
• Change control must operate
• Risk evaluation of the corporation is dynamic
• Agreements expire
• People leave
• Training is forgotten
• Testing is ongoing
• Policies change
• Cost/benefits change
Polling Question 5
The Audit Program
• Policies
• Application systems
• User data
• Hardware
• Systems software
• Testing
• Continuity
Policies - Terms of Reference
• Ensure contingency policy exists
• Ensure policy is sufficient and realistic
• Ensure high risk areas identified
• Ensure adequacy of insurance
• Ensure all levels of management understand their responsibilities
• If insufficient in-house expertise - call in a consultant
Policies - Strategies
• Assess levels of competence expected
• Review the estimated financial effects
• Review the projected cost
• Review the current planning status
• Review current contracts
• Review contingency team staffing
• Review security and distribution of plan
Who Does What?
• Ensure a definitive organisation chart exists
• Ensure it is up-to-date
• Ensure all reporting relationships are covered
• Ensure security arrangements exist
• Ensure security will continue in an emergency
Application Systems - IT
• Review key systems of the Corporation
• Check for their computer component
• Check the priority ratings
• Ensure contingency plan allows for differing time spans
• Check for adequate and up-to-date documentation
• Review previous tests
Manual Systems
• Check manual systems are included
• Ensure adequate and up-to-date documentation exists
• Check for back-up facilities
• Review training program for manual backup
• Review previous tests
Systems Under Development
• Check all WIP is covered
• Check details are up-to-date
• Check for backups of test libraries
• Review staff responsibilities
• Check level of documentation
User Data - Computer
• Check file layouts of key systems
• Check layouts to actual files
• Review data relationships
• Review linkage to manual data
• Check costs of alternate data sources
• Check backups are as recorded
• Check backups are appropriate
• Review the results of previous tests
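A worked example of the audit steps "check backups are as recorded" and "check backups are appropriate" (and of the Preparation of Back-up Data slide's point that backups must be maintained safely and securely). It is added here and is not part of the webinar material. The backup register format, the sample files, the agreed backup intervals and the 90-day restore-test window are all assumptions; what it shows is the difference between a backup the plan says exists and one that can actually be relied on.

```python
"""Audit test: are the backups what the plan records?

Added worked example, not from the slides.  The register format, the
90-day restore-test window and the sample files are all assumptions.
"""
import hashlib
import os
import tempfile
import time

RESTORE_TEST_WINDOW_S = 90 * 24 * 3600  # assumed: a restore must have been proven within 90 days


def sha256_of(path):
    """Stream the file so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_backups(register, backup_dir, now):
    """Compare what the plan records with what is on the backup store.

    register: {system: {"file": name, "sha256": recorded digest,
                        "max_age_hours": agreed interval, "last_restore_test": epoch or None}}
    Returns [(system, finding), ...]; an empty list means register and reality agree.
    """
    findings = []
    for system, rec in register.items():
        path = os.path.join(backup_dir, rec["file"])
        if not os.path.isfile(path):
            findings.append((system, "backup missing"))
            continue
        if sha256_of(path) != rec["sha256"]:
            findings.append((system, "checksum differs from register"))
        age_h = (now - os.path.getmtime(path)) / 3600
        if age_h > rec["max_age_hours"]:
            findings.append((system, f"backup {age_h:.0f}h old exceeds agreed {rec['max_age_hours']}h"))
        last = rec.get("last_restore_test")
        if last is None or now - last > RESTORE_TEST_WINDOW_S:
            findings.append((system, "no restore test within 90 days"))
    return findings


def build_sample():
    """Construct a backup directory and register exhibiting each finding type."""
    d = tempfile.mkdtemp()
    now = time.time()

    def write(name, data, age_hours):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (now - age_hours * 3600, now - age_hours * 3600))
        return p

    gl = write("gl.bak", b"general ledger dump", 6)        # fresh, matches register
    write("payroll.bak", b"payroll dump (altered)", 6)       # contents differ from register
    hr = write("hr.bak", b"hr master dump", 200)             # older than agreed 168h, never restore-tested
    register = {
        "general_ledger": {"file": "gl.bak", "sha256": sha256_of(gl),
                           "max_age_hours": 24, "last_restore_test": now - 10 * 86400},
        "payroll":        {"file": "payroll.bak", "sha256": hashlib.sha256(b"payroll dump").hexdigest(),
                           "max_age_hours": 24, "last_restore_test": now - 10 * 86400},
        "hr_master":      {"file": "hr.bak", "sha256": sha256_of(hr),
                           "max_age_hours": 168, "last_restore_test": None},
        "marketing_mis":  {"file": "mis.bak", "sha256": "0" * 64,   # recorded, but no file exists
                           "max_age_hours": 720, "last_restore_test": None},
    }
    return register, d, now


if __name__ == "__main__":
    reg, backup_dir, now = build_sample()
    for system, finding in audit_backups(reg, backup_dir, now):
        print(f"{system}: {finding}")
```

The checksum comparison is the "as recorded" test; the age and restore-test checks are the "appropriate" test, since a backup older than the agreed interval loses more data than the recovery requirement allows, and an untested one is an assumption rather than a control. Pointing the same routine at the off-site copy is how to evidence that the off-site store is not just a label in the plan.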
Hardware
• Check an acquisition policy exists
• Check it is enforced
• Ensure documentation exists for all hardware
• Review hardware register
• Test check the register to actual
• Spot check remote equipment
• Check for immediate availability of the register
• Review the results of previous tests
More Hardware
• Ensure hardware backup plan exists
• Review for essential systems usage
• Ensure the essential hardware has been identified
• Review contingency agreements
• Review contractual arrangements
• Ensure the plan is tested on an ongoing basis
• Review the results of previous tests
Hardware Stoppages
• Ensure an incident log is maintained
• Ensure recovery procedures exist for previous stoppage types
• Sample hardware log for serious interruptions
• Check latest contacts list
• Ensure maintenance routines are followed
• Check fire fighting equipment maintenance
• Check physical security
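A worked example of "sample hardware log for serious interruptions" and "ensure recovery procedures exist for previous stoppage types", added here and not part of the webinar material. The log line layout, the agreed maximum down times and the sample incidents are constructed for the example; the decision it encodes is that an interruption is serious when it exceeded the down time agreed for that system, and that an incident still open at the time of the audit counts for its whole elapsed duration rather than being excused.

```python
"""Sample a hardware incident log against agreed maximum down time.

Added worked example, not from the slides.  The log line format, the
MAX_DOWN_HOURS figures and the sample lines are constructed.
"""
import re
from datetime import datetime

# Agreed maximum down time per system, hours (hypothetical; in practice taken
# from the categorized systems register).
MAX_DOWN_HOURS = {"general_ledger": 72, "payroll": 168, "network": 24}

# Constructed log lines: start | end (or OPEN) | system | stoppage type | recovery procedure (or NONE)
SAMPLE_LOG = """\
2015-03-02T08:15 | 2015-03-02T11:40 | network | power failure | RP-07
2015-03-14T22:00 | 2015-03-19T09:30 | general_ledger | hardware failure | NONE
2015-04-01T06:00 | OPEN | payroll | mechanical problem | RP-12
2015-04-10T13:00 | 2015-04-10T13:30 | network | human error | RP-03
cabinet fan replaced, no ticket raised
"""

LINE_RE = re.compile(r"^(\S+) \| (\S+) \| (\w+) \| ([^|]+?) \| (\S+)$")


def parse_log(text, now):
    """Return (incidents, rejected_lines).  Open incidents are measured up to `now`,
    so an unresolved stoppage is not silently excused."""
    incidents, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        start = datetime.fromisoformat(m.group(1))
        is_open = m.group(2) == "OPEN"
        end = now if is_open else datetime.fromisoformat(m.group(2))
        incidents.append({"start": start, "end": end, "open": is_open,
                          "system": m.group(3), "type": m.group(4).strip(),
                          "procedure": m.group(5)})
    return incidents, rejected


def serious_interruptions(incidents):
    """Flag stoppages beyond the agreed limit, stoppage types with no recovery
    procedure on record, and systems the register does not know about."""
    findings = []
    for inc in incidents:
        hours = (inc["end"] - inc["start"]).total_seconds() / 3600
        limit = MAX_DOWN_HOURS.get(inc["system"])
        if limit is None:
            findings.append((inc["system"], "system not in register"))
            continue
        if hours > limit:
            state = "still open, " if inc["open"] else ""
            findings.append((inc["system"], f"{state}down {hours:.1f}h, agreed maximum {limit}h"))
        if inc["procedure"] == "NONE":
            findings.append((inc["system"], f"no recovery procedure recorded for '{inc['type']}'"))
    return findings


def audit_sample(text=SAMPLE_LOG, now=datetime(2015, 5, 7, 9, 0)):
    incidents, rejected = parse_log(text, now)
    return serious_interruptions(incidents), rejected


if __name__ == "__main__":
    findings, rejected = audit_sample()
    for system, finding in findings:
        print(f"{system}: {finding}")
    print("unparseable lines:", rejected)
```

Lines that do not parse are returned rather than dropped: a log entry that cannot be read is itself evidence that the incident log is not being maintained to a standard, which is the first bullet on the slide.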
Systems Software
• Establish software used
• Check backup procedures
• Check software security
• Check that recoverability has been tested
• Check software contracts exist
• Check all amendments are recorded
• Check backup copies of software documentation
• Check previous test results
Software Problems
• Check previous problems have been recorded, including the fix
• Check incident logs are maintained
• Check offsite documentation storage
• Check current backup procedures
• Check backups are current
• Ensure all new software is adequately tested
• Check regular testing is done
Testing
• Review all relevant files, charts, meeting minutes
• Review policy objectives
• Review costs, budgets and estimates
• Check progressive nature of test plan
• Check that all previously identified deficiencies have been remedied
• Investigate inefficiencies highlighted in testing
• Test prioritization
• Inspect remote sites
Continuity
• Ensure responsibility for plan maintenance
• Ensure management kept informed
• Ensure master copy of plan is secure
• Ensure distributed copies are kept up-to-date, available but secure
Polling Question 6
Remember
• It could be a corporate survival plan
• It is not one person's plan
• Management commitment is required
Questions?
• Any questions? Don't be shy!
Coming Up Next
IT AUDIT BASIC
5. IT Fraud and Countermeasures May 12
IT AUDIT ADVANCED
1. Advanced IT Audit Risk Analysis for Auditors May 19
2. Advanced IT Audit Securing the Internet May 21
3. Advanced IT Audit IT Security Reviews May 26
4. Advanced IT Audit Performance Auditing of the IT Function May 28
5. Advanced IT Audit Managing the IT Audit Function June 2
Thank You!
Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates, 970-291-1497
Jim Kaplan, AuditNet LLC®, 800-385-1625