Developing and Implementing a Business Continuity Audit Program
Dr. Robert E. Davis obtained a Bachelor of Business Administration in Accounting and Business Law, a Master of Business Administration in Management Information Systems, and a Doctor of Business Administration in Information Systems Management from Temple, West Chester, and Walden University, respectively. Moreover, during his twenty years of involvement in education, Dr. Davis acquired Postgraduate and Professional Technical licenses in Computer Science and Computer Systems Technology. Dr. Davis also obtained the Certified Information Systems Auditor (CISA) certificate — after passing the Information Systems Audit and Control Association’s rigorous three-hundred-and-fifty-question multiple-choice examination in 1988 — and was conferred the Certified Internal Controls Auditor (CICA) certificate by the Institute for Internal Controls.
Since starting his career as an information systems (IS) auditor, Robert has provided data security consulting and IS auditing services to corporations as well as other organizations, in positions ranging from staff through management. Before engaging in the practice of IS auditing and information security consulting, Robert (as a corporate employee) provided inventory as well as general accounting services to Philip Morris, USA, and general accounting services to Philadelphia National Bank (Wells Fargo). Furthermore, he has prior experience as a freelance writer of IT audit and information security training material.
Dr. Davis received recognition as an accomplished, energetic auditor, author, and speaker with a sound mix of experience and skills in monitoring and evaluating controls. Based on his accomplishments, Temple University's Fox School of Business and Management Alumni Newsletter, as well as The Institute for Internal Controls e-newsletter, featured Dr. Davis. Furthermore, he is an Advisory Board Member of The Institute for Internal Controls, the inaugural Temple University CISA in Residence, and a founding member of the Temple University Master of Science in IT Auditing and Cyber-Security Advisory Council. Last, he accepted invitations to join Delta Mu Delta International Honor Society, the Golden Key International Honour Society, the Thomson Reuters' Expert Witness List, the IT Governance LTD expert panel, as well as the International Association of IT Governance Standards honorary membership group.
Organizational units exist for various reasons. Nevertheless, governance focused on business perpetuity and reliability should address the strategic-to-operational transformations that enable adequate continuity management. When threading down from the first-tier ‘Governance Tree’ level, the linked leaves are inextricably affected by external forces. Consequently, an organizational formation’s continuity depends on relevant, accurate, and timely assessments of the external environment to drive appropriate governance.
Business continuity is a comprehensive managed effort to prioritize key business processes, identify significant threats to normal operations, and plan strategies that ensure effective and efficient organizational responses to challenges arising during and after a crisis. Consequently, business continuity planning encompasses processes for developing advance responses to service interruptions in such a manner that critical business functions continue at expected levels. Sub-categorically, disaster recovery planning typically ranks as a vital business continuity component, referring to the technological aspects of planning and organizing necessary to minimize potential losses and ensure critical business functionality if catastrophic circumstances materialize. A useful business continuity capability is essential; however, for most entities, being able to recover IT is fundamental.
Continuity management of information technology service processes should minimize the adverse effects of disastrous and unpredictable events while focusing on sustaining core business processes. Specifically, major management tasks should include defining requirements and strategies for information technology continuity, defining measures and continuity plans for information technology services, managing continuity procedures, and managing continuity and recovery in an emergency. Service continuity controls ensure that, when unexpected events occur, imperative operations continue without interruption or are promptly resumed, and critical as well as sensitive data remain protected.
Management, especially information security management, cannot establish an adequate safeguarding posture unless root expectations are understood and potential threats, weaknesses, and opportunities are appropriately addressed. Towards this end, entity oversight committee members — mainly non-executive directors — should satisfy themselves that effective, efficient, and compliant processes for business continuity and IT availability have been deployed.
Arguably, establishing a robust preparedness capability is one of the best investments an entity can pursue. Nonetheless, auditors should provide assurance, based on a thorough risk assessment, that the entity’s resiliency efforts are operationally ready to respond when required. Beneficially, IT audits of business continuity and disaster recovery plans can help ensure proper attention to the information assets supporting an entity’s operations.
A well-planned, properly structured audit program is essential to evaluate risk management practices, control systems, and compliance with policies concerning information technology-related risks at institutions of every size and complexity. Effective audit programs are risk-focused, promote sound information technology controls, ensure the timely resolution of audit deficiencies, and inform the board of directors or highest-level oversight committee of the effectiveness of risk management practices.
During this webinar, Dr. Davis will give an overview of Business Continuity and what an audit encompasses. Dr. Davis will also discuss primary business continuity audit program considerations. Moreover, Dr. Davis will address information gathering associated with a business continuity audit during audit program construction. Lastly, Dr. Davis will respond to all questions posed during the live webinar.
Cost-effective strategies should be designed to prevent, detect, and/or mitigate the impact of potential crises. Reducing system vulnerabilities is typically achievable by identifying and then remediating single and combined points of failure in the configuration. The various resources that can contribute to the remediation process should be identified as continuity enablement factors. Documenting these resources (including essential personnel with their roles and responsibilities, information, applications, and infrastructure) in a plan demonstrates a commitment to continuity.
- Challenges of business continuity planning in today’s volatile threat landscape
- Key elements of crisis management response
- How a Business Continuity Plan differs from a Disaster Recovery Plan
- Significant components for developing a Business Continuity Audit Plan
- Acquiring appropriate business continuity audit evidence
- Recommendations for analyzing a Business Continuity Plan
- Communications development before, during, and after a Business Continuity Audit
Course Level - Advanced
Who Should Attend
- Operations Managers
- Vendor Managers
- Disaster Recovery Engineers
- Call center representatives
- Business Continuity Team members
- Information Security personnel
- Chief Security Officer
- Risk Managers
- Chief Information Officer
- Chief Operations Officer
- Information Security Managers
- Information Security Engineers
- Technology Managers
Why You Should Attend
Considering that information systems are generally critical to enhancing productivity, it is imperative that deployed information technology (IT) provides availability and service responsiveness sufficient to meet user demand, even during crises. Entity susceptibility as well as IT operational resiliency affect how speedily and systematically efficiency, effectiveness, availability, and compliance requirements can be restored. Furthermore, neither business nor IT resides within a static environment. Thus, environmental dynamics can generate change that alters system activities, requiring timely response and restoration to ensure continuous service delivery.
Regardless of organizational formation (e.g., corporation, partnership, co-operative, or agency), management has a generally accepted duty to plan and enact strategies permitting the entity’s survival under less than ideal conditions. Adequate business continuity management requires securing the assets that offset catastrophic events. Therefore, management should ensure that ‘best practices’ disaster recovery planning is deployed within the IT and information security governance frameworks, and should visibly communicate its commitment to sustaining a sound and effective continuity program. Directly, an entity’s disaster recovery plan has a significant effect on the viability of its IT and information security governance programs. Indirectly, those IT and information security governance programs may affect the entity value assessed by stakeholders.
Threats to an entity’s existence manifest in diverse forms, including disruptions, emergencies, crises, or disasters. Any one of these incidents or events can jeopardize the data processing services sustaining mission-critical operations. Unavailable business information systems can diminish efficiency, erode effectiveness, hinder compliance, and idle employees. As a result, entities should regularly examine their business continuity, disaster recovery, and backup plans to ensure that the operational requirements for service restoration are adequately forecast.