Copy 1 ss540 audit guide 201214 rar bia rs plan
Transcript

  • 1. Standardised Audit Program: Risk Analysis and Review
    Source: copy1ss540auditguide201214rarbiarsplan-110224004807-phpapp01.xlsx, 2/23/2011
    Each item gives the item number, the clause audited, the BCM component (Policies, Processes, People, Infrastructure) and the audit question. The Yes / No column and the "Specific comments regarding deficiencies / effectiveness" column are blank in the source and are filled in by the auditor.

    1. [5.1 | Policies / Processes] Are internal and external risk events and impacts identified and reviewed by all business units and their operational processes?
    2. [5.1 / 5.2.2 | Policies] How is this done, and are records available for audit?
    3. [5.1 | Policies] Are both qualitative and quantitative impacts evaluated? Are records available?
    4. [5.2 | Policies] Is a procedure for the identification of external and operational risks established and available?
    5. [5.2.1 | Policies] Has the BCM committee reviewed the findings and recommendations of the risk analysis efforts and selected appropriate cost-effective treatment?
    6. [5.2.3 | Policies] How are identified risks treated, and are the treatments documented?
    7. [5.2.4 | Policies] Is a list of potential disasters established, and which one is selected as the most probable disaster?
    8. [5.2.5 | Policies] Is risk analysis carried out consistently across all business units? Are records of the analysis available for all business units?
    9. [5.2.6 | Policies / People] Are the people involved in or responsible for risk analysis competent? Are training records available for the training conducted?
    10. [5.4.2 | People] Are the roles and skills of the essential staff and external parties needed identified, established and documented?
    11. [5.5 | Infrastructure] Has risk review and analysis been performed on critical equipment and facilities? Are risk treatments available for all identified risks?
  • 5. Standardised Audit Program: Business Impact Analysis

    1. [6] Was the BIA process completed?
    2. [6.1] Was the BIA conducted on a periodic and systematic basis, i.e. at a pre-determined frequency?
    3. [6.1] Are there any business or technology changes that require a review of the BIA?
    4. [6.2 | Policies] Are there policies to govern the assessment of losses due to interruptions to business operations or processes?
    5. [6.2.1 | Policies] Is the MBCO of the organisation clearly stated and documented by Executive Management?
    6. [6.2.1 | Policies] How is the MBCO clearly defined and approved by Executive Management?
    7. [6.2.1 | Policies] Are there any significant internal or external changes, especially in legal or contractual requirements, that require a review of the MBCO?
    8. [6.2.2 | Policies] Is there a BCM Steering Committee?
    9. [6.2.2 | Policies] Is there a list of potential threats and risks for each business unit for review by the BCM Steering Committee?
    10. [6.2.2 | Policies] Is the list reviewed by the BCM Steering Committee?
    11. [6.2.2 | Policies] Is the list of CBFs produced and prioritised by the Committee?
    12. [6.2.2 | Policies] Is the list of CBFs the decision of the Committee?
    13. [6.2.2 | Policies] Are there any discrepancies in the CBFs between the Business Unit Head and the BC team?
    14. [6.2.2 | Policies] Have the CBFs been prioritised?
  • 6. Standardised Audit Program: Business Impact Analysis (continued)

    15. [6.2.2 | Policies] Is the prioritised list reviewed and approved by the BCM Steering Committee?
    16. [6.2.2 | Policies] Has the recovery prioritisation of CBFs been done in conjunction with the allocation of resources?
    17. [6.2.3 | Policies] Are there policies to ensure that the MBCO complies with legal and regulatory requirements?
    18. [6.2.4 | Policies] What is the expertise level of the personnel undertaking the BIA?
    19. [6.2.4 | Policies] Do the CBFs support the MBCO?
    20. [6.2.5 | Policies] Which considerations take priority when analysing the impact of risk on CBFs?
    21. [6.2.5 | Policies] Has the recovery priority been established and approved together with the allocation of resources?
    22. [6.2.5 | Policies] Are workplace safety and health considerations taken into account in the prioritisation of the CBFs?
    23. [6.2.5 | Policies] Are legal and regulatory requirements considered in the prioritisation of CBFs?
    24. [6.2.5 | Policies] Are quantitative or qualitative impacts considered when assessing the impact of risk on the CBFs?
    25. [6.3 | Processes] Are there processes established to identify the different disruptions to business operations and functions?
    26. [6.3.1 | Processes] Is each individual BU identified by: name and description? processes employed? supporting systems? special skills and expertise required? resource requirements?
  • 7. Standardised Audit Program: Business Impact Analysis (continued)

    28. [6.3.1.1 | Processes] Are the operational constraints of each Business Unit's CBFs provided?
    29. [6.3.1.2 | Processes] Has each BU identified the minimum level of services that must be provided to support the organisation's MBCO?
    30. [6.3.2 | Processes] Has an assessment of the CBFs been done?
    31. [6.3.2.1 | Processes] Have inter-dependencies on internal and external parties been identified?
    32. [6.3.2.2 | Processes] Have alternate processes been examined and documented?
    33. [6.3.2.3 | Processes] Has documentation been produced for all the CBFs and processes, i.e. SOPs, flowcharts, manuals?
    34. [6.3.3 | Processes] Have the RTO and RPO of each CBF been determined? Are the following areas considered in establishing the CBF priorities: potential loss impact? parallels and interdependencies? RTO/RPO?
    35. [6.3.5 | Processes] Have the processes for the identification, categorisation and prioritisation of vital records been established for each CBF process?
    36. [6.3.6 | Processes] Are the processes for data collection in the BIA phase kept?
    37. [6.4 | People] Have key personnel been identified for participation in the Business Impact Analysis?
    38. [6.5 | Infrastructure] Are the probable impacts on existing infrastructure identified and assessed? Are the facilities required for each CBF identified?
  • 8. Standardised Audit Program: Business Impact Analysis (continued)

    39. [6.5 | Infrastructure] Have the key personnel participated in and been consulted on the BIA?
    40. [6.5.1 | Infrastructure] Has an IT inventory for the CBFs been completed?
    41. [6.5.1 | Infrastructure] Is the available BC IT inventory able to support the MBCO?
    42. [6.5.2 | Infrastructure] Are the facilities required to support each CBF identified?
  • 9. Standardised Audit Program: Strategy

    1. [7.1 | Scope] What is the scope of the Recovery Strategy?
    2. [7.2 | Policies] What are the policies guiding the evaluation of recovery strategies?
    3. [7.2.1 | BCM Steering Committee] Does the BCM Steering Committee review and approve the recommended BCM strategies?
    4. [7.2.1 | BCM Steering Committee] Does the BCM Steering Committee formulate the organisational recovery strategy based on probable disasters and CBFs?
    5. [7.2.2 | Strategy Formulation] Was the strategy formulated, based on the risks faced by the CBFs, from one or a combination of the following:
       a. Revert to alternate processing capability;
       b. Arrange reciprocal arrangements, e.g. with another organisation in the same industry;
       c. Establish an alternate site or business facility;
       d. Arrange for an alternate source of supply, e.g. of raw materials;
       e. Outsource to external vendor(s);
       f. Transfer operation(s) to subsidiary business units;
       g. Rebuild from scratch after the disaster;
       h. Do not take any action.
    6. [7.2.2 | Strategy Formulation] Is a set of guidelines established to guide the decision-making process for the above strategy?
  • 10. Standardised Audit Program: Strategy (continued)

    7. [7.3 | Processes] Does the BCM Steering Committee undertake the following activities based on the feedback from business units with CBFs?
       a. Deliberate on the recovery strategies for the various CBFs and formulate an organisational recovery strategy in conjunction with probable disasters; and
       b. Consolidate the recovery requirements based on the organisational recovery strategy into contract specifications.
    8. [7.3.1 | Recovery Strategy Requirements] Are there processes, for a given recovery strategy, to determine the following requirements:
       a. Skill set required by supporting staff;
       b. Technology and equipment;
       c. Facilities;
       d. Off-site storage and alternate site(s); and
       e. Alternate processing capabilities.
    9. [7.3.1 | Recovery Strategy Requirements] Were the non-technology continuity issues for each support service of the CBFs reviewed?
    10. [7.3.2 | Recovery Strategy Evaluation Criteria] Has a set of criteria been established to guide the evaluation of the appropriate recovery strategy for each CBF?
  • 11. Standardised Audit Program: Strategy (continued)

    11. [7.4 | People] Does the organisation have an adequate number of staff with the relevant skill set to support the organisational recovery strategy?
    12. [7.4 | People] Has alternate infrastructure been examined where the existing infrastructure is inadequate to support the recovery strategy?
    13. [7.5 | Infrastructure] Is the organisation capable of providing the necessary infrastructure to support the organisational recovery strategy?
    14. [7.5.1 | Technology and equipment] Is there a review of existing technology and equipment?
    15. [7.5.1 | Technology and equipment] Has a list of technical specifications for the technology and equipment been specified?
    16. [7.5.2 | Facilities] Have the existing facilities been reviewed?
    17. [7.5.2.1 | Alternate Processing] Does deliberation on the facilities used to support alternate processing include the following considerations:
       a. Acquisitions;
       b. Mutual agreement;
       c. Outsource to external vendors; and
       d. Manual workarounds.
    18. [7.5.2.2 | Alternate facilities outsourcing] Have the criteria to guide the selection process for alternate processing vendors been established?
  • 13. Standardised Audit Program: BC Plan

    1. [8.2 | Policies] Are a policy and process established and documented to govern the development of BC plans?
    2. [8.2.1 | Policies] Are the BC Plan, and subsequent changes to it, reviewed and approved by the BCM Steering Committee?
    3. [8.2.2 | Policies] Is an Emergency Operations Centre set up, are the associated conditions for its operation and closure established, and is its head appointed?
    4. [8.2.5 / 8.2.6 | Policies] Is a policy governing emergency response and the priority of actions to be carried out established and documented?
    5. [8.3 | Processes] Are formal processes established for each component of the BC plan to determine their requirements?
       1) Pre-incident preparation
       2) Initial damage assessment
       …
       13) BC plan distribution and control
    6. [8.4 | People] Who are the people on the BCM Steering Committee? Are roles and responsibilities established and documented, including:
       8.4.2) BCM Coordinator
       ..
       ..
       8.4.8) Damage Assessment Team (DAT)
    7. [8.4.9 / 8.4.10 | People] Is a procedure established to manage appropriate medical attention, the assembly area and personnel safety?
  • 14. Standardised Audit Program: BC Plan (continued)

    8. [8.4.11 | People] Is a contact list for key personnel drawn up and maintained?
    9. [8.5 | Infrastructure] Does the BC plan address the requirements needed to operate and maintain all the infrastructure components, to ensure that the CBFs can continue within the planned levels of disruption?
    10. [8.5.1 | Infrastructure] Are critical and general equipment / supplies, as well as communication requirements, established and documented?
    11. [8.5.2 | Infrastructure] Are EOC and alternate site requirements identified and documented?
  • 15. Standardised Audit Program: Testing and Exercising
    (No audit items are filled in for this section in the source.)
  • 16. Standardised Audit Program: Programme Management
    (No audit items are filled in for this section in the source.)