IT Audit in Practice: Survival When You Are Small—Business Continuity and Resilience

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 30 April 2021

We have all been through a lot. The pandemic has built a new working model, changing leadership perceptions on how and where work can be performed. The intricate plans that many enterprises tested on an annual basis in line with business continuity turned into a semi-permanent primary work strategy. Organizations have not only adapted, they have embraced the new remote model, reconsidering real estate footprints and managing a more flexible workforce that is unencumbered by the uncertainties of commuting. Although both large and small enterprises have adjusted, the smaller organizations with fewer resources have faced an equal or greater shift. Everyone needs a resilient operating model, and the pandemic has been the reality check showing how necessary it is to plan.

While large enterprises have structured approaches to business continuity planning (BCP), starting with business impact analysis (BIA) and culminating in disaster recovery (DR) testing and gap remediation, smaller enterprises do not often execute the same rigor around a planning regimen. You may be part of a small business wearing many hats, from planning and development to quality control or from risk analysis to systems audit. Or you may be an independent auditor, providing support to small businesses. Business continuity may be something you see small businesses pursue with diligence, or you may have small business experience that resonates with a looser set of emergency plans. Even if you are an IS auditor or risk assurance specialist in a large enterprise, BCP/DR is even more important now than only a couple of years ago. In this discussion, a small business that continues to manage through these changing times serves as a case in point for BCP/DR for any size enterprise and how you, as an IS auditor or risk assurance professional, can provide needed structure in support of business resilience.

Case Study: The Brookes Group

The Brookes Group1 is not the “mom and pop” shop one typically thinks of from a small business perspective. With a handful of employees, the business provides engineering design and operational support for the packaging industry with a specialty in glass packaging. Working in the international environment, the company’s clients range from well-known businesses to lesser-known brands. Its marketing strategy is a consultative service offering that allows clients to either take the design back in-house or to outsource back to the Brookes Group for turnkey management. As opposed to a locally sourced small business, the Brookes Group deals with application/network needs and distribution channel/supply chain requirements on a global basis. Business resilience is just as complex, only on a smaller scale than in large organizations.

When asked what the major impacts are from a continuity perspective, however, the primary focus, even after almost 25 years, rests on the broad theme of financials, covering supplier inventory costs and expense coverage from initial proposal to completed design. When asked again about key risk factors in the case of a service interruption, the conversation goes to people. Whether the business owner speaks about the in-house engineer or the spouse who handles the financial float, reliability hinges on trust in people that fosters good quality and a solid reputation for the company.

The small business owner often does not have the luxury of thinking tactically about BCP/DR. Instead, entrepreneurs often follow a do-it-yourself (DIY) philosophy without documented plans in place that outline what to do when things go wrong. The Brookes Group has been generally fortunate over time, despite having an office in a remote rural setting and despite limitations on shifting work to others if the primary employees are not available or cannot access the tools they need to perform their jobs. Despite the recent wake-up call the pandemic presented to all of us, many small businesses are not documenting or believe they cannot document and execute continuity planning/testing with the handful of resources they have. Furthermore, BCP/DR may not be seen as a top priority at the detailed nuts and bolts level that is the backbone of successful continuity planning.

Staying Focused on What Matters for BCP

What really matters, after all, with business continuity? It comes down to two goals: safety and keeping the lights on. But operationalizing a safe environment varies from enterprise to enterprise regardless of size, despite common principles for avoiding business-impacting hazards and promoting health, fire and other safety practices. Keeping operations going is all about what a business relies on to meet its goals. Everyone has a unique value-add, or so they hope, to maintain and grow the business.


Business continuity and disaster recovery are where the IS auditor meets the sweet spot on an integrated audit approach in the name of adding value for small and large enterprises alike. The two BCP/DR goals imply reliance on critical systems and applications, but the requirements extend to workforce, alternate locations, vendor evaluation, emergency communications and more. Business continuity and resiliency planning offer the IS auditor the opportunity to be closely linked with the business owners, not just the technology groups, because when it comes to safety and keeping the lights on, everyone has to be all-in for it to work.

The BCP/DR scope turns out to be business size agnostic. The challenge for the IS auditor working with the entrepreneur is to obtain a solid understanding of business drivers from the owner and key personnel before conducting process walk-throughs. An accurate scope of work depends on drawing out the key priorities, risk impact areas and operational dependencies as early in the scoping process as possible. The pre-scope development discussion can be used with an interview-style approach to help draw out the “day in the life of the business” components, where critical operations can be determined and priority/criticality to the business understood. A structured interview style is best to understand not only the passion the business owner will share, but to garner the less exciting but very crucial operational elements of how things run. In cases where BCP is “in the heads” of the owners instead of captured in documentation, the IS auditor’s interview helps frame BCP requirements and leads to documentation and audit results. Some interview questions to consider when conducting the pre-scope development discussion with the small business owner are shown in figure 1.

With a completed interview in hand, the auditor can prepare a scope that complements the business owner’s objectives of marketing success while ferreting out the details on how things work. Whether done at the small or large scale, review and buy-in from the business process owner and/or business owner starts the conversation on priority functions, risk assessment and key requirements to maintain resiliency.

Interview With the Brookes Group

The interview prior to scope development with the Brookes Group identified a few key areas:

  • Workforce and strategic supplier-clients
  • Design applications
  • Quality parts and materials inventory

The business model started on a foundation of reputation. As a former executive working for a large player in the packaging industry, the business owner recognized that subject matter expertise was everything and establishing the business quickly was critical before the expertise was viewed as stale. Survival was not about systems or applications, but instead about getting out to potential clients to build a base of business. Thus, once the fledgling business could afford it, the administrative assistant role became the critical business enabler to seeing clients. The business continuity focus on critical personnel remains the top priority today.

Other priorities grew as the business evolved. Network connectivity was important but not critical as long as the phone functioned to call clients.

Engineering applications to enable packaging design were important but viewed as more of a commodity given the availability of other similar and accessible applications. Information did not need to be on demand; therefore, network and application resilience requirements were not as stringent from a recovery time objective (RTO) perspective. Over time, however, the priority of supplier-client reliability, along with the network connectivity, infrastructure and systems used, became paramount. Today, the quality of a supplier and the risk taken on by the supplier, whether in manufacturing materials or in cybersecurity for design protection, is the point of failure that worries the business owner.

In an interview-style discussion, it has been possible to draw out priorities, risk and the potential impact on the Brookes Group business. The essence of a business impact analysis (BIA) has been garnered and requirements for a focused business continuity plan can be derived to cover the following areas:

  • Critical personnel/workforce
  • Key systems and applications, with the required time to restore quantified as a discrete time
  • Supplier reliability
  • Supplier risk metrics
  • Emergency preparedness for personnel safety

Business Continuity Process Walk-Through

Moving to the next step of process walk-through can help the IS audit/assurance professional determine the differences between the initial business conversations and operational reality. In a small enterprise it may mean conducting a “test of one” by watching the owner perform the activities that make the business run or, if staff is involved, it may mean walking through the process with the actual process owner to uncover the steps that produce a final revenue-producing outcome. How does the test of one make the audit engagement more accurate? Business and process owners, especially entrepreneurs, usually have knowledge of what goes on day to day. As business grows or strategies become more complex and others join the team, the detail level know-how can slip away from the owner, who by her or his success needs to step away from tactical execution. In the case of the Brookes Group, the owner’s focus was and is on client contact. The ability to be on the road building and maintaining relationships may mean time away from core operations. As much detail as the interview may have uncovered, the test of one is the proof of the present operational environment. With a random example selected of a key process, the IS audit/assurance professional can observe what happens in a live scenario, asking questions and comparing notes to the original interview material. It is not uncommon for key operational steps, systems, materials or personnel to emerge as crucial components, even though the interview did not identify all activities.


Availability of process documentation is a critical component of a successful walk-through, especially in a supplier-reliant model like the Brookes Group. Sketchy or missing work instructions easily translate into misunderstandings between parties and increase the potential of service incidents that can become business-impacting outages. Critical documentation is not just business-based but supplier-based as well, and a thorough audit review of how the business documents processes handled by suppliers and how suppliers translate that into their own work instructions can help identify potential BCP gaps.

Here are the key points, all of which enable the BCP:

  • The pre-scope interview has given the auditor the opportunity to listen to the business owner’s vision and how they have built a viable product or service. Key interview questions help clarify critical business components into risk impacts if something were to go wrong.
  • People, suppliers, systems, applications, etc., can be evaluated based on risk to the business and assigned to continuity priorities.
  • Risk categories should include risk to reputation, risk to financial health, risk of client impact and risk of missing regulatory requirements. Consistent priority values can be assigned on an A, B, C basis to channel funding and attention to the highest value components.
  • Examination of enterprise and supplier documentation can reveal whether the priorities and risk characteristics for each key component and business driver align with what happens on the floor in the operations environment.

When the plans are verbal, or outlined only instead of fully explained, the IS audit and risk management professional has the opportunity to encourage and recommend documentation frameworks.


BCP/DR Audit Value for the Small Business

Does the Brookes Group have a documented plan and does it use audit professionals? Yes and no. The sense of DIY overrides the concern for having written backup plans, and the view maintained by the business owner is that an audit of the core business (i.e., administrative assistant, engineer, spouse who manages finances) is not needed. The sentiment changes, however, when considering supplier-clients for the managed service aspect of the Brookes Group’s business. The Brookes Group owner explains that if a client does not decide to take the design engineered by the Brookes Group back in-house and instead decides to hire the Brookes Group for a turnkey managed solution for production, distribution and product delivery, the stakes for success become much higher and more complex for the Brookes Group. Risk now goes beyond the small group in a rural office to global manufacturing facilities and personnel within the client’s company that need to stay true to the integrity of the design with efficient use of high-quality materials and repeatable quality manufacturing processes. To the business owner, taking on new supplier-clients feels like having limited or no control without the support of an objective professional, and that is where audit services and the presence of structured supplier documentation are part of the Brookes Group operational model. Auditing makes the potential relationship more official. The objective “test” of security systems, quality control and materials inventory becomes less risky when the auditor provides expertise on risk, control points and quality adherence.

Does this mean that the “average” small business would not benefit from the BCP structure a risk assurance professional can recommend? The answer is in the perceived value, and that value is made clear starting with the initial interview where the careful listener can turn a die-hard do-it-yourself entrepreneur into a believer in continuity planning and detailed documentation for critical processes.

Building the BCP from a solid BIA is foundational for large and small enterprises. We have discussed the framework that allows for agreement on identification of key processes and concurrence on critical priorities, which enables the next steps of scenario planning and recovery testing. Scenario planning allows business and process owners to develop what-if scenarios against the top priorities. The objective of scenario planning is to allow simulation of an actual impacting event, whether a system outage that results in production downtime, an application issue that results in design miscalculations, a loss of key personnel as has occurred with the pandemic, or the unavailability of work locations due to natural or man-made disasters. Brainstorming among operations owners, including suppliers, is important to construct scenarios that correctly represent impacting outages and what the business would need to have available to recover. Once the dependencies are vetted and verified through the scenario brainstorming process, they can be included in the scenarios that will be used to simulate and test the organization’s ability to recover. Scenario planning and structured disaster recovery testing merit careful consideration, and further study of scenario planning, disaster recovery testing and incident management implications on BCP/DR is recommended.

The focus here has been on the value an integrated audit approach for business continuity planning can bring to the small enterprise owner. Understanding the business, followed by an evaluation of formal documentation and the identification of continuity plan improvement areas during process walk-throughs and the test-of-one methodology, are the key points of a successful foundation for scoping out a BCP/DR review. The IS audit/assurance professional can consider a few questions before finalizing the report back to the business owner. Do the report findings provide achievable opportunities to cover an unexpected event? Were all critical components of continuity planning considered, including emergency preparedness and safety of personnel? Did the audit report recommendations resonate with where the owner sees the business going? Results need buy-in, and recommendations need to be viewed as realistic by the small business owner, both financially and operationally. Suggestions for measuring improvements over time are equally important to demonstrate how to track quantifiable results. When the business owner trusts that the auditor understands the business vision, and is clear about how things work, how money is made and how market share is obtained, the audit report is viewed as complementing the vision, and the BCP/DR suggestions become a worthwhile addition to the overall business plan.


Endnotes

1 The Brookes Group is a fictionalized depiction of an actual small business currently in its 24th year of operation. The company name has been changed and does not relate to any company of the same or similar name.

Cindy Baxter, CISA, ITIL Foundation

Is an assistant vice president at State Street Corporation, Boston, Massachusetts, USA, and a member of its risk assurance team, where she works on the first line of defense for State Street’s Global Markets business unit. Prior to working at State Street, Baxter managed a global application development management (ADM) compliance team at AIG focused on software development life cycle (SDLC), identity and access management (IAM), and IT security screening for AIG’s commercial market segment. Her technical experience comes from her role as IT director of operations at Johnson & Johnson’s global command center and her work in technical sales and engineering at AT&T as a relationship director for several Fortune 100 clients. She is grateful to have learned technology from the ground up and happy to have arrived at a career in audit and risk management, which allows her to leverage her experience across four industries.