
Business Process Audit Guides: Information Technology Management

Process Overview
Information Technology Management

The Information Technology Management Process is aimed at identifying, anticipating and translating information requirements into working information management systems which support and shape the business, including the proper maintenance of the systems once implemented.

1. Process Overview
This document provides a minimum framework for assisting Management in carrying out their Self Assessment Process. The assessment is based on IT-related risks which have been identified and assigned to the following activities:

- Utilising Information Technology
- Managing Hardware and Software
- Application Development
- Infrastructure Services provided by the IMC (Information Management Centre)

As in other self assessment processes in the Concern, there are strong links within each individual activity between risks, adequate safeguards and supporting evidence. These are covered in more detail below. When carrying out self assessment, the answers to the supporting evidence questions will indicate whether the necessary safeguards are in place and are operating effectively to manage the risks.

2. Key Performance / Control Indicators

In addition, the following summary of Key Indicators provides a useful list of monitoring and supervisory measures where trends, variations from targets or plan, or comparisons to others may indicate signs of control problems within Information Technology Management:

- Costs vs. plan per project
- Consultancy costs vs. contract and plan
- Unscheduled downtime of IT hardware / applications
- Utilisation of capacity (CPU, disk, network, printing, etc.)
- Adequacy of system response time
- Action plan based on latest ITORS results
- Daily review of log file statistics
- Action plan from last DRP test
- ISOs' action plan
- User complaints analysis
- ESM / RAXCO results outside IT policy standards
- User survey results

3. Business Process Guide

Business Process: Information Technology Management

Activity: Utilising IT
Risks:
- IT resources do not support business requirements
- Inefficient use of IT
- Opportunities for using latest advances in IT are lost

Activity: Managing Hardware & Software
Risks:
- Appropriate Facilities and Data are not available when required
- IT expenditure is not aligned with IT budget
- Hardware and Software purchases are not compliant with policy
- Data is not accurate and / or complete
- Systems and data are accessed by unauthorised personnel

Activity: Implementation and Development
Risks:
- Projects are mismanaged
- Application not designed with adequate internal controls
- Knowledge and skills are inadequate

Activity: Infrastructure Services provided by the IMC
Risks:
- Responsibilities have not been clearly defined
- Services are not in line with the needs of the company
- A comprehensive Security Concept has not been established

Process: 6. Information Technology Management
Activity: 1. Utilising Information Technology

Risks:
1. IT Resources do not support business requirements
2. Inefficient use of IT
3. Opportunities for using the latest advances in information technology are lost

1. Risk

IT Resources do not support business requirements


1. Safeguard

An IT Strategy, Plan and Steering Committee are established

Establish and maintain an up to date IT strategy and plan that is consistent with the BG (Business Group) and THE COMPANY strategies and plans. Establish an IT steering committee which involves users in the maintenance of the IT strategic plan, optimising investment in and use of IT, and ensure that it supports the company's long range plans.

Supporting Evidence:
- Is there a comprehensive, appropriate and up to date IT strategy and plan? Has it been formally approved?
- Is there an overall business strategy, and does the IT strategy complement the business strategy?
- Is there an IT steering committee representing user groups, responsible for developing and implementing the Information Systems Plan including both hardware and software requirements?
- Are periodic meetings held to review progress and priorities, with minutes and action plans?
- Is there a process in place to get feedback and input from key users and champions?
- Has an application portfolio analysis been performed?
- Have organisational structures and IT changes been analysed?
- Have clear terms of reference and responsibilities been defined?
- Are there agreed and regularly updated project plans in place?
- Have proper approvals been received for all current projects?
- Have project sponsors with sufficient authority been appointed?

2. Safeguard

An Application and Infrastructure strategy is established

Establish a software, hardware and telecommunication strategy and implementation plan which has been approved by the Business Group, supports the business strategy and annual plan, and complies with ITG policies.

Supporting Evidence:
- Is there a business systems strategy and plan with approved priorities?
- Has the business systems strategy and plan been communicated and discussed with Management responsible for the business processes concerned?
- Does the strategy and plan include proper provision for people and capital?
- Are adequate resources provided in line with the strategy and plans?

2. Risk

Inefficient use of IT

1. Safeguard

IT Performance is monitored

Set up to date efficiency and service level targets and monitor performance of the entire installation (network, all platforms, applications, archives, etc.) to ensure a stable, reliable and well-controlled operation.

Supporting Evidence:
- Are Service Level Agreements (SLAs) and standards set and agreed with application owners, and regularly reviewed?
- Is computer, network and system performance monitored, including utilisation of CPU and disk storage and the usage of telecommunications bandwidth?
- Are automatic systems implemented to give warnings?
- Are response time, batch job turnaround time, equipment reliability and abnormally terminated jobs periodically monitored for key applications?
- Does the company differentiate between development/project and running/operational costs and time, and budget for, monitor and report on costs and time?
- Are there procedures for monitoring and analysing user complaints, service levels, updating difficulties, variances from budgets, etc.?

3. Risk

Opportunities for using the latest advances in information technology are lost

1. Safeguard

Developments in technology and industry are monitored

The needs and opportunities for technology in the information area are identified through monitoring business, technical and industry literature and attending seminars, conferences and exhibitions, and ensuring these are consistent with Business Group and ITG guidance.

Supporting Evidence:
- Is the Head of IT of the OpCo fully integrated into the BG (Business Group)'s IT organisation?
- Is IT management attending seminars, conferences and exhibitions?
- Is the OpCo involved in lead IT projects within the BG?
- Are IT literature, newspapers and IT magazines available to all IT staff and management?

Process: 6. Information Technology Management
Activity: 2. Managing Hardware and Software

Risks:
1. Appropriate computing facilities and information are not available when required
2. IT expenditure is not aligned with IT budget
3. Hardware and Software purchases are not compliant with policies
4. Data is not accurate and/or complete
5. Systems and data are accessed by unauthorised personnel

1. Risk

Appropriate computing facilities and information are not available when required

1. Safeguard

Physical access is secured

Provide physical security for complete installations, off-site storage facilities and office computers, and restrict physical access to computer installations.

Supporting Evidence:
- Is there an inventory of leased and owned computer equipment?
- Do invoices for rented/leased computer equipment specify equipment on hand in accordance with rental agreements/contracts, and are they approved by data processing personnel?
- Is there a procedure that specifies which personnel are permitted access to computer operations areas?
- In the event of job termination, is minimal time taken to remove the person from the premises, revoke access to data and computer equipment, have all keys, access cards, etc. returned, and change the appropriate locks, codes, etc.?
- Does the location and security of computer operations include windows with bars or shatterproof glass if accessible from the street?
- Is telecommunications hardware located in a secure place?
- Is a log kept of all telecommunication problems, and if so, are recurring problems identified and followed up?
- Is there insurance coverage in line with Concern policy that is reviewed periodically by a professional, and does it include provisions for fire, smoke and water damage; crime and vandalism; accidents; power shortage and loss; natural disasters; loss of air conditioning; data recovery; operation of the back-up site; and business interruptions?
- Is protection against fire adequate, e.g. extinguishers, sprinklers?
- Is a UPS (Uninterruptible Power Supply) unit installed and regularly tested?
- If there is confidential data on personal computers, are procedures established ensuring adequate physical security?
- Are computers virus-protected?

2. Safeguard

Disaster Recovery Plans exist and are tested

Document and regularly test a disaster recovery plan (as an integral part of the overall business continuity plan), including alternative processing arrangements, the secure storage of up-to-date data and system backups and the re-creation of the original facilities, and evaluate the impact of new or modified systems on this plan and its compatibility with the unit's business.

Supporting Evidence:
- Is there a disaster recovery plan, as part of the unit's business continuity plan, that includes all business processes critical to the business?
- Does it detail the operational steps which need to be taken in the event of a disaster?
- Where a disaster recovery plan is dependent on actions by third parties, do contracts exist and are they complete, so as to ensure timely resumption of service?
- Are back-up data, programs and forms stored in a secure off-site facility?
- Are there copies of all system documentation at the alternate processing site in the event of a disaster?
- Are power facilities adequately secured (generators, etc.)? Are there adequate shut-off devices? Is there a need for power surge devices or alternate power facilities, e.g. battery operated? (NOTE: these are applicable only in large data centres.)
- Is the DRP kept up-to-date and tested annually?
3. Safeguard

Back-up procedures exist and are followed

Back-up procedures have been established, tested and are being followed.

Supporting Evidence:
- Is the removal of data from the processing site adequately controlled, including transfer of data to the back-up storage location (which must be off site) and release of data to third parties?
- Is an inventory of back-up storage maintained and updated regularly?
- Have clear back-up procedures regarding timing and frequency been established for all applications?
- Have responsibilities been defined?

4. Safeguard

Preventive maintenance is performed

Establish standards for preventive maintenance of computer hardware and infrastructure (air conditioning, etc.), and monitor, identify and take action regarding regular failures.

Supporting Evidence:
- Are maintenance contracts, including service standards, established with IT system suppliers or service companies?
- Are there maintenance schedules for key installations, and was the last maintenance performed in line with the schedule?
- Are common suppliers/service companies used within a BG (Business Group)?

2. Risk

IT expenditure is not aligned with IT budget


1. Safeguard

A Detailed IT Budget is prepared

Establish reliable procedures for planning, authorising and monitoring the budget for hardware and software.

Supporting Evidence:
- Are investments and costs planned and authorised according to the annual planning process?
- Is the budget regularly monitored?
- Have procedures been established to ensure that appropriate equipment and software are purchased?


3. Risk

Hardware and Software purchases are not compliant with policies


1. Safeguard

The global buying policy is adhered to

Establish procedures for authorising and purchasing hardware and software in accordance with the Global Buying arrangements and Corporate IT policies.

Supporting Evidence:
- Have authorisations been clearly defined and communicated regarding the buying of hardware and software?
- Have procedures been established and communicated ensuring that all hardware and software are bought in accordance with THE COMPANY's IT Policies and the Global Buying System (GBS)?
- Does the company place "electronic" orders on the website in accordance with the global buying arrangement? Is access to these sites regularly monitored?
- Have procedures been established so that invoices based on electronic orders are completely checked, ensuring that the company pays only for hardware and software completely received, on the basis of current corporate prices and actual exchange rates?
- Have contact persons been defined to co-ordinate global buying of hardware?
- Have supplier performance and service measures been defined within each category (as outlined in the GBS), and are they regularly monitored?

4. Risk

Data is not accurate and/or complete


1.Safeguard


Amendments to master data are authorised

Procedures are in place for each application to ensure that amendments to master files and control tables are made by authorised users.

Supporting Evidence:
- Are there controls over master file and control table changes, including ensuring the integrity of master file updates as to whether they are authorised and accurate?
- Are there audit trails with appropriate accountability, and is there evidence that they have been reviewed periodically?
- Has information ownership been determined in accordance with the Information Classification Policy?

2. Safeguard

Data accuracy and consistency is protected

Procedures are in place to reconcile data within and between applications and to monitor data transfers between systems for completeness and accuracy.

Supporting Evidence:
- Are batch control procedures in place and working?
- Are there controls, e.g. record counts, receipt verification, etc., for external transmissions to and from other systems (e.g. MFG PRO Manufacturing to SAP Financial), to and from in-house developed systems, and between integrated modules of the same system?
- Are control databases in place?
- Are there requirements that ensure data is checked for reasonableness?
- Are there adequate edit tests prior to processing data, including tests for reasonableness of data and procedures to ensure that data rejected, flagged or put into suspense files is corrected on a timely basis?
- Are all control procedures properly documented, followed and monitored?
- Are responsibilities for control processes clearly defined by the system owner?
3.Safeguard


Master data is regularly reviewed

Master data is regularly reviewed to ensure that records are not outdated.

Supporting Evidence:
- Are all amendments made on a timely basis?
- Is key master data regularly reviewed for accuracy and consistency (e.g. customers, creditors, debtors, assets register, etc.)?

5. Risk

Systems and data are accessed by unauthorised personnel


1. Safeguard

The ISO function is effective

An effective Information Security Officer function exists to monitor and enforce a formally documented company policy for computer security, based on the Concern IT Security Policy and local regulations, including an evaluation of potential computer risks and strategies to deal with them.

Supporting Evidence:
- Has an Information Security Officer (ISO) been appointed at a level high enough, and independent of the IT function, to facilitate effectiveness (independence of reporting)?
- Has a Self-Assessment (Information Technology Operational Risk Summary, ITORS) been completed, an action plan developed to address weaknesses, and have recommendations been actioned?
- Do the ITORS results correctly reflect the actual situation, and have they been communicated to the BG (Business Group)?
2.Safeguard


Access to systems is controlled

Access control software and procedures protect data, applications and system software, and violations are monitored and followed up.

Supporting Evidence:
- Have procedures been established to define the access rights of users, operators, network managers and developers according to their functions/responsibilities, and are they compliant with IT Security policies? I.e. is there proper segregation of duties and access control?
- Are access rights authorised by the application or system owner, regularly updated to cover new starters and leavers, and maintained in all systems concerned?
- Is there separation of inquiry vs. update capability?
- Are there procedures established and closely monitored to analyse log files and system messages generated by the various systems for unauthorised use?
- Have appropriate incident escalation procedures been set up?
- If there is confidential data on a personal computer, is it adequately protected and physically secured?
- Have security requirements been communicated to all users?
- Is there a provision for special handling of sensitive information so that confidentiality is not compromised?
- Are there controls to ensure that security packages are not bypassed when the computer is started up?
- Is the use of global operating system utilities, i.e. users with unlimited rights, monitored to evaluate usage?
- Is use of the main console limited to computer operators and not used to enter transactions?
- Are group IDs used only when essential, and used securely?
- Is access by third party consultants properly controlled, and are there signed contracts in place covering non-disclosure of confidential information?
- Are audit logs on servers reviewed regularly?
- Is ESM/RAXCO installed and properly checked on all open system servers?
- Is there adequate management, control and appropriate use of Internet facilities?
- Are computer programs processed from authorised production libraries? (Command language can be used to override libraries and files so that unauthorised versions of programs or files are processed.)


3. Safeguard

The network is secured

Procedures for securing networks against unauthorised access are established and monitored (any incidents have to be reported).

Supporting Evidence:
- Have the Network Security Policy and incident handling requirements been fully implemented?
- Are there procedures established and closely monitored for analysing log files and system messages regarding intrusion detection devices, or for the presence of guards?
- Is Internet access only established via firewalls? Are firewalls regularly updated?
- Are third party direct links registered with GIO, with valid contracts?
- Is remote access always secured with a recommended secure access control device?
4. Safeguard

Access to output/reports is protected

Reports are only distributed to authorised personnel, and specified confidential reports, files and disks are destroyed after use.

Supporting Evidence:
- Is there a provision for handling sensitive information so that confidentiality is not compromised?
- Is there routinely separation of inquiry vs. update capability?


Process: 6. Information Technology Management
Activity: 3. Implementation & Development

Risks:
1. Project is mismanaged
2. Application was not designed with adequate internal controls
3. Knowledge and skills are inadequate

1. Risk

Project is mismanaged

1. Safeguard

Projects are effectively managed

A Project Management process exists which ensures that all projects are briefed, the objectives clearly understood, costs and benefits determined and authorised, and responsibilities and ownership defined.

Supporting Evidence:
- Has a comprehensive project brief, including business requirements, responsibilities, team members, steering committee, objective, budget, etc., been established?
- Are projects organised in small modules, and are they business-led?
- Are there contracts that specify costs, description of project and period of time?
- Are competitive bids or reasonable evaluations of fees required for the use of consultants?
- Are project costs estimated to ensure adherence to authorisation levels, and if project enhancements significantly increase original project estimates, are additional authorisations required?
- Are resources adequately allocated to the project and managed efficiently and effectively?
- Has a detailed project plan been developed, have checkpoints (milestones) been defined, and is project progress monitored accordingly?
- Are IT security aspects built into the brief?
- Are all interfaces to other systems determined prior to development?
- Are post mortems carried out on all major projects?


2. Safeguard

Development and test standards are established

A system development life cycle methodology exists, is in line with Concern IT policy, and involves users in the review and approval of systems. There are test facilities separate from the production environment, and all modifications are adequately tested.

Supporting Evidence:
- Is there a standards (policies and procedures) manual with requirements for documentation (programming, system design, operations, data preparation and user procedures), design (system design, programming, conversion, e.g. parallel processing, file validation), training plans and testing plans?
- Are system owners involved in the authorisation process?
- Has a QA programme for managing projects been implemented?
- Have all implications been evaluated in terms of costs, network and computer requirements?
- Have procedures been implemented to review project plans regarding timing, costs and implementation risks?
- Is a current risk register maintained, proactively monitored and reported to the Steering Group to propose alternative solutions?
- Are test plans available, and have tests been performed in accordance with established test plans?
- Do test plans cover events such as month-end, year-end, breakdowns, etc.?
- Has an integration test with other linked systems been performed?
- Have relevant tests been performed and accepted by users?
- Do developers have no access to production data and transactions, etc.?
- Are sufficient computer resources available to test the implementation of new versions/releases of standard software, including integration tests?

3.Safeguard


The transfer into the live environment is controlled

Procedures exist which prohibit testing with live data and which ensure that confidential data is adequately protected, and which establish mechanisms for the transfer of programs and data from the production into the test environment and vice versa.

Supporting Evidence:
- Is there a technical process established so that only operators initiate the transfer (copy of programs, modules, etc.) to be modified from production into test environments, and from test into production after amendments and tests?
- Are there controls over program library modifications?
- Are there audit trails with appropriate accountability?
- Does the development of the command language preclude overrides that allow processing from unauthorised versions or segments of programs?
- Have naming conventions been implemented and used for files, programs and procedures?
- Have sensitive and confidential files been classified, ensuring authorised usage?
- Do source and object programs have similar creation dates, to ensure that object programs were compiled from authorised source versions and that authorised program modifications have been implemented?

4. Safeguard

An IT budget is established

A procedure exists for differentiating between development and running costs and time, and for budgeting, monitoring and reporting on development costs and time.

Supporting Evidence:
- If consultants are used, are costs properly allocated? (Are there contracts that specify costs, description of project and period of time?)
- Are project cost commitments monitored to ensure adherence to authorisation levels, and if project enhancements significantly increase over original project estimates, are additional authorisations required?
- Are actual costs compared to budget?
- Are time, progress and costs of own staff and consultants maintained?
- Are time sheets from consultants checked?


2. Risk

Application was not designed with adequate internal controls


1. Safeguard

Overall control procedures are developed

Overall control procedures are developed for ensuring completeness, accuracy and consistency of input, data and processes.

Supporting Evidence:
- Are control procedures developed to monitor consistency of data, including analysing system warning messages?
- Are control standards defined and accepted?
- Are control procedures developed, e.g. reconciliation of data between the General Ledger and the Sub Ledgers and to other systems?
- Is there a system of quality assurance to ensure that control standards are enforced?
2. Safeguard

An adequate test environment is provided

Sufficient test facilities, totally separated from the production environment, are provided, and all modifications are adequately tested.

Supporting Evidence:
- Is a test environment available for all development activities?
- Have responsibilities for and ownership of data and application software been defined?
- Are fallback procedures and back-ups for the developments established and tested?

3. Risk

Knowledge and skills are inadequate


1.Safeguard


Training plans are created and followed

All development personnel and users, including IT operators, are adequately trained. Training includes the use of the system, and control and recovery procedures.

Supporting Evidence:
- Is training material available for different user groups and computer operators, and updated as modifications occur?
- Is the training based on current system documentation?
- Is there a formal training process for design, operations and user personnel?
- Has a training environment been established?
2. Safeguard

Documentation is maintained

There is adequate documentation of all developments, maintained in conjunction with system or program modification. Copies are stored at the alternate processing site in the event of a disaster.

Supporting Evidence:
- Is complete documentation available for different user groups and computer operators, and updated as modifications occur?
- Have the IT operations procedures been completed and documented (interfaces, recovery, communications, timing)?
- Has ownership of documentation been defined?
- Is there a system of quality assurance to ensure that system documentation standards are enforced?
- Are copies of documentation stored off-site in a secure location in case of a disaster?


Process: 6. Information Technology Management
Activity: 4. Infrastructure Services provided by the IMC (Information Management Centre)

The following section only applies to Operating Companies which are supported by an IMC (Information Management Centre), and is in addition to the previous sections.

Risks:
1. Responsibilities have not been clearly defined
2. Services are not in accordance with the needs of the company
3. A comprehensive Security Concept has not been established

1. Risk

Responsibilities have not been clearly defined


1. Safeguard

An agreed IMC (Information Management Centre) Contract is established

The OpCo and the IMC have to agree on their responsibilities and obligations regarding hardware and software strategy and the timing of the transfer of services to the IMC. This contract should be agreed by the Business Group and signed by the Chairman of the OpCo and the Head of the IMC.

Supporting Evidence:
- Is there a contract available describing the obligations of both sides and the move of responsibilities regarding infrastructure services, hardware strategy, investment and costs, including the transfer of all relevant assets from the OpCo to the IMC?
- Is there an agreed implementation plan available for the transfer of hardware and applications from the OpCo to the IMC?
- Does the plan include proper provisions for people and capital?
2.Safeguard


Communication channels between OpCo and IMC (Information Management Centre) are established

Appoint an Infrastructure Manager (BSM) as first point of contact for the IMC. This structure and the responsibilities should be communicated within the OpCo and the IMC.

Supporting Evidence:
- Have the Infrastructure Managers (IM) been appointed within the OpCo?
- Have procedures been established to communicate major application developments between the OpCo and the IMC?
- Have these procedures and communication channels been distributed across the OpCos?
- Are regular meetings held between the OpCo, BG (Business Group) and the IMC about achieving contract targets and budgets? Are minutes and action plans available?

2. Risk

Services are not in accordance with the needs of the company


1. Safeguard

A Service Level Agreement is established

There is a standard Service Level Agreement (see Blue Print) describing in detail the scope and availability of services to be delivered by the IMC (Information Management Centre) and the obligations of the OpCo, including agreed measures and costs. This contract has to be agreed and signed by the OpCos.

Supporting Evidence:
- Does the SLA contain clearly defined services and obligations of both sides, performance measures and costs, including transfer-pricing agreements?
- Have the Commercial Director and the IMC signed an SLA?
- Have legal and tax related issues been discussed with the representative departments?
- Have the agreed services, measures and obligations been communicated to all managers and staff concerned?
2.Safeguard


Performance measures are defined and monitored

Define performance measures for all services in order to assess, monitor and improve quality of service. Provide regular service level reports to the OpCo and the Infrastructure Management Team. Design a problem management system.

Supporting Evidence:
- Have performance measures been implemented as recommended in the Blue Print?
- Have measures for Service Desk quality been implemented?
- Have these measures been agreed with and communicated through the IMC (Information Management Centre) and the customers of the OpCo?
- Have measures for development services been defined?
- Are problems completely recorded, and is regular analysis generated?
- Are results periodically discussed with the IMC, and corrective actions taken?

3. Risk

A comprehensive Security Concept has not been established


1.Safeguard


IT Security Standards are established

Implement and maintain all components of the IT Security Policy and define the responsibilities of the Information Security Officers in the OpCo and the IMC (Information Management Centre), in order to ensure consistent coverage of IT Security Policies including local and legal regulations.

Supporting Evidence:
- Have procedures been established for physical security and access to data and information, ensuring full coverage and consistency between the OpCo and the IMC?
- Have ISOs been appointed?
- Have the responsibilities of the ISOs in the OpCo and the IMC been defined and communicated?
- Has a Self-Assessment (ITORS) been completed separately for the OpCo and the IMC?
- Do the ITORS results correctly reflect the actual situation, and have they been communicated to the BG (Business Group)?
- Have corrective action plans been developed, ensuring full coverage and consistent implementation of IT Security Policies?

2.Safeguard


Disaster Recovery Plans are established and tested

Develop, establish and test a Business Continuity Plan for the OpCo, fully compliant with IT Security Policies, to ensure IT service continuity for critical business applications. This plan should be in accordance with the plans in the IMC (Information Management Centre) in order to avoid any gaps.

Supporting Evidence:
- Have all application owners identified IT applications and information that are critical to the continuity of the Business Group/Operating Company function?
- Have owners for the DRP been clearly defined in the OpCo and the IMC?
- Does the Disaster Recovery Plan cover all critical IT applications, each protected with a written and tested business continuity/Disaster Recovery Plan to ensure business continuity in the event of primary IT services failure?
- Are responsibilities in the case of disaster clearly defined between the OpCo and the IMC, and are they communicated?
- Is the DRP kept up to date and tested annually?
- Are minutes of the current tests available, and is adequate corrective action taken in order to improve business continuity?
- Have any gaps been identified between the DRPs of the IMC and the OpCos?
- Have application owners been involved in the evaluation of the test results?
- Does the recovery time meet the business needs?

