
GTAG —  Executive Summary
asset damage. Crisis management (CM) focuses on managing external — and in some companies, internal — communications and senior management activities during a disaster. Even in an environment where ER and CM are mature and effective, BCM may remain inadequately addressed. BCM capabilities are focused on the recovery of critical business processes to minimize the financial and other impacts to a business caused during a disaster or business disruption. BCM must be integrated with ER and CM but should be a separate program.
The bottom line is that the CAE should be able to answer the following three simple and important questions related to business continuity:

1. Does the organization’s leadership understand the current business continuity risk level and the potential impacts of likely degrees of loss?
2. Can the organization prove the business continuity risks are mitigated to an approved acceptable level and are recertified periodically?
3. If an unacceptable business continuity risk exists but executive management has decided to assume the risk, are the organization’s owners, business partners, and other constituents aware that management has decided not to mitigate the risk? Also, has the decision to accept the risk been properly documented?

If the answer to any of these questions is “no,” this GTAG can help. Specifically, this guide aims to help CAEs understand the BCM program, risks, and controls and to prepare them with information for executive- and board-level discussions. The value of this GTAG is that it provides a high-level summary in straightforward business language for executive readers and detailed guidance for internal auditors in audit assessments. This GTAG focuses on how BCM, as a program or framework, is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning (DRP) for continuity of critical information technology infrastructure and business application systems, because many business functions are predominantly automated. This will help the CAE establish the basis for exercising an effective assessment and reporting key information to stakeholders.
