Business Continuity Management Audit/Assurance Program

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.

This audit/assurance program assists the audit and assurance professional in designing and executing a review. The continuity planning audit/assurance review will:

• Provide management with an evaluation on the enterprise's preparedness in the event of a major business disruption
• Identify issues that may limit interim business processing and restoration of same
• Provide management with an independent assessment of the effectiveness of the business continuity plan and its alignment with subordinate continuity plans

This audit program is not IT-focused. The scope of this audit/assurance program is significantly wider than the IT continuity plan. The review will focus on the enterprise business continuity plan, policies, standards, guidelines, procedures, laws and regulations that address maintaining continuous business services, including:

• Development, maintenance and testing of the business continuity plan
• Ability to provide interim business services and the effective and timely restoration of same
• Risk management and costs related to the business continuity plan