IT Continuity Planning Audit/Assurance Program 



The audit/assurance programs reflect the IT Assurance Framework (ITAF) sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes and 3800—IT Audit and Assurance Management and were developed in alignment with the Control Objectives for Information and related Technology (COBIT®)—specifically COBIT 4.1.

Objective—The IT continuity plan audit/assurance review will:
  • Provide management with an evaluation of the IT function’s preparedness in the event of a process disruption
  • Identify issues that may limit interim business processing and its restoration
  • Provide management with an independent assessment relating to the effectiveness of the IT continuity plan and its alignment with the business continuity plan and IT security policy

Scope—The review will focus on the IT continuity plan and its alignment with the enterprise business continuity plan, policies, standards, guidelines, procedures, laws and regulations that address maintaining continuous IT services. This will address:
  • Development, maintenance and testing of the IT continuity plan
  • Ability to provide interim IT services and to restore them
  • Risk management and costs related to the IT continuity plan

The review relies on the existence of a business continuity plan. Policy, standards, guidelines and implementation of the business continuity plan are outside the scope of this review.

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.