Audit and Assurance

Expand all | Collapse all

DRP - questions to ask

  • 1.  DRP - questions to ask

    Posted 28 Mar, 2020 01:53
    We have established the need to consider pandemics as part of DRP and BCP. In supprt, what are some of those questions to ask audited entity's in planning audits- starting from the March year ends?

    Rumbidzai Mhuka
    Assistant Manager Information Risk Management

  • 2.  RE: DRP - questions to ask

    Posted 30 Mar, 2020 05:41
    A few guidelines below- specific to COVID

    ​COVID – Initial Measures
    Implement fundamental emergency measures for the current situation
    Implement all the recommendations from WHO, CDC etc.
    Benchmark of introduced measures within your industry
    Employee travel restrictions or travel ban

    COVID – infrastructure risks
    Check the readiness of infrastructure and other services (SaaS etc.) for the higher load of employees working remotely
    Check if the corporate systems can be managed remotely without the physical presence of IT employees (Operations, Support etc.)
    Map single points of failure in the infrastructure in case of remote operations, design countermeasures
    Define the responsibilities of suppliers according to SLAs in case of emergency situations, draft any required amendments
    Set up sufficient IT support for remotely working employees
    Prioritize access to corporate systems (Management, Top Management priority etc.)

    COVID – cyber risks
    Check security and monitoring of applications for remote access
    Test applications for remote access (VPN etc.) + patches, hardening
    Perform Awareness campaign for specific cases of social engineering attacks in communication related to crisis

    COVID – employee risks
    Analyze key roles that require on-site access, plan a backup plan in case of their absence (e.g. substitutability)
    Design measures to help employees with management of stress and stressful situations
    Arrange a method of assigning and distributing employees at various levels of operational reduction
    Set up access for employee mobility (division of shifts, transport, etc.)

    COVID – business and operational risks
    Map single points of failure within the organization (processes, employees, technologies) and draft countermeasures
    Establish emergency measures and organizational instructions in order to ensure continuity of operations according to the level of risk
    Set up reaction plans (procedures, allocation of employees, tools and other resources)
    Prepare for issues in the supply chain
    Make arrangements for work that cannot be done remotely
    Prepare for the need to close down office or business premises
    Stabilize the organization for the event of a significant impact on its economy (Plan for optimization of costs, processes and portfolios)
    Prepare scenarios, plans and measures to restore business operations (disaster recovery plans)

    COVID – communication risks
    Set up a mechanism of communication with employees (positive), partners, suppliers, authorities, and the public

    Vikram Raghuveer
    Manager-IT and internal audits

  • 3.  RE: DRP - questions to ask

    Posted 01 Apr, 2020 04:22
    Hello Rumbidza,

    Vikram has provided a very comprehensive response. Additionally, you should ask with regard to the Pandemic Plan
    Have the priority lines of activity protected by identifying risks to those and appropriately mitigating them?
    Have the risk relating to supply chain and key supplies or vendors identified and risk mitigated?
    Is there an established command & control structure with key roles & responsibilities defined?
    Has the pandemic plan tested?



    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.

  • 4.  RE: DRP - questions to ask

    Posted 19 Apr, 2020 07:16
    Hello, Vikram's reply is pretty complete. i will say do not forget to continuously communicate and to explain what any government decision or competitor decision means for the company and for the teams to avoid any internal hysteria.

    Zineb Gridda
    Senior IT Auditor

  • 5.  RE: DRP - questions to ask

    Posted 23 Apr, 2020 03:55
    An interesting post regarding maintaining Data Privacy may also be considered.

    Read the post here: Privacy and Respect Under COVID-19

    Anurag Sureka
    Senior Consultant

  • 6.  RE: DRP - questions to ask

    Posted 23 Apr, 2020 04:18
    Thanks, Anuraj for sharing the journal article with the caption, ' privacy and Respect under COVID-19'

    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.