Page 578 - ITGC_Audit Guides
Assessment Objective: Compliance Monitoring & Auditing

Maturity Evaluation

The table on this page is a process-maturity matrix. Each row is one PROCESS MATURITY level, from Optimizing (highest) to Initial (lowest); the two columns are "Characteristics of Capability" (what an organization at that level looks like) and "Method of Achievement" (how that level is typically reached).

PROCESS MATURITY: Optimizing

Characteristics of Capability: Internal auditing, risk management, and the general counsel all review plan documentation on a regular basis and also sponsor third-party audits of BCM capabilities, including testing activities. The organization engages in industry discussions regarding regulatory compliance and regularly reviews benchmarking analyses. A risk assessment and BIA are performed and regularly refreshed to ensure that plans reflect business reality and the regulatory environment.

Method of Achievement: Proactive contact is maintained with regulatory bodies. A dedicated team leads BCM activities supported by a cross-functional business and technology team, which includes internal auditing and outsource providers for specialized services. A risk assessment (by location) and BIA (by process) should be conducted and used as the foundation for building plans. They should also be refreshed periodically.

PROCESS MATURITY: Managed

Characteristics of Capability: Cross-functional teams, including the general counsel and internal auditing, perform regular assessments of business conditions and regulatory requirements. Internal auditing, risk management, and the general counsel also review plan documentation, in some capacity, on an annual basis. A risk assessment and BIA are used to ensure that plans reflect business reality and focus on the most likely and severe risks and impacts.

Method of Achievement: A dedicated team leads BCM activities supported by a cross-functional business and technology team, which includes internal auditing and outsource providers for specialized services. A risk assessment (by location) and BIA (by process) should be conducted and used as the foundation for building plans. They should also be refreshed periodically. Internal auditing focuses on BCM program execution as opposed to plan content.

PROCESS MATURITY: Defined

Characteristics of Capability: Regulations related to BCM are considered and incorporated into BCM plans. The responsibility to monitor the regulatory landscape resides with the general counsel, who communicates with the BCM steering committee. Internal auditing monitors the plan maintenance process and influences when regulatory changes warrant updates to the documentation. A risk assessment and BIA that consider the regulatory environment have been performed within the past two years.

Method of Achievement: A small, cross-functional team is in place, and the internal audit function is actively involved in the actions of this team. A risk assessment (by location) and BIA (by process) are conducted and used as the foundation for building plans and identifying the impact of regulation on plan development.

PROCESS MATURITY: Repeatable

Characteristics of Capability: Regulations related to BCM are considered and incorporated into BCM plans when financially practical. Internal auditing reviews the relevance of the documentation in accordance with a long-term audit plan and may request evidence of plan testing.

Method of Achievement: Internal auditing, risk management, or the general counsel shares regulatory updates with the BCM team or those responsible for BCM.

PROCESS MATURITY: Initial

Characteristics of Capability: Regulatory requirements or industry standards related to BCM are seldom considered and incorporated into BCM plans, or are viewed as too costly to implement. Internal auditing's attention does not extend beyond ensuring traditional IT disaster recovery plans are documented.

Method of Achievement: An IT disaster recovery planning process exists. An internal audit function is in place, and disaster recovery is in the annual or bi-annual audit plan.