Coa Audit Service Continuity Plan - 0001

Classification: INTERNAL USE
Document Title: Audit Service Continuity Plan
COMMISSION ON AUDIT
Document No.
Revision No. 0
Effective Date

Document Revision History


Version/Revision No. | Page No. | Description of Revision | Originator/Process Owner | Date of Approval | Approver
1.0

No part of this document may be reproduced without prior permission from the Document Controller or his/her
authorized representative. A printed copy of this document is uncontrolled when unstamped.

TABLE OF CONTENTS

1.0 Introduction
2.0 Purpose
3.0 Continuity Policy Statement
4.0 Scope
5.0 Roles and Responsibilities
6.0 Definition of Terms
7.0 Assumptions
8.0 Mission Essential Functions and Recovery Time Objective
9.0 Activation, Criteria, Procedures and Authorities
10.0 Continuity Strategies
11.0 Resource Requirements
12.0 Communication Procedures
13.0 Testing and Maintenance of the ASCP
14.0 References
15.0 Appendices
Appendix A (Creation of COA Continuity Core Team)
Appendix B (Continuity Core Team Structure)
Appendix C (Damage Assessment and Needs Analysis Initial Report)
Appendix D (IT Disaster Recovery Team)
Appendix E (IT Disaster Recovery Plan Workflow)
Appendix F (Risk Assessment for Continuity of Operations)
Appendix G (Impact Analysis)
Appendix H (Network Failover Plan)
Appendix I (Websites/Information Systems Failover Plan)
Appendix J (Delegation of Authority and Order of Succession)
Appendix K (Key Resource Requirements Form)
Appendix L (Key Contacts Form)
Appendix M (Exercise and Test Plan)


ACRONYMS

AI - Artificial Intelligence
AH - Audit Highlights
ARCIS - Agency Records Custodial Information System
ASCP - Audit Service Continuity Plan
AT - Administration Team
ATL - Audit Team Leader
AWA - Alternative Work Arrangements
BCI - Business Continuity Institute
BCMS - Business Continuity Management Systems
BaaS - Backup as a Service
CCT - Continuity Core Team
CCTV - Close Circuit Television
CER - Cash Examination Report
CPIRRT - Continuity Planning and Incident Recovery/Response Team
CT - Communication Team
DRaaS - Disaster Recovery as a Service
DRT - Disaster Recovery Team
DV - Disbursement Vouchers
EDP - Electronic Document Portal
ER/RT - Emergency Response/Recovery Team
FEMA - Federal Emergency Management Agency
FPT - Finance and Procurement Team
ICT - Information, Communication and Technology
IS - Information Systems
ISAdSD - Information Systems Administration and Support Division
ISDMS - Information Systems Development and Maintenance Division
ISO - International Organization for Standardization
IT - Information Technology
JEV - Journal Entry Voucher
LGU - Local Government Unit
LR - Liquidation Report
MEF - Mission Essential Function
ML - Management Letter
MOA - Memorandum of Agreement
MOU - Memorandum of Understanding
MT - Medical Team
NC - Notice of Charge
NCR - National Capital Region
ND - Notice of Disallowance
NDRRMC - National Disaster Risk Reduction and Management Council
NIST - National Institute of Standards and Technology
NS - Notice of Suspension
OR - Official Receipt
PSCT - Public Service Continuity Team
PPE - Property, Plant and Equipment
QuAID - Quality Assurance and Implementation Division
RMS - Records Management Services
RTO - Recovery Time Objective
SA - Supervising Auditor
SAOR - Summary of Audit Observations and Recommendations
TER - Technical Evaluation Reports
UPS - Uninterruptible Power Supply


1.0 INTRODUCTION

Public-sector auditing is indispensable for public administration, as the management of
public resources is a matter of trust. It enhances the confidence of the intended users
by providing information and independent and objective assessments concerning
deviations from accepted standards or principles of good governance.[1] As an
independent constitutional commission under the 1987 Constitution of the Philippines,
the Commission on Audit (COA) has the primordial mandate of promoting good
governance and accountability. With the enormous duty to examine, audit, and settle
all accounts pertaining to the revenue and receipts of, and expenditures or uses of funds
and property, owned or held in trust by, or pertaining to, the Government, or any of its
subdivisions, agencies, or instrumentalities,[2] coupled with high expectations from
stakeholders, COA has been relentlessly adopting policies and guidelines to improve
the delivery of audit services. Nonetheless, like any other institution, continuity of audit
services delivery is a huge challenge for COA in times of crisis. Routine, traditional,
and predictable audit processes need to be replaced with unconventional and innovative
audit strategies, systems, and processes.

Amid emergency and emergent situations, the delivery of audit services takes on
heightened relevance and significance, given the public need to assess the efficiency,
effectiveness, and economy of the government's disaster risk intervention and response
programs, including the utilization of the huge amount of emergency public funds
allocated for the purpose.

In order to fulfill its constitutional mandate and maintain public trust in government
through continuous audit operations and incessant protection of its personnel during the
period of uncertainties or calamities, the COA develops and adopts a comprehensive
Audit Service Continuity Plan (ASCP) that provides the framework for building and
strengthening its organizational resiliency and capacity for emergency preparedness
and disaster response and recovery.

2.0 PURPOSE

Given that the Philippines ranks as the 9th riskiest country worldwide,[3] government
agencies are exposed to both natural and human-induced hazards that can affect
operational continuity. Developing the COA ASCP is a key strategy to provide
roadmaps and methods that support the organization and its operation in times of
unforeseen disruptions and emergencies.

An effective COA ASCP helps the organization to ensure continued performance of
mission essential functions (MEFs) through timely and orderly response/recovery,
resume delivery of vital services to the public, minimize damage and loss to a critical
process by protecting essential facilities and resources, reduce or mitigate disruptions
to operations, establish succession if agency leadership is disrupted, and improve
continuity capabilities through a test, training and exercise program.[4]

[1] ISSAI 100 Fundamental Principles of Public-Sector Auditing.
[2] Section 2(1) of Article IX-D of 1987 Philippine Constitution.
[3] World Risk Report 2019 edition.

3.0 CONTINUITY POLICY STATEMENT

As the Supreme Audit Institution of the Philippines, COA recognizes the need to
establish, implement and maintain an appropriate and effective continuity plan to ensure
timely delivery of audit services during emergency and emergent situations that cause
work disruptions to ensure transparency and accountability over public resources, and
help improve government operations as an enabling partner in good governance, after
taking into consideration the welfare and protection of its employees and resources, as
well as the needs of its stakeholders.

The Commission commits to the attainment of the following public service continuity
objectives:

• Develop, implement, maintain, monitor, review, and continually improve the
COA ASCP;
• Equip COA personnel by providing them with tools and skills to capacitate them
to prepare and respond to and recover from disruptive events;
• Reduce the loss of life or property, and minimize damage;
• Determine and adopt the minimum acceptable level of audit services to achieve
stakeholder satisfaction during disruptive incidents, and ensure capability to
provide such;
• Ensure resumption and recovery of MEFs in the shortest possible time after a
disruptive incident, and provide protection and welfare to its employees and
resources, and serve the needs of its stakeholders; and
• Preserve the confidentiality, integrity and availability of its information assets
amid disruption incidents.

4.0 SCOPE

The ASCP covers the COA Central Office and auditing units situated in the National
Capital Region (NCR), including all its personnel and external service providers. After
the first iteration, the succeeding version of this document will include sections for
offices and auditing units located outside NCR.

This ASCP does not cover certain incidents that may lead to a long-running crisis,
safety threat and work disturbances such as war, invasion and rebellion.

[4] Public Service Continuity Guidebook.


5.0 ROLES AND RESPONSIBILITIES


In order to achieve the COA's continuity objectives, a Continuity Core Team (CCT)
shall be created through the issuance of an Office Order (Appendix A) following the
CCT structure (Appendix B).

The overall duties and responsibilities of the CCT are as follows:

a. Facilitate the periodic review and refinement of the ASCP to include testing,
evaluation, packaging, updating, and improvement;
b. Develop a work plan for the refinement and updating of the ASCP;
c. Organize consultation meetings with the planners and relevant technical experts
regarding the refinement of the ASCP;
d. Facilitate the presentation and endorsement of the revised ASCP to the authorities
for comments and approval;[5] and
e. Perform such related duties and responsibilities as the need arises.

The specific duties and responsibilities of each Officer/Teams are as follows:

The Commission Proper or the Chairperson

Planning Tasks and Deliverables

1. Evaluates and approves the ASCP
   Deliverable: Updated and Approved ASCP
2. Ensures the continual improvement and update of the ASCP on a yearly basis or
   as the need arises
   Deliverable: Minutes of Meeting
3. Ensures that continuity programs are properly resourced by providing the
   necessary and sufficient funds and staff complement
   Deliverable: Approved Budget
4. Appoints continuity managers to oversee plan development, maintenance, and
   testing activities
   Deliverable: Office Order appointing Continuity Manager/s
5. Approves Order of Succession and Delegations of Authority
   Deliverable: COA Memorandum relative to Order of Succession and Delegations of
   Authority
6. Approves MEFs; acceptable "downtime" for each function; and risk for exposures
   which they elect not to address that has been identified in impact analysis
   Deliverable: List of Approved MEFs

[5] PSCP Guidelines, p. 52.


7. Approves all alternate site decisions for the relocation of the MEFs
   Deliverable: COA Resolution for Alternate Site Decisions
8. Approves the Consolidated ASCP Budget Proposal
   Deliverable: Approved Consolidated ASCP Budget Proposal

Emergency or Recovery Tasks and Deliverables

1. Activates/Deactivates the ASCP[6]
   Deliverable: Memorandum on Activation/Deactivation of ASCP
2. Approves COA Memorandum providing specific guidelines on continuity strategies
   depending on the disruptive incidents such as the implementation of alternate
   working mechanisms and other precautionary measures
   Deliverable: COA Memorandum
3. Approves the Consolidated Supplemental ASCP Budget Proposal
   Deliverable: Approved Consolidated Supplemental ASCP Budget Proposal

Continuity Managers - the Assistant Commissioners' (AsComs) Group

Planning Tasks and Deliverables

1. Oversee plan refinement, maintenance, and testing activities
2. Review ASCP to ensure compliance with rules and regulations, and endorse to the
   Commission Proper
   Deliverable: Reviewed ASCP, Minutes of Meetings
3. Set test objectives and review test plans to determine those essential
   requirements are met
   Deliverable: List of Test Objectives and Test Plans
4. Review test results, ensuring corrective measures are detailed and actions are
   taken
   Deliverable: Test Results
5. Review COA Memorandum on the Order of Succession and Delegations of Authority,
   and endorse to the Commission Proper
   Deliverable: Draft COA Memorandum for the Order of Succession and Delegations of
   Authority
6. Review the Consolidated ASCP Budget Proposal and recommend approval and
   endorsement to the Commission Proper
   Deliverable: Duly endorsed Consolidated ASCP Budget Proposal

[6] For clarity, only the procedures concerning the shift to alternative work arrangements for the continuity of audit services need activation.
Procedures to prevent further loss of lives and property are automatically triggered by the emergent situation.


Emergency or Recovery Tasks and Deliverables

1. Assess the level of the disruptive incidents and endorse to the Commission
   Proper the activation/deactivation of the ASCP
   Deliverable: Endorsement to activate/deactivate ASCP
2. Initiate preparation of COA Memorandum providing specific guidelines on
   continuity strategies such as the implementation of alternate working mechanism
   and other precautionary measures, and endorse to the Commission Proper for
   approval
   Deliverable: Draft COA Memorandum
3. Monitor the recovery process and eventually provide regular reports on recovery
   status to the Commission Proper
   Deliverable: Recovery Status Reports
4. Review the Consolidated Supplemental ASCP Budget Proposal and recommend approval
   and endorsement to the Commission Proper
   Deliverable: Duly endorsed Consolidated Supplemental ASCP Budget Proposal

Continuity Coordinators - Directors IV and Directors III (as alternate)

Planning Tasks and Deliverables

1. Coordinate plan refinement, maintenance and testing activities
2. Coordinate and lead the planning activities of the Continuity Planning and
   Incident Recovery/Response team (CPIRRT)
   Deliverable (tasks 1 and 2): Updated ASCP, Minutes of Meeting
3. Oversee the CPIRRT
   Deliverable: Reviewed corrective actions resulting from plan testing
4. Maintain updated contact details of members of the CPIRRT
   Deliverable: Updated contact details of the CPIRRT


5. Ensure that periodic impact analysis is performed and documented to identify
   the maximum acceptable time frames in which MEFs could be inoperable without
   compromising the Commission's reputation
   Deliverable: Impact Analysis
6. Review and update the plans on a periodic basis, or as changes are made to the
   MEFs; distribute updates to those on the plan distribution list
   Deliverable: Minutes of Meeting/Updated ASCP
7. Ensure that all required equipment and facilities are provided at the alternate
   site
   Deliverable: List of equipment and Facilities
8. Ensure that all records and resources required to support the restoration of
   MEFs, within the appropriate time frames, are available and kept offsite
   Deliverable: Status Report on All Records and Resources needed to support the
   restoration of MEF
9. Coordinate tests of the plan; initiate corrective actions resulting from tests
   Deliverable: Memorandum and/or electronic mail sent to concerned CPIRRT about the
   tests of ASCP
10. Prepare Consolidated ASCP Budget Proposal
    Deliverable: Consolidated ASCP Budget Proposal

Emergency or Recovery Tasks and Deliverables

1. Initiate incident notification process; i.e., calling the CPIRRT
   Deliverable: Memorandum, electronic mail, or mobile notification sent to CPIRRT
2. Track actual progress/completion of recovery/response activities against the
   projected sequence of recovery/response events
   Deliverable: Comparative Analysis between Actual Progress/Completion of
   Recovery/Response Activities vis-a-vis Projected Sequence of Recovery/Response
   Events
3. Prepare and submit final Incident Assessment Reports and Action Plan to
   Continuity Manager
   Deliverable: Final Disaster Assessment and Action Plan Report
4. Review the consolidated Monthly Report of Expenditures related to an ongoing
   disruptive incident
   Deliverable: Reviewed consolidated Monthly Report of Expenditures
5. Review the consolidated Monthly Comparative Analysis between Budget and Actual
   Expenditures
   Deliverable: Reviewed Comparative Analysis between Budget and Actual Expenditures


6. Ensure the adequacy of the budget during a disruptive incident
7. Evaluate/assess the need to augment budget for other expenditures related to
   the disruptive incident, then prepare Consolidated Supplemental ASCP Budget
   Proposal
   Deliverable (tasks 6 and 7): Evaluation Report and Consolidated Supplemental ASCP
   Budget Proposal

Continuity Planning and Incident Recovery/Response Team (CPIRRT) - the Service Chiefs

Planning Tasks and Deliverables

1. Review and update procedures to recover/resume MEFs
   Deliverable: Updated ASCP, emergency/recovery procedures
2. Identify the resources needed to support the restoration of MEFs within the
   appropriate time frames
   Deliverable: Inventory of resources needed (manpower, office and medical
   supplies, furniture and fixtures, IT equipment, vehicles, etc.)
3. Prepare and maintain vital records register
   Deliverable: Vital Records Register
4. Work with the technical support team to plan and execute disruption recovery
   test exercises to determine whether essential business functions can be
   recovered within acceptable timeframes as outlined in the continuity plan
   Deliverable: Minutes of Meeting
5. Ensure that all staff members are familiar with continuity plans, recovery
   procedures, and their assigned responsibilities
   Deliverable: Training program for the staff members of the incident/disaster
   recovery/response team
6. Develop emergency evacuation plan, recovery plans, test plans; review test
   results; plan and oversee corrective actions, as required
   Deliverable: Emergency Evacuation Plan, Recovery Plan, Test Plan, and Corrective
   actions resulting from plan testing
7. Coordinate continuity testing, documenting post-exercise lessons learned, and
   conducting periodic evaluations of the Commission's continuity capabilities
   Deliverable: Annual testing of the ASCP, Report on the result of the ASCP
   testing, Periodic Continuity Evaluation Report


Emergency or Recovery Tasks and Deliverables

Overall Emergency or Recovery Task

1. Prepares an ASCP Budget Proposal and submits a copy to the Continuity
   Coordinator for consolidation
   Deliverable: ASCP Budget Proposal
2. Submits to the Finance and Procurement Team, a Monthly Report of Expenditures
   incurred and paid related to the incident/disaster that affected the operation
   Deliverable: Monthly Report of Expenditures
3. Prepares Comparative Analysis between ASCP Approved Budget and Actual
   Expenditures
   Deliverable: Comparison of ASCP Approved Budget and Actual Expenditures
4. Prepares Supplemental ASCP Budget Proposal
   Deliverable: Supplemental ASCP Budget Proposal

Communication Team
(In coordination with Public Information Office and Office/Cluster Directors)

1. Issues emergency alerts/notifications to COA employees and its stakeholders on
   the onset of the disaster/incident or activation of the ASCP
   Deliverable: Emergency Alerts/Notification
2. Develops an official public statement concerning the disruptive incident, and
   controls and regulates media releases
   Deliverable: Official public statement
3. Provides information regarding the disruptive incident and recovery/response
   efforts to employees and their families
   Deliverable: Communication plan
4. Notifies employee's emergency contact of employee injury or fatality, if
   applicable
   Deliverable: Updated database of the contact details of employees (organic and
   non-organic)
5. Serves as communication operator in times of disruptive incident
   Deliverable: Communication plan
6. Prepares and operates call tree
   Deliverable: Call Tree
7. Prepares status report of employees and provides a copy to the continuity
   coordinator/s for consolidation
   Deliverable: Status Report of Employees

Emergency Response/Recovery Team
(To be augmented by selected employees per Office Order)

1. Ascertains the nature and scope of the emergency
   Deliverable: Report on the nature and scope of emergency


2. Coordinates the orderly evacuation of employees when needed, as well as the
   immediate rescue of employees
   Deliverable: Memorandum, electronic mail, or messages sent via messaging
   applications to all concerned
3. Inspects the physical structure and identifies the areas that may have
   sustained damage
   Deliverable: Inspection Report
4. Prepares overall damage assessment and need analysis reports which include
   damages on physical structure/areas and equipment and provides recommendations
   to the continuity coordinator
   Deliverable: Damage Assessment and Needs Analysis Report (Appendix C)
5. Advises the Continuity Coordinator on issues regarding incident/disaster safety
   Deliverable: Minutes of meeting or electronic mail or messages sent via messaging
   applications
6. Ensures that all emergency/disaster response equipment or gadgets are complete,
   sufficient, and in good condition
   Deliverable: Inventory of Emergency/Disaster Response Equipment/Gadgets

Medical Team
(In coordination with HRMO-Medical and Dental Unit)

1. Renders first-aid treatment to injured personnel and coordinates transfer to
   hospital for those requiring immediate treatment, when necessary
   Deliverable: Medical Report/s
2. Provides medical support to victims and casualties
   Deliverable: List of Personnel with injuries and casualties
3. Prepares list of nearby hospital/s
   Deliverable: Database of nearby hospital/s
4. Ensures the adequacy and availability of medical supplies needed in providing
   emergency and immediate treatment
   Deliverable: Inventory of medical supplies

Administration Team
(In coordination with General Services Office)

1. Arranges the availability of necessary office support services and equipment
   such as office supplies, hardware, furniture and fixtures, and transportation
   Deliverable: Inventory of office supplies, furniture and fixtures, and
   documentation for offsite
2. Provides immediate transportation of victims/casualties to hospitals
   Deliverable: Inventory of vehicles and Report on Victims/Casualties transported
   to hospitals


3. Identifies and documents when repairs can begin and obtains cost estimate
   Deliverable: Pre-repair Inspection and Budget Estimate
4. Determines where forms and supplies should be delivered, based on damage to the
   normal storage areas for the materials
   Deliverable: Report on Forms and Supplies for Delivery
5. Contacts vendors/contractors to schedule specific start dates for the repairs
   Deliverable: Contact details of vendors, Job Order Contract Sheet/Contract of
   Service
6. Takes appropriate actions to safeguard equipment from further damage or
   deterioration
7. Coordinates the removal, shipment, and safe storage of all furniture,
   documentation, supplies, and other materials as necessary
   Deliverable: Status of Property, Plant and Equipment (PPE)/Inventory remaining
   onsite
8. Supervises all salvage and cleanup activities
9. Coordinates required Office's relocations to the recovery sites
10. Coordinates relocation to the permanent site after repairs are made
11. Assures that arrangements are made for meals and temporary housing facilities,
    when required, for all recovery/response personnel
    Deliverable (tasks 10 and 11): Memorandum or communication sent to all concerned
12. Takes headcount of personnel after the disruptive incident/evacuation
    Deliverable: List of headcounts of personnel after disruptive
    incident/evacuation
13. Maintains security and order inside and outside the office premises
14. Maintains order and traffic flows within the surroundings of COA premises
    Deliverable (tasks 13 and 14): Status Report on security and order and traffic
    flows, indicating therein proposed plan of action for problems encountered,
    List of security guards and their respective area of responsibility
15. Secures COA assets
    Deliverable: Consolidated List of Secured COA Assets indicating among others,
    the description of the property, property number, acquisition cost, location,
    and its condition

IT Disaster Recovery Team (DRT) (Appendix D)
(In coordination with Information Technology Office)

1. Activates the IT Disaster Recovery Plan (refer to COA IT Disaster Recovery Plan
   and Appendix E)
   Deliverable: Activation of IT Continuity/Disaster/Incident Recovery Plan


2. Determines the urgency, level of impact or damage of the disruption
   Deliverable: Damage Assessment Report

DRT - Information Systems Administration and Support Division and Information
Systems Development and Maintenance Division

3. Assesses the extent of a cybersecurity breach on the digital information and
   digital assets, and recommends a solution for the continuity of the operation
   Deliverables: Cybersecurity incident report; Incident response and analysis
   report
4. Provides network services on the affected servers
5. Makes arrangements with network service carriers/internet service providers to
   recover network operations at the primary/secondary site
   Deliverables: Inventory of IT equipment, network devices; IT Disaster/Incident
   Recovery/Response Status Report; Monitoring Report
6. Assists in the installation of Information Systems (IS) and restoration of
   damaged systems
7. Ensures that data files are backed up regularly and provides the latest offsite
   backups when needed
   Deliverable: Report of data/records with backup
8. Assists in the restoration of the needed database
   Deliverable: Restored IS and Database
9. Assists in the restoration of the Web applications in the Web Server and
   Databases in the SQL Server
   Deliverable: Restored web applications
10. Coordinates with the appropriate divisions for the required offsite backup of
    Information System Codes, Web Application Files and Databases
    Deliverable: Report of data/records with backup

DRT - Quality Assurance and Implementation Division

11. Notifies the System Owners and System Administrators about the status of the
    disruption
    Deliverables: Monitoring and Status Report; Memorandum or communication
    sent/Minutes of Meetings
12. Assesses the recovery to restore system operations procedures performed
13. Performs validation testing and ensures normal operation of the IS
    Deliverable: Validation Test


14. Coordinates with IS Users and System Administrators on the status of IS during
    recovery
    Deliverable: Memorandum or communication sent/Minutes of Meetings
15. Reviews latest database installation and configuration, and monitors
    performance of IS restored
    Deliverable: Monitoring and Status Report

Audit Service Continuity Team (ASCT)
(In coordination with Supervising Auditors)

1. Provides continued and uninterrupted audit services to the auditee, clients,
   and stakeholders of COA
   Deliverables:
   • Monthly Reports/Outcomes
   • Minutes of Meetings
   • Audit Work Papers
   • Audit Query Memorandum
   • Audit Observation Memoranda (AOM)/Audit Highlights/Information Systems
     Observation Memoranda
   • Notice of Suspension, Disallowance or Charge (NS/ND/NC)
2. Maintains operation of MEFs
   Deliverables:
   • Annual Audit Report/s
   • Management Letter/s (ML/s)
   • Special Audit Report/s
   • Performance Audit Report/s
   • Fraud Audit Report/s
   • Information Systems Audit Report/s
   • Legal Opinions
   • COA Decision/s

Finance and Procurement Team (FPT)
(In coordination with PFMS and GSO)

1. Secures availability of budget during emergency or disaster
   Deliverable: Approved Budget Proposal and separate bank account maintained for
   emergency or disaster
2. Accounts for expenditures related to the incident/disaster
   Deliverable: Consolidated Monthly Report of Expenditures related to the
   incident/disaster
3. Procures needed resources for the CPIRRT activities/program in support of the
   ASCP
   Deliverable: Approved disbursement vouchers and supporting documents relative to
   procurement
4. Secures key suppliers/contractors in times of emergency/disaster.
   Deliverable: Database of suppliers/contractors


5. Prepares the consolidated Monthly Report of Expenditures related to the
   incident/disaster and submits a copy to the Continuity Coordinator
   Deliverable: Consolidated Monthly Report of Expenditures
6. Prepares the consolidated Monthly Comparative Analysis between ASCP Approved
   Budget and Actual Expenditures and submits a copy to the Continuity Coordinator
   Deliverable: Consolidated Monthly Comparative Analysis between ASCP Approved
   Budget and Actual Expenditure

6.0 DEFINITION OF TERMS


a. Alert is a formal notification that an incident has occurred which might develop
into a Business Continuity Management or Crisis Management invocation;
(BCI Glossary 2011)

b. Alternate Site refers to a site held in readiness for use during Business
Continuity invocation to continue the urgent and important processes of an
organization. The term applies equally to office or technology requirements;
(BCI Glossary 2011)

c. Audit Service Continuity Plan refers to the documented procedures that will
guide the Commission on Audit to respond, recover, resume, and restore to a
pre-defined level of operation following disruption; (ISO 22301)

d. Call Tree is a structured cascade process that enables a list of persons, roles
and/or organizations to be contacted as a part of information exchange or plan
invocation procedure; (BCI Glossary 2011)

e. Continual Improvement refers to recurring activity to enhance performance;
(ISO 22300)

f. Continuity Event refers to an emergency caused by natural disasters, accidents,
military or terrorist attacks, technological emergencies, and infectious
disease/pandemic influenza threats, which impacts or has the potential to impact
the performance of essential functions; (Department of Energy Continuity
Programs)

g. Continuity of Operations pertains to the capability to continue essential
program functions and to preserve essential facilities, equipment, and records
across a broad range of potential emergencies; (Emergency Management
Standard 2007)

h. Crisis is an abnormal situation that threatens the operations, staff, customers, or
reputation of an enterprise; (BCI Glossary 2011)


i. Disruption is an event that interrupts normal business, functions, operations, or
processes, whether anticipated (e.g., hurricane, political unrest) or
unanticipated (e.g., a blackout, terror attack, technology failure, or earthquake);
(BCI Glossary 2011)

j. Emergency or emergent situations is an impending or actual situation that
may cause injury, loss of life, destruction of property or cause the interference,
loss or disruption of an organisation's normal business operations to such an
extent that it poses a threat; (BCI Glossary)

k. Exercise is a process to train for, assess, practice, and improve performance in
an organization. Exercises can be used for: validating policies, plans,
procedures, training, equipment, and inter-organizational agreements;
clarifying and training personnel in roles and responsibilities; improving
inter-organizational coordination and communications; identifying gaps in resources;
improving individual performance; and identifying opportunities for
improvement; and controlled opportunity to practice improvisation;

l. Incident is an event that has the capacity to lead to loss of or a disruption to an
organization's operations, services, or functions which, if not managed, can
escalate into an emergency, crisis, or disaster; (BCI Glossary 2011)

m. Mission Essential Function is the limited set of organization-level government
functions that must be continued throughout, or resumed rapidly after, a
disruption of normal activities; (FEMA)

n. Recovery refers to the implementation of prioritized actions required to return
an organization's processes and support functions to operational stability
following an interruption or disaster; (FEMA)

o. Recovery Time Objectives (RTO) refers to the period of time following an
incident within which: a) product or service must be resumed, or b) activity
must be resumed, or c) resources must be recovered;

p. Service Continuity refers to the capability of the organization to continue
delivery of products or services at acceptable predefined levels following
disruptive incidents; (ISO 22300)

q. Skeleton (Skeletal) Workforce (SWF) refers to a work arrangement where a
minimum number of employees is required to man the office to render service
when full staffing is not possible; (CSC MC 10, s. 2020)

r. Test refers to a unique and particular type of exercise, which incorporates an
expectation of a pass or fail element within the goal or objectives of the exercise
being planned; (ISO 22300)


s. Testing refers to the procedure for evaluation; a means of determining the
presence, quality, or veracity of something; (ISO 22300)

t. Tier refers to a level or grade within a hierarchy; and

u. Work-from-Home (WFH) refers to an output-oriented work arrangement that
authorizes the worker to produce outputs/results and accomplishments outside
of the office. (CSC MC 10, s. 2020)

7.0 ASSUMPTIONS

The COA ASCP is based on the following assumptions:

General Assumptions:

1. There are available officials and personnel to constitute the CCT with the
appropriate authority.
2. Offices in the custody of hard copy of the audit or legal evidence have sufficient
scanners, or audited agencies submit records/documents through electronic means.
3. The confidentiality, integrity, and authenticity of electronic/digital records are
protected.
4. Infrastructure, equipment/hardware and software, and electronic storage facilities
are available and operational.
5. Essential Supporting Activities are sufficiently provided.
6. Sufficient funds are available to implement continuity strategies.
7. State of national or local emergency has been declared by the national or local
government, respectively.
8. Temporary housing facilities or dormitories and provisions are available for the
CCT.
9. Other government agencies continue to function.

Specific Assumptions:

A. Major disasters such as the anticipated 7.2 magnitude earthquake caused by the "Big
One," strong typhoons, and fire
• Evacuation plans and procedures are established and aligned with the
Harmonized National Contingency Plan.
• COA premises may either be partially or completely damaged or inaccessible
for 30 to 60 days.
• Critical resources and lifeline services (e.g., water, electricity,
telecommunications) could be available within 48 hours.
• Mission-essential IT equipment, facilities, and data could be damaged or
unavailable.
• An offsite backup facility is available.
• Employees may not be able to work until the safety of the building structure is
ensured.


• Public transportation around the area might be affected due to possible damage
and/or unpassable infrastructures/road.
• Emergency medical services and facilities are available.

B. Minor incidents such as regular typhoons, rotating brownouts


• COA buildings can withstand regular typhoons and would remain in use. There
can be partial damage to the surroundings such as trees and light structures.
• Critical resources and lifeline services (e.g., water, electricity,
telecommunications) could be unavailable within 12 to 24 hours.
• A generator is on standby in a limited capacity in case the supply of electricity
is unavailable.
• Employees affected by the typhoon may not be able to report to work, and a
localized emergency has been issued by local chief executives.
• Shuttle buses are provided to transport personnel from the office to a place near
their residence or public transportation terminal.

C. Cyberattacks
• A Cybersecurity Incident Response Team under the Information Systems
Administration and Support Division (ISAdSD) is established with clear and
specific responsibilities and procedures.
• Mission-essential data could be lost. Restoration could take some time.
• The use of servers and networks could be unavailable for 24 hours.
• Soft copies of official files and records are available from the concerned sectors/
clusters/offices/teams.

D. Pandemic and other Health Hazards


• The workforce could be reduced to 50% or less, and a skeleton workforce is
imposed.
• Public transportation might be limited.
• Employees can work from home and remote auditing is enabled.
• Mission-essential IT equipment, facilities, and data are accessible online.
• Limited access and restricted visits of external clients/stakeholders to COA
premises for a particular transaction.

8.0 MISSION ESSENTIAL FUNCTIONS (MEF) AND RECOVERY TIME OBJECTIVES (RTO)

After risk assessment (Appendix F) and impact analysis (Appendix G), the RTO was
determined to be within 120 hours⁷ to restore these MEFs to avoid unbearable
consequences brought about by public complaints, loss of trust and confidence by the
stakeholders, or failure of COA to perform its constitutional and legal mandate.

7 The resumption of operations will be within 120 hours from the occurrence of disruption, provided the assumptions under
Section 7.0 are true.


The identified COA's MEFs that must be continued throughout or resumed as soon as
practicable after a disruptive incident are the following:

a. MEF: Conduct of audit on receipts and expenditures of government funds and
   issuance of relevant audit decisions, either through AOM, NS/ND/NC or conduct of
   assessment on the adequacy and effectiveness of controls to mitigate risks of
   audited entities.
   RTO: Tier 5: 120 hours

   The audit is the core function of the Commission and is much needed in times of
   disaster to assess if disaster funds are properly utilized and to assess if the
   government's disaster response and recovery programs are effective.

b. MEF: Submit Annual Audit and Financial Reports on the financial condition and
   operations of the government
   RTO: Tier 5: 120 hours

   Issuance/submission of Annual Audits and Financial Reports in times of crisis is
   necessary to inform the government, especially the President and Congress of the
   Philippines, of the financial condition and operations of various government agencies
   and the results of the audit, to facilitate well-informed decisions.

c. MEF: Promulgation of accounting and auditing rules and regulations
   RTO: Tier 5: 120 hours

   As experienced at the onset of the COVID-19 pandemic, the circulars/issuances issued by
   COA become vital in providing guidance to the auditors and to all government agencies.

9.0 ACTIVATION, CRITERIA, PROCEDURES, AND AUTHORITIES

9.1 Authority to Activate the ASCP

The Chairperson, as authorized by the Commission Proper, is responsible for the
declaration of a continuity event that signals the activation of the ASCP. However,
in case of life-threatening emergencies, it will be automatically activated and the
CPIRRT shall immediately perform the necessary emergency or recovery tasks,
without the need for activation.

In case of localized emergencies, the person holding the highest position in the area
shall take charge and oversee that certain emergency response procedures are timely
performed.

9.2 Activation and Deactivation Criteria

The ASCP may be activated when the Commission is prevented from performing its
MEFs due to any of the following events:

a. Catastrophic events that resulted in severe and widespread damage to mission-critical
COA property and equipment to the point where it becomes inoperable
or where continued use would endanger the health, well-being, or lives of
personnel. Examples include severe natural disasters like earthquakes, floods,
and storms;

b. Events that changed the working conditions such that, should personnel still be
allowed to go to work despite prevailing conditions, it would endanger human
life and well-being. Examples include epidemics, endemics, pandemics, severe
storms, and fallout from volcanic and nuclear explosions;

c. Events that prevented or disrupted the normal and regular conduct of COA
operations and/or its MEFs in an ordinary working day. Examples include
blockades, employee strikes (protests), cybercrimes, fires, forced takeover or
occupation of COA premises; and

d. Nationwide or localized declarations of a state of calamity, state of emergency,
or martial law.

The ASCP shall be deactivated once everything is normalized based on the
monitoring of Continuity Coordinators and Managers. When the effects of the event
that caused the activation of the ASCP cease to exist, the CPIRRT will assess if
the Commission can operate at normal capacity when reverted to normal operation.
If the result of the assessment is favorable, they will recommend the deactivation of
the ASCP.


9.3 Timeline of Activities

• The first person aware of the disaster or disruptive incident notifies the Continuity
Coordinators and Emergency Response/Recovery Team (ER/RT).

• ER/RT performs verification of the event and assessment of the situation within 24 hours.

• If the situation is apparently life-threatening, ER/RT automatically activates life-saving
emergency response measures and ensures that all personnel are accounted for.

• ER/RT, Continuity Coordinators and Continuity Managers assess impact on facilities and
vital processes. They shall, within 72 hours, submit a report covering, among other things,
the extent and impact of the disruptive incident, whether vital processes have been affected,
and when facilities are deemed inaccessible.

• The Chairperson will declare the activation of the ASCP as needed. However, in cases of
incidents requiring immediate response such as earthquakes, it will be automatically
activated. If critical IT applications and systems are also affected, then the IT Disaster
Recovery plan shall also be activated.

• Continuity Coordinators shall continuously perform assessment of the situation to
determine whether operations can be restored completely. Continuity Managers with the
assistance of CPIRRT shall develop a recommendation to the CP/Chairperson whether or
not the ASCP can be deactivated.

• Upon recommendation, the CP will declare the deactivation of the ASCP and resumption
of normal operations.

• Continuity Coordinators and CPIRRT shall conduct post-incident evaluation for continual
improvement, within five days from the deactivation of the ASCP.

10.0 CONTINUITY STRATEGIES

This section describes the strategies to prevent or mitigate the severity of potential
disruptions and enable the Commission to continue its MEFs and effectively respond
to incidents.

10.1 Vital Records

Vital records are those that are essential for the continuation or reconstruction of the
operations in times of disruptive incidents. This also includes those records essential to
the protection of the rights and interests of the Commission and its stakeholders. These
must be protected from all hazards as its loss during a disaster, emergency or crisis
could result in disruption of MEFs and loss of productivity due to information gaps.


The Commission shall incorporate its vital records program into the overall continuity
program, plans and procedures. Within 24 hours of activation of the ASCP, the CPIRRT
must have access to appropriate media for accessing vital records.

• Records Identification and Categorization

To provide sufficient and appropriate protection, the Records Management Division
(RMD) of the General Services Office, the Central Audit Evidence Management
Services, and all audit sectors shall identify which records are considered vital and
must be available during and after a disruption.

Vital records shall be categorized into two types:

a. Emergency Operating Records

These are immediately needed by the CCT during an emergency to
operationalize its disaster response and recovery procedures. These also include
records that support both critical activities and resumption of normal operations
based on the Commission's MEFs. These include the following documents,
among others:

o The ASCP
o The creation of the CCT
o Emergency plans and directives
o Order of Succession
o Delegations of authority
o Emergency staffing assignments including the lists of key personnel with
their address and contact details
o Employee contact list
o Vital Records inventory
o Evacuation Plans
o Records required to protect the health and safety of personnel
o Documents needed to perform audit services such as a complete set of
financial statements, updated books of accounts, trial balances and reports
with supporting schedules, Disbursement Vouchers (DVs), Official
Receipts (ORs) and validated deposit slips, Journal Entry Vouchers (JEVs),
AOM, NDs/NSs/NCs, audit working papers, audited entities' policies,
guidelines and procedures, contracts, information systems documentations,
etc.

b. Rights and Interest Records

These are needed to protect and preserve the Commission's legal and financial
rights and interests including the stakeholders affected by its activities. These
include the following documents, among others:

o Payroll, Financial and Budget reports such as Project Procurement
Management Plan and Budget and Financial Accountability Reports


o Personnel records
o Retirement records
o Contracts
o Systems documentation of the Financial Management Information System
o Cases pending before the Offices of the Director, Commission Proper and
the Supreme Court

Once identified and categorized, a Vital Records Register shall be developed
and maintained. The register shall capture the brief description of the record,
office/sector responsible for the record safekeeping, brief explanation on the
purpose of the record and why it is considered vital, storage location, date of
creation/update/disposal, retention, format, and accessibility requirements. An
annual review may be done to address new issues, update information and
incorporate any additional vital records identified.

• Records Duplication

One of the methods to protect vital records is through duplication. It is carried out
by creating a backup upon record creation, or by scheduling a periodic reproduction
of records. Vital records should be duplicated digitally as voluminous duplicate
paper copies are difficult and costly to maintain, fragile, and more exposed to
environmental hazards.

Electronic copies shall be maintained in a remote storage/cloud or offsite facility
strategically located in a place that is not susceptible to the same disaster that could
destroy the primary copy, yet readily accessible if needed. For vital records
that need to be retained for a long time, a readable format such as Portable
Document Format (PDF) or plain text format will be used.

The Systems and Technical Services Sector developed an Electronic Document
Portal (EDP) and Agency Records Custodial Information System (ARCIS) that will
serve as a repository of audit evidence in electronic form. Auditors shall create an
account in the EDP to be able to view and download the files uploaded by audited
entities, while the ARCIS is the electronic filing of the agency's records and
supporting documents that are turned over to the auditors being the custodian of
these financial documents pursuant to Sections 26 and 43(4) of PD No. 1445.

The Information Technology Office (ITO) databases and information systems are
maintained and controlled by the Information Technology (IT) Disaster Recovery
Team. These files are periodically backed up and stored at an offsite location as part
of normal operations. The most current backup copies are kept in a secure onsite
location with an attached list indicating the content of data backed up with the
corresponding data sources and server name. The primary data that was backed up
and secured in the off-site location are Programs, Databases and Systems, and other
Application files. Server mirroring is primarily implemented to create a
fault-tolerant and redundant server computing infrastructure. Duplicating the entire
contents of a server on another remote or in-house server allows data to be restored
if the primary server fails (Appendices H and I).


• Records Protection

Pursuant to PD No. 1445 and COA Circular No. 2011-001 dated 5 July 2011,
audited entities are required to provide a storeroom for the vouchers and documents
over which COA has legal custody, which is adequate in size and properly secured
from the elements, including from individuals/groups with malicious/evil
intentions.⁸ The auditors shall monitor the compliance of their auditees with this
provision.

To safeguard the protection of vital records stored on-site, designated file rooms
should have appropriate hazard protection equipment such as fire and burglar alarm
systems, suitable fire suppression system and adequate controls for temperature,
humidity, ventilation, and lighting, and periodic maintenance of storage rooms must
be done such as pest controls to prevent pest infestation that can destroy paper
documents. Personnel designated to act during an emergency should know the
location of the vital records by referring to the Vital Records Register. Access shall
be restricted to authorized personnel only. The function of managing and
safeguarding records should be lodged in the dedicated administrative staff of the
Commission with continuous service.

For the electronic backups, the ITO shall be responsible for implementing technical
security measures. Hardware and software used shall also be adequately maintained
and routinely tested to ensure that it will work amid disaster.

• Records Recovery and Restoration

A recovery plan shall be established to facilitate systematic vital records recovery
during the disruptive incident. It shall include prioritization and options for recovery
and restoration based on the Vital Records Register. In the event that remote audit
is activated, records needed to perform audit shall be made available for remote
access.

• Dissemination of Guidelines and Procedures

All COA personnel shall be informed by the RMS of the Vital Records
Categorization and Protection guidelines and procedures for effective
implementation. Training that focuses on identifying, inventorying, protecting,
storing, accessing, and updating vital records may be conducted.

8 Item 3.1.1 (b) of COA Circular No. 2011-011, p.2.

10.2 People

No organization can function without its people, being the essential resource for
continuity management and the organization will depend on their response as
individuals to disruptive events and as members of response, recovery, and restoration
teams.⁹ Hence, it is important to consider the people aspect of service continuity
including competence, awareness, and communication, and the organization's duty of
care.

• Personnel Support Mechanism and Protection

COA's main concern is to ensure the safety and safeguard the lives of its personnel
including its visitors and stakeholders that are within the vicinity of the Office. The
following continuity strategies aim to help employees in times of disaster,
emergency, or crisis:

o Develop, disseminate and post in a conspicuous place and COA website, the
COA's Emergency Evacuation Plan;
o Proper implementation of the COA Occupational Safety and Health Policy;
o Conduct periodic disaster preparedness training and annual conduct of
drills;
o Provide Emergency Response Equipment, First Aid Kits, and immediate
medical intervention, in case of injuries;
o Establish a Memorandum of Understanding/Memorandum of Agreement
with the nearest government health facility for emergency medical services
for occupational accidents and injuries to ensure medical services will be
available during emergency;
o Provide transportation services such as COA vehicles for CCT and
personnel performing MEFs;
o Provide temporary shelter (e.g., room in COA dormitory) for employees
displaced by a disaster;
o Ensure provision of health clinics or treatment rooms;
o Provide personal protective equipment and devices that conform to Rule
1080 of the Occupational Safety and Health (OSH) Standard for those
exposed to hazards;¹⁰
o Grant of emergency loan or loan moratorium during or after a disruptive
incident;
o Continue payroll and claims processing by ensuring continued services of
Planning, Financial and Management Sector, streamline approval for
funding requests and expense reimbursements and allow the use of digital
signature to expedite processing; and
o Implement the following measures in times of pandemic:
■ COA officials and employees who are reporting for work shall be
subjected to temperature checking. If the temperature reading is
above 37.5°C, the official/employee shall not be allowed to report
for work.
■ Social distancing shall be strictly implemented.
■ Frontliners shall be provided with Personal Protective Equipment
(e.g., face masks and face shields)

9 ISO/TS 22330 Security and resilience - Business continuity management systems - Guidelines for people aspects of continuity.
10 Item 1081.01 (1) of the OSH Standard.


■ Cleaning and disinfecting supplies such as alcohol/hand sanitizer,
acrylic shields in the working area shall also be provided to prevent
the spread of virus/infection.
■ The Medical and Dental Unit may provide webinars on how to cope
during the pandemic and/or may provide health/psychosocial
interventions such as counseling, stress debriefing to employees in
need.

• Order of Succession and Delegations of Authority

A COA Memorandum on the Order of Succession and Delegations of Authority
(Appendix J) shall be issued to provide clarity on who will be authorized to assume
the role, should the incumbent become unavailable. Pre-identifying orders of
succession is important to prevent delays in decision-making in case of
buck-passing during the disruptive incident. Pre-delegated authorities shall also be
defined to ensure that essential functions can continue even if the
Chairperson/Office and/or personnel who hold critical positions become
unavailable.

• Alternative Working Mechanism

An Alternative Work Arrangement (AWA) shall be adopted in accordance with the
applicable laws and regulations in the event of major disasters where COA premises
are completely damaged or inaccessible to help minimize exposure of COA
personnel to risks. These work arrangements include, but are not limited to, SWF,
WFH, compressed workweek, and staggered work hours. A COA Resolution and if
needed, a Memorandum shall be issued to provide guidance on the implementation
of the AWA and other precautionary measures. Updates shall also be released to
adopt the changes issued or ruled by the Civil Service Commission.

For the effective implementation of AWA, the Commission shall provide
computers, supplies, and internet/communication equipment needed by personnel
for the WFH arrangement. Access to documents of audited entities in an electronic
form necessary for the conduct of audit shall also be arranged. COA personnel may
defray reasonable expenses incurred during the WFH arrangement such as internet
fees and load, electricity, for reimbursement, subject to accounting and auditing
rules and regulations.

A COA Memorandum shall also be issued to raise awareness on how to protect the
data/audit evidence while in a WFH arrangement.

• Recruitment, Succession Planning and Manpower Augmentation Through Technology

The fast turnover of retiring personnel without immediate replacement poses threats
to service continuity. The lack of manpower and overlapping responsibilities of
auditors may affect their capacity to deliver timely services with the required
quality. Hence, fast-tracking the recruitment process and effective succession
planning become part of the Commission's continuity strategy. Capacity building
for personnel next in rank shall be done to familiarize them with the processes and
responsibilities for the next level position. In addition, there is a modernization
initiative to make use of technology such as data analytics tools and explore the use
of Artificial Intelligence to augment manpower through machine power.

10.3 Facilities and Equipment

The following continuity strategies aim to provide adequate protection to facilities
and equipment necessary to mitigate risks and ensure effective response and
recovery procedures after a disruptive incident:

• Inspection and Maintenance of Buildings

The structural integrity of COA buildings shall be evaluated on a yearly basis.
During the inspection, identify the potential hazards and immediately address the
weaknesses found. The COA Memorandum on OSH Policy also provides that
building construction and maintenance, space requirement, walk way surface, floor
and wall openings, stairs, window openings, fixed ladders, among others, must
conform to the provisions of Rule 1060 of the OSH Standard.¹¹

• Property Insurance

Building and high-value equipment shall be insured with the General Insurance
Fund of the Government Service Insurance System to cover loss of use from either
damage or theft, loss of value due to hazards and disasters, or the cost of
replacement.

• Physical and Environmental Security

Control measures to protect the systems, buildings, and related supporting
infrastructure against physical and environmental threats shall be implemented.
COA's Data Protection Policy and Control Framework provides a number of
controls as follows, among others:

o Security perimeters should be used to protect areas that contain information
and information processing facilities.
o Secure areas should be protected by appropriate entry controls to ensure that
only authorized personnel are allowed access. The server room shall be
restricted to entry of authorized persons through a combination door lock.
A closed-circuit television (CCTV) camera shall be installed to ensure that
each person entering the restricted area is identified. A logbook shall be
maintained to document the date, time, and information of the person who
entered the server room.

' Department of Labor and Employment, "Standard Colors of Signs for Safety Instruction and Warnings in Building Premises" in
Occupational Safety and Health Standards As Amended (Manila, 2007).


o Access points such as delivery and loading areas and other points where
unauthorized persons may enter the premises should be controlled and, if
possible, isolated from information processing facilities to avoid
unauthorized access.
o Physical protection against damage from fire, flood, earthquake, explosion,
civil unrest, and other forms of natural or man-made disaster should be
designed and applied.
o Fire suppression equipment must be in a strategic location and should be
tagged and inspected at least annually.
o Equipment should be protected to reduce the risks from environmental
threats and hazards, and opportunities for unauthorized access.
o Equipment should be protected from power failures and other disruptions
caused by failures in supporting utilities. Surge protectors should be used to
reduce the risk of damage to equipment due to power spikes. There shall be
an uninterruptible power supply (UPS) in the server rooms to allow time to
save any unsaved work and to shut down safely in case of power
interruption/failure.
o Generator sets should also be maintained to ensure an adequate supply of
electricity to continue operations despite power interruptions.
o Air conditioning, humidity, and ventilation control systems for the computer
equipment should be properly controlled to ensure that power remains
within the manufacturer's specifications.
o Power and telecommunications cabling carrying data or supporting
information services should be protected from interception or damage.
o Periodic maintenance of server rooms should be observed through the
conduct of pest controls to ensure that all equipment is free from pest
infestation that can damage cables, circuits, and other peripherals.

• Alternate facility

An alternate facility provides a fallback location for an organization to safely
transfer operations should the main facility become inoperable due to adverse
effects of disruptive incidents.

The Commission has two alternate sites that are located at a specified
confidential site (Please see Appendix I). These facilities contain a complete and
updated version of data, software, and programs needed to restore IT operations
in case of disruption. In addition to the Offsite Backup facilities, cloud services
are also set up to ensure that data are readily available for recovery. The cloud
services are the following:

• Backup as a Service (BaaS) - a method of offsite data storage in which files,
folders, or the entire contents of a hard drive are regularly backed up to a
remote secure cloud-based data repository over a network connection. This
method protects the information from the risk of loss associated with user
error, hacking, or any other kind of technological disaster.


• Disaster Recovery as a Service (DRaaS) - a cloud computing service model
that allows an organization to back up its data and IT infrastructure in a
third-party cloud-computing environment. This makes it possible to regain
access and functionality to IT infrastructure after a disaster.

10.4 Communication and Technology

The Commission shall identify available and redundant critical communication
and IT systems to support connectivity among key personnel, audited entities and
the public during emergency, crisis, and disaster conditions. A fully capable
continuity communication system that supports the needs of the Commission during
emergencies shall be maintained. Within 24 hours from the activation of the ASCP,
all necessary and required communications and IT capabilities must be
operational, with consideration to the safety of tech-support personnel.

The Commission shall undertake the following ICT continuity strategies:

o Identify primary and alternate communication system/medium.
o Develop guidelines on standard communication procedures during
disruptive incidents.
o Establish a call tree and hierarchy of communication.
o Maintain an updated employee emergency contacts/email addresses and key
contact lists.
o Develop and disseminate ICT Service Continuity Plan and Disaster
Recovery Plan.
o Ensure reliable internet connectivity.
o Acquire video conferencing platform licenses for online
meetings/conferences/webinars.
o Establish secure remote access connection to a central data repository.

11.0 RESOURCE REQUIREMENTS

This section includes a list of materials, finances, equipment, human resources,
augmentation, or other forms of resources required to implement continuity strategies.

1. End-user Requirements

The Commission shall provide the employees with the following in case of an emergency, crisis, or disaster:
• Cash advances
• Salary continuation
• Flexible work hours
• Reduced work hours
• Crisis or stress counseling
• Care packages or relief assistance
• Emergency loan or loan moratorium
• Shuttle service

• In extreme cases, temporary shelter for displaced personnel greatly affected by calamities

WFH employees shall be provided with the following:
• Laptop or desktop
• Internet and communication allowance

For CCT and personnel performing MEFs, the Commission shall provide meals, transportation, and temporary housing facilities, when needed.

2. Vital Records
• ASCP
• Emergency/Evacuation Plan and Procedures
• IT Continuity/Disaster Recovery Plan
• CCT and employees' contact details
• Vital Records Inventory such as audit documents to
include among others, complete set of financial
statements, updated books of accounts, trial balances
with supporting schedules, DVs, ORs, JEVs Reports
and its supporting schedule, AOMs, NDs/NSs/NCs,
audit work papers, audited entities' policies,
guidelines and procedures, contracts, information
systems documentations, etc.
• Legal documents, contracts, employees' records, and
other documents pertaining to the Commission
For the complete list refer to the accomplished Key Resource
Requirements Form - vital records (Appendix K)
3. Facilities and Equipment

Main Office
• Generator set
• Redundant/alternate power feeds and internet service provider
• Periodic maintenance of ICT equipment
• Transportation equipment
• Property insurance
• Emergency Rescue Equipment

Alternate Facility
• Backup server, data, application system
• Desktop/ laptop
• Printer
• Office tables and chairs
• Power feed
• Internet connection
• LAN or WAN connections
• Network devices
• File or storage cabinets

• Air-cooling equipment (e.g., Electric Fans, Air Conditioning for ICT Equipment)
• Emergency Lights
For the complete list refer to the accomplished Key Resource
Requirements Form - vital equipment (Appendix K)
4. Communication and Technology
• Call tree or employee contact list
• Video Conferencing Platform Licenses for online meetings/conferences/webinars.
For the complete list refer to the accomplished Key Resource
Requirements Form - employee contact list (Appendix K)

5. Key supplies and other Materials
• Office Supplies such as bond paper, pens, etc.
• Emergency kit such as a whistle to signal help, hand sanitizer, medicines, portable flashlight, tissue, bottled water, etc.
• Cleaning and disinfecting supplies such as alcohol, acrylic shields in the working area
• Personal Protective Equipment (e.g., face masks and face shields), when needed
• Fuel, oil and lubricants, spare parts for Genset and Transportation Equipment
• Cable wires, spare parts, and other peripherals for ICT Equipment
For the complete list refer to the accomplished Key Resources
Form - vital inventory/supplies (Appendix K)

6. Storage Requirements
• Alternate site or Cloud Storage

7. Key Contacts
• Refer to the Key Contacts Form (Appendix L)

12.0 COMMUNICATION PROCEDURES


Communication Diagram

Communications to external stakeholders shall be disseminated through the
following process:


1. A focal person / Data Protection Officer shall identify, evaluate, and classify the
information for dissemination based on existing COA issuances and data privacy
law.

2. Recipients shall be properly identified to ensure that the information provided is
appropriate based on its classification level and need-to-know principle.

3. The information shall be approved by the COA Chairperson/authorized person before
release.

4. Release information to identified external stakeholders through the Public Information
Office under the Office of the COA Chairperson.

Notification

Cascading of emergency notification shall be as follows:

Chairperson/ Commissioners

Continuity Managers

Continuity Coordinators


Communication Team

Office Representatives/Concerned Personnel or Stakeholders

Information Classification

All information, whether internal or external, shall be properly identified, evaluated,
and classified first before release based on the confidentiality and sensitivity of its
content. Information disseminated to identified recipients shall be based on a
need-to-know principle and information classification level.


Communication Platform

Target audiences shall be notified in the proper channels approved by the
Commission. Communications to external stakeholders shall be made through an
official letter/document. On the other hand, internal communication can be
disseminated through memoranda, text messages, emails, calls, and social media
accounts.

Call Tree Hierarchy Chart

A two-way communication process shall be implemented. Internal communications
may be relayed from the COA Chairperson down to the employees or in reverse
through the following structure. A documented contact list containing the name of
the office, name of the employee, designation, and contact information shall be
maintained and updated regularly or as changes occur. When a disruptive event
occurs, officials and personnel in the call tree will need to contact the
person above and below them to determine the organization's active strength in
terms of human resources. This will also determine if the order of succession needs
to be activated.

[Chart: call tree hierarchy, from top to bottom]

Commission Proper (Chairperson, Commissioners)
Assistant Commissioners
Directors
Supervising Auditors
Division Chiefs
Support Staff
Audit Team Leaders
Audit Team Members


Media Release

Release of information to the general public shall be disseminated through the
Public Information Office under the Office of the Chairperson. All communications
shall undergo the proper information classification and approval process.

13.0 TESTING AND MAINTENANCE OF THE ASCP


Frequency of Testing the Plans

The ASCP shall be tested on a biennial basis unless situations arise where the testing
should be conducted immediately or at the soonest practicable time.

These situations include, but are not limited to, the following:

a.) In anticipation or preparation for an inevitable or upcoming disruption such as
a catastrophic event;

b.) A change of administration, especially on the part of the CCT, which will require
orientation of the new administrators or appointees on the ASCP procedures;

c.) A significant change in the Commission's resources, such as new equipment
being procured or old equipment being decommissioned, that will affect the
execution of the ASCP procedures. Testing ensures that existing resources will serve
their purpose when the ASCP is activated.

d.) A change in the ASCP due to identification of a new MEF. This is to ensure that
updates or additional requirements incorporated in the revised ASCP will
support the performance of the new MEF in a well-ordered manner, especially
in times of a disastrous event.

ASCP Exercise/ Testing Methods

COA shall implement and maintain a program of exercising and testing to validate over
time the effectiveness of the ASCP strategies and solutions12 considering the change of
environment and equipment. An Exercise and Testing Plan shall be prepared for this
purpose (Appendix M). COA shall employ different testing methods which include, but
are not limited to, the following:

Discussion-based Exercises:

a.) Plan Review/Audit

12 ISO 22301:2019, Item 8.5.


This method involves a simple review and analysis of existing procedures in the
ASCP, discussing potential improvements thereat, ensuring that contact
information is up-to-date, ensuring that recovery contracts are still in place and
effective, and applicable disaster recovery scenarios are appropriately covered.13

b.) Training (Seminar/Workshop)

This method involves informing personnel of their roles and responsibilities
within the ASCP and teaching them skills related to those roles and
responsibilities, thereby preparing them for participation in exercises, tests, and
actual emergencies related to the ASCP. Training personnel on their roles and
responsibilities before an exercise or test is typically split between a
presentation on their roles and responsibilities and activities that allow
personnel to demonstrate their understanding of the subject matter.14

c.) Tabletop Exercise

This method involves personnel meeting in a classroom setting or in breakout
groups to discuss their roles during an emergency and their responses to a
particular emergency. A facilitator presents a scenario and asks the exercise
participants questions related to the scenario, which initiates a discussion among
the participants of roles, responsibilities, coordination, and decision-making.15

Operation-based Exercises:

d.) Drills
This method involves all personnel performing the pre-planned set of actions
for certain scenarios that threaten life and safety such as fires and earthquakes.
The pre-planned actions include what personnel should do during and after these
events in particular, where they should go and evacuate to, who they should
follow and contact, how they should act, and when they should perform these
actions.

e.) Functional Exercises

This method involves personnel validating their operational readiness for
emergencies by performing their duties in a simulated operational environment.
Functional exercises are designed to exercise the roles and responsibilities of
specific team members, procedures, and assets involved in one or more
functional aspects of a plan (e.g., communications, emergency notifications, IT
equipment setup). Functional exercises allow staff to execute their roles and
responsibilities as they would in an actual emergency, but in a simulated
manner.16 Functional exercises vary in complexity and scope but mostly validate
only specific functional aspects of the ASCP.

f.) Full-Scale Exercises

13 SBS CyberSecurity, Four Steps to Better Business Continuity Plan Testing, available at https://sbscyber.com/resources/four-steps-to-better-business-continuity-plan-testing (last accessed: December 9, 2020).
14 NIST SP 800-84: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, p. ES-2.
15 Ibid.
16 Ibid.


This method involves the same procedures as the functional exercises test, but
the scope includes all elements and functional aspects of the ASCP and is the
closest to a real-life catastrophic emergency. This exercise tries to ensure that
all functional aspects of the ASCP will work as planned.

ASCP Maintenance

COA shall review the ASCP regularly and update it to address changes to the
Commission, its systems, or environment of operation and problems encountered
during ASCP implementation, execution, or testing. These changes should be
communicated to the appropriate personnel. COA should also incorporate lessons
learned from ASCP testing, training, or actual contingency activities into its ASCP
testing and training.17 Comments or suggestions for improving this plan may be
provided to Training Facilitators, Continuity Managers, and Coordinators at any
time through their email addresses in Appendix L.

17 NIST SP 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations, Chapter III, Section CP-2, Control
items (d) to (g).


14.0 REFERENCES

• 1987 Philippine Constitution
• Business Continuity Institute Glossary
• COA Citizen's Charter 2019
• COA IT Business Continuity Plan
• COA Occupational Safety and Health Policy
• INTOSAI Crisis and Risk Management for SAI Performance
• Continuity of Operations Plan Template and Instructions by Federal Emergency
Management Agency
• ISO 22301:2012 Societal Security - Business Continuity Management Systems
(BCMS) - Requirements by International Organization for Standardization
• ISO 22301:2019 Security and resilience - BCMS - Requirements
• ISO/TS 22330 Security and Resilience - BCMS - Guidelines for people aspects of
continuity
• ISSAI 1000, Basic Fundamental Auditing Principles by the International Standards
of Supreme Audit Institutions
• National Institute of Standards and Technology (NIST) Special Publication (SP)
800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems
• NDRRMC Memorandum No. 33, s. 2018, Public Service Continuity Plan (PSCP)
Template for Government Agencies
• NIST SP 800-53, Revision 5: Security and Privacy Controls for Information
Systems and Organizations
• NIST SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and
Capabilities
• Public Service Continuity Guidebook by the Philippine Disaster Resilience
Foundation, Office of Civil Defense, and National Disaster Risk Reduction and
Management Council (NDRRMC)
• SBS CyberSecurity, Four Steps to Better Business Continuity Plan Testing
• World Risk Report 2019 edition by Bündnis Entwicklung Hilft and The Institute for
International Law of Peace and Armed Conflict (IFHV)

15.0 APPENDICES

APPENDIX A

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

OFFICE ORDER
No. 2023 - --

Subject: Creation of the Commission on Audit (COA) Continuity Core Team (CCT)
pursuant to the Audit Service Continuity Plan (ASCP)

Pursuant to COA Resolution No. dated adopting the ASCP, a CCT is hereby
constituted to (i) spearhead the review and continuous improvement of the COA ASCP, (ii) ensure
continuous and timely delivery of audit services and outputs during disruptive incidents, and (iii) help
COA to protect its human resource, recover its facility, data, and assets. The CCT shall be composed
of the following:

Head of the Agency: Chairperson

Senior Leaders: Commissioner I, Commissioner II

Continuity Managers: Assistant Commissioners

Continuity Coordinator Team (Per Cluster/Office):
Team Leader: Directors
Members: (to be nominated by the Directors)

Continuity Planning and Incident Recovery/Response Team:
Team Supervisor: (Appointed by the Chairperson)

A. Communication Team
Team Leader: (Director, Public Information Office)
Members: (All Service Chiefs from all sectors, ex-officio)

B. Emergency Response/Recovery Team
Team Leader: (Appointed by the Chairperson)
Members: (All Service Chiefs from all sectors, ex-officio)

C. Medical Team
Team Leader: (Chief, Medical and Dental Unit, Human Resource
Management Office)
Members: (All Medical personnel, ex-officio)

D. Administration Team
Team Leader: (Director, General Services Office (GSO))
Members: (All Service Chiefs from GSO, ex-officio)

E. Information Technology and Disaster Recovery Team
Team Leader: (Director, Information Technology Office (ITO))
Members: (All Service Chiefs from ITO, ex-officio)

F. Audit Service Continuity Team (per Audit Group)
Team Leader: (Supervising Auditor)
Members: (All team leaders and members)

G. Finance and Procurement Team
Team Leader: (Director, Planning, Finance and Management Office (PFMS))
Members: (Service Chiefs from PFMS and GSO personnel)

In case of personnel movements, the successor of the position shall be given a copy of
responsibilities attached to their position.

The overall duties and responsibilities of the CCT are as follows:

a. Facilitate the periodic review and refinement of the ASCP to include testing,
evaluation, packaging, updating and improvement;
b. Develop a work plan for the refinement and updating of the ASCP;
c. Organize consultation meetings with the planners and relevant technical experts
regarding the refinement of the ASCP;
d. Facilitate the presentation and endorsement of the revised ASCP to the
authorities for comments and approval; and
e. Perform such other related duties and responsibilities as the need arises.
Specific duties and responsibilities of the CCT are provided in Item No. 5, Roles and
Responsibilities of the ASCP.

The Assistant Commissioners and the Directors concerned shall supervise the proper
implementation of this Order.

GAMALIEL A. CORDOBA
Chairperson

APPENDIX B

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

CONTINUITY CORE TEAM STRUCTURE

[Chart: Continuity Core Team structure, from top to bottom]

Head of the Agency (Chairperson)
Senior Leaders (Commissioners)
Continuity Managers (Assistant Commissioners)
Continuity Coordinators (Directors)
Continuity Planning and Incident Response Recovery Team, composed of:
• Communication Team
• Emergency Response/Recovery Team
• Medical Team
• Administration Team
• IT Disaster Recovery Team
• Public Service Continuity Team
• Finance and Procurement Team

APPENDIX C

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

DAMAGE ASSESSMENT AND NEEDS ANALYSIS
INITIAL REPORT

Note: This shall be accomplished by the Continuity Planning and Incident Recovery/Response Team
and must be submitted to the Coordinator Team within 72 hours after disaster hits and will answer
the question:
"What are the damages and immediate needs?"

I. PROFILE OF THE DISASTER

Site Location/Address
Type of Disaster
Date and Time of Occurrence

Summary of Disaster/Incident:

II. INITIAL EFFECTS

Surveyed Location:

List of Affected Personnel

People (Name) | Sex | Age | Minor Injuries (Green) | Critical/Major Injuries (Red) | Dead (Black)

III. STATUS OF LIFELINES AND CRITICAL FACILITIES

Roads and Bridges
Electricity
Communication Networks
Clinic
Water Supply System
Residential Houses
Others

IV. INITIAL NEEDS ASSESSMENT CHECKLIST

Area | Summary of Damages | Priority Needs

Health
Food and Nutrition
Water, Sanitation and Hygiene (WASH)
Shelter and Non-Food Items
Electricity
Internet Connection
Others

V. FACILITIES AND EQUIPMENT CHECKLIST

FACILITIES
Building/Area | Minor/Repairable | Critical/Unsafe | Demolished/Collapsed

OTHER ASSETS
Asset (Count) | Operational | Damage/Repairable | Completely Damage
Laptop
Desktop
Printer
Photocopier
Lighting Fixtures
Vehicle
Aircon Unit
Server

Prepared By: Witnessed By:

Signature Over Printed Name Signature Over Printed Name


Position and Official Designation Position and Official Designation
Contact Number: Contact Number:
Email address: Email address:
Date: --------- Date: --------

APPENDIX D

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

IT DISASTER RECOVERY TEAM (DRT)

[Chart: IT Disaster Recovery Team structure, from top to bottom]

ITO-DRT: Director IV, Director III
ITO-DRT Management Team: DRT Head
DRT-ISAdSD: Service Chief
DRT-ISDMD: Service Chief
DRT-QuAID: Service Chief

APPENDIX E

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

IT DISASTER RECOVERY PLAN WORKFLOW

[Flowchart with two lanes: Incident Management Process and DR Procedures. Legible steps: Activation Phase, Impact Assessment, Estimate Downtime duration, Declare Disaster, Execution.]

APPENDIX F

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

RISK ASSESSMENT FOR CONTINUITY OF OPERATIONS

Column groups: HAZARD AND RISK IDENTIFICATION | RISK ANALYSIS | RISK EVALUATION AND CONTROL

Columns: THREAT | RISK | LIKELIHOOD | IMPACT | RISK SCORE | CURRENT CONTROL MEASURES IN PLACE | EFFECTIVENESS | RISK MITIGATING MEASURES

Guide for accomplishing each column:

THREAT: Natural, Human-Induced, Technological, Biological, External, Internal

RISK: Risks can be categorized as affecting the following:
1. People
2. Facility
3. Public
4. Process
5. Supply Chain
6. ICT

LIKELIHOOD: Assess likelihood in terms of FREQUENCY and PROBABILITY:
5- Frequent/Almost Certain
4- Likely
3- Possible
2- Unlikely
1- Rare

IMPACT: Assess the impact as:
5- Extreme
4- Major
3- Moderate
2- Minor
1- Incidental

RISK SCORE: Assess the risk as:
Very High
High
Moderate
Low
Very Low

CURRENT CONTROL MEASURES IN PLACE: Indicate current control measures in place (consider both infra and non-infra interventions)

EFFECTIVENESS: Assess the effectiveness of current controls:
5- With controls in place which are working and controls in place are industry-leading practices.
4- With highly effective controls in place, with little room for improvement.
3- With fairly effective controls in place but needs improvement
2- With Controls in place but are ineffective
1- No Controls in Place

RISK MITIGATING MEASURES: Action plan to further reduce or mitigate risks if current controls are not sufficient


THREAT: Earthquake (ground shaking)

RISK: People: Employees are affected and critical function holders will not be able to report for work
LIKELIHOOD: 3- Possible
IMPACT: 5- Extreme
RISK SCORE: 15- Moderate
CURRENT CONTROL MEASURES IN PLACE: Non-infra: Annual earthquake drills, evacuation plan
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Provision of a regular employee and family preparedness training.
2. Proper dissemination of the evacuation plan and emergency procedures during earthquakes.
3. Provision for temporary shelter safe from an earthquake and falling debris.
4. Provision of Personal Protective Equipment (e.g., Hard Hats and Emergency Response Equipment) and first aid kits to all personnel/offices/units.
5. Provision of sturdy work desk that can fit for "Duck, Cover and Hold" practice

RISK: Facility: Central Office and auditing units will be affected and rendered inaccessible
LIKELIHOOD: 3- Possible
IMPACT: 4- Major
RISK SCORE: 12- Moderate
CURRENT CONTROL MEASURES IN PLACE: Infra: Regular inspection/check-up of structural integrity of buildings and conduct of repairs and maintenance
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Identify potential hazards in the workplace and ensure the structural integrity of the buildings by stabilizing the structures.
2. Immediately address the weaknesses found during the building inspection.

RISK: ICT: Failure of IT-dependent systems and applications
LIKELIHOOD: 3- Possible
IMPACT: 4- Major
RISK SCORE: 12- Moderate
CURRENT CONTROL MEASURES IN PLACE: Infra: Regular inspection of data center to check structural integrity and proper positioning of servers
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Provision of another off-site backup facility and cloud subscription agreement for Backup as a Service and Disaster Recovery as a Service.

THREAT: Tropical Cyclone/Heavy Rainfall

RISK: People: Employees are affected and critical function holders will not be able to report for work
LIKELIHOOD: 5-Frequent or Almost Certain
IMPACT: 4-Major
RISK SCORE: 20-Very High
CURRENT CONTROL MEASURES IN PLACE: Non-infra: Work from Home arrangement, Back up strategies for key personnel
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Provision of Service Vehicle for employees with difficulty accessing office for work
2. Effective implementation of alternate working mechanism (e.g., WFH) for a percentage of personnel
3. Provision for temporary shelter in case the residence of the employee is flooded.

RISK: Facility: Central Office and auditing units will be affected and rendered inaccessible
LIKELIHOOD: 2-Unlikely
IMPACT: 4-Major
RISK SCORE: 8-Low
CURRENT CONTROL MEASURES IN PLACE: Infra: Regular building maintenance and inspection of its structural integrity, Adequate elevation of the building
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Provision for an alternate site
2. Address the weaknesses found during an inspection of the building's structural integrity.
3. Provision of online access by authorized employees on the internal information systems.
THREAT: Fire

RISK: People: Employees are affected and critical function holders will not be able to report for work
LIKELIHOOD: 3-Possible
IMPACT: 4-Major
RISK SCORE: 12-Moderate
CURRENT CONTROL MEASURES IN PLACE: Non-infra: Annual fire drills, evacuation plan
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Proper dissemination of the evacuation plan and emergency procedures during a fire.
2. Provision of first aid kits.

RISK: Facility: Central Office and auditing units will be affected and rendered inaccessible. People: Employees are affected and critical function holders will not be able to report for work
LIKELIHOOD: 3-Possible
IMPACT: 5-Extreme
RISK SCORE: 15-Moderate
CURRENT CONTROL MEASURES IN PLACE: Infra: Annual fire safety inspection of the building, existence of fire suppression systems, fire drills and evacuation plan
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Continuous maintenance and regular inspection of the building to ensure fire safety.
2. Regular inspection of fire suppression equipment to ensure that it will function effectively in times of disaster.
3. Provision for more fire exits in office buildings.
4. Posting of Fire Evacuation Plan on conspicuous places of office premises.
5. Provision of online access by authorized employees on the internal information systems.
THREAT: Cyberattack/Malwares

RISK: ICT: Failure of IT-dependent systems and applications
LIKELIHOOD: 3-Possible
IMPACT: 3-Moderate
RISK SCORE: 9-Low
CURRENT CONTROL MEASURES IN PLACE: Infra and Non-Infra: Existence of physical, organization and technical measures to maintain security of information assets. IT infrastructure of COA is upgraded with the latest cabling wires and fiber optic with high-end generator set to ensure continuous service.
EFFECTIVENESS: 4- With highly effective controls in place, with little room for improvement.
RISK MITIGATING MEASURES:
1. Existence of the functioning alternative off-site backup facility and in force cloud service agreement as a Back-up as a Service and Disaster Recovery as a Service
2. Regular update and provide security patch to software
3. Regular conduct of information security awareness training to auditors, budget and accounting personnel, GAS personnel, System and Database Administrators
4. Implement security controls such as installation of firewall, Intrusion Detection/Prevention Systems and ensure that these are updated.
THREAT: Pandemic (e.g., COVID-19)

RISK: People: Employees are affected and critical function holders will not be able to report for work
LIKELIHOOD: 2-Unlikely
IMPACT: 5-Extreme
RISK SCORE: 10-Moderate
CURRENT CONTROL MEASURES IN PLACE: Non-Infra: Conduct of health awareness and strict implementation of safety protocols to prevent spread of infections
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Implementation of WFH arrangement and safety protocols
2. Provision of Personal Protective Equipment (PPE) (e.g., face mask and face shields), Cleaning and Disinfecting Supplies, Acrylic Shields in Personnel Working Table and the like to protect employees from spread of viruses/infection.
3. Provision for laptops and supplies needed for the WFH arrangement and internet/load allowance.
4. Issuance of Guidelines/Circulars/Memoranda/Resolutions for remote audits and compliance of management with new audit requirements

RISK: Process: Safety and travel restrictions affect the operations.
LIKELIHOOD: 2-Unlikely
IMPACT: 5-Extreme
RISK SCORE: 10-Moderate
CURRENT CONTROL MEASURES IN PLACE: Non-Infra: Alternate working mechanism such as WFH arrangements and remote audit
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Upgrade of ICT and procurement of cloud services to allow conduct of audit remotely.
2. Use of electronic/digitalized documents in audit.
3. Provision of secured remote access to auditors.
THREAT: Power and telecommunication failure

RISK: Facility: Central Office and auditing units will be affected and rendered inaccessible
LIKELIHOOD: 3-Possible
IMPACT: 4-Major
RISK SCORE: 12-Moderate
CURRENT CONTROL MEASURES IN PLACE: Infra: Existence of generator sets, backup electrical supplies (i.e., solar-powered sources). Proper maintenance of telecommunication equipment
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Upgrade of generator sets to ensure supply of adequate electricity in all buildings.
2. Conduct of capacity planning to ensure that equipment is sufficient to meet the increasing needs of the users.
3. Provision of alternate network provider in case currently used telecommunication provider is down.

RISK: ICT: Failure of IT-dependent systems and applications
LIKELIHOOD: 3-Possible
IMPACT: 4-Major
RISK SCORE: 12-Moderate
CURRENT CONTROL MEASURES IN PLACE: Infra: Existence of backup. Proper maintenance of ICT equipment
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Existence of the functioning alternative off-site backup facility and in force cloud service agreement as a Backup as a Service and Disaster Recovery as a Service.

THREAT: Lack of manpower due to fast turnover of aging workforce without immediate replacement

RISK: People: Experienced workers/critical function holders will retire leaving a gap in the workforce
LIKELIHOOD: 5-Frequent or Almost Certain
IMPACT: 5-Extreme
CURRENT CONTROL MEASURES IN PLACE: Non-infra: Conduct of executive trainings for middle management personnel, conduct of coaching and mentoring, designation of next-in rank employees as OIC-Supervisors and OIC-Team Leaders.
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Implement an effective succession planning.
2. Fast-track the hiring of qualified and competent applicants and devise strategies to retain them with the COA for a long period.
3. Observance of ladder succession and capacity building.
4. Implement Mentoring and Coaching Program with immediate Supervisors so that personnel next in rank be familiarized and prepared with the processes and responsibilities of the next level position.

RISK: Process: Inefficient operations may affect the Commission's capacity to deliver services at the lowest cost and shortest time possible.
LIKELIHOOD: 3-Possible
IMPACT: 4-Major
RISK SCORE: 12-Moderate
CURRENT CONTROL MEASURES IN PLACE: Non-infra: Modernization initiative to make use of technology such as data analytics tools to improve and optimize its processes.
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Continuously conduct capacity building interventions/trainings for all concerned personnel to utilize available IT and audit tools/techniques and put in place an efficient and effective monitoring utilization tool.
2. Explore the use of Artificial Intelligence (AI) to augment its manpower through machine power to increase efficiency in audit.

THREAT: Terrorism

RISK: People: Employees are affected and critical function holders will not be able to report for work
LIKELIHOOD: 3-Possible
IMPACT: 4-Major
RISK SCORE: 12-Moderate
CURRENT CONTROL MEASURES IN PLACE: Non-infra: Presence of security personnel
EFFECTIVENESS: 3- With fairly effective controls in place but needs improvement
RISK MITIGATING MEASURES:
1. Provision for transportation in case public transport becomes unavailable.
2. Development of communication plan to ensure normal lines of communication during terrorist attacks.
3. Provision for counseling and other psychological help for employees affected.

INSTRUCTIONS:

Hazard and Risk Identification

1. Threat:
• Identify hazard/threat that could impact your office or organization.
• Consider possible external, natural, procedural, and internal hazards/ threats.
• Identify location-specific hazards. If an organization has different locations (e.g., same main office but different distant buildings), indicate scope
of Risk Assessment. Specify which hazards/threats are unique for certain locations.

2. Risk:
• Categorize the identified hazards/threats according to risk categories (People, Facility, Public, Process, Supply Chain, and ICT).
• Provide descriptions on how the categories are affected by the identified hazard/threat.

Risk Analysis

3. Likelihood:
• Conduct a risk analysis. Determine likelihood and severity.
• Assess likelihood or possibility in terms of FREQUENCY and PROBABILITY of occurrence: Five (5) as almost certain and one (1) as rare.
• Check hazard maps and assess previous occurrences.

4. Impact:
• Determine the risk rating and rate impact (consequence). Five (5) as extreme and one (1) as incidental/negligible.

5. Risk Score:
• This will automatically compute the Risk Rating/Score. (Risk score= Likelihood x Impact)

Risk Evaluation and Control

6. Current Controls Measures in Place:


• Identify controls that are currently in place for the potential threats. Examples of current controls include having fire detection, alarm, and suppression
system installed in the facility, conduct of regular earthquake and fire drills, IT backup.
• Emphasize that the identified controls should currently exist. Note that these are not yet the action plans.
• If there are no existing controls, indicate "none".

7. Effectiveness:
• Determine the effectiveness of the current controls in terms of rating. Indicate "none", if there is no control.
• Rate five (5) if controls are in place and are industry-leading practices, and one (1) if no controls are in place.
• Check the appropriate rating as indicated in the Risk Assessment template.

8. Risk Mitigating Measures:

• Indicate risk mitigating measures to address the gaps of current controls.


• Given the effectiveness rating, come up with risk mitigating measures (e.g., Action Plan) to address the current gaps of the controls.

APPENDIX G

REPUBLIC OF THE PHILIPPINES
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

IMPACT ANALYSIS

MISSION ESSENTIAL FUNCTION / MEF OUTPUT / MEF INPUT / IMPACT TO ORGANIZATION IF NOT PERFORMED / RECOVERY TIME OBJECTIVE (RTO) / RESOURCE REQUIREMENT

MISSION ESSENTIAL FUNCTION: Conduct of audit of receipts and expenditures of government funds and issuance of relevant audit decisions, either through Audit Observation Memorandum, Notice of Suspension/Disallowance/Charge (NS/ND/NC) and evaluate adequacy and effectiveness of controls to mitigate risks of audited entities
MEF OUTPUT: Audit Observation Memorandum, NS/ND/NC, Information Systems Review Observation Memorandum, Audit Highlights, Audit Reports, Management Letters (MLs), Summary of Audit Observations and Recommendations (SAORs), Cash Examination Reports (CERs), Technical Evaluation Reports
MEF INPUT: Complete set of Financial Statements (FS) accompanied by Statement of Management Responsibility for FS, updated books of accounts, supporting schedules, DVs, JEVs, ORs, Liquidation Reports (LRs), Cash Examination Reporting System, Various Reports from Management, Minutes of Meetings of the Board of Directors/Trustees or/Board Resolution, Information Systems Documentations, Audited entities' policies, guidelines and procedures, contracts, Memorandum of Agreement/Understanding (MOA/MOU) and other audit evidences
IMPACT TO ORGANIZATION IF NOT PERFORMED:
Operational: Failure to perform audit services may expose the Commission on Audit (COA) to stakeholder/public complaints
Reputational: Non-conduct of audit and non-preparation of audit reports may damage COA's reputation that will lead to loss of trust and confidence by the stakeholders (legislative, government and the public)
Regulatory: Non-performance of this function is a violation to Presidential Decree (PD) No. 1445, may raise accusation of culpable violation of the Constitution
RECOVERY TIME OBJECTIVE (RTO): Tier 5: 120 hours
RESOURCE REQUIREMENT:
People: Assistant Commissioners, Directors, Supervising Auditor (SA)/OIC-SA, Audit Team Leader (ATL)/OIC-ATL, Audit Team Members (1-10 members)
Facility/Equipment: Office space, stock room, office equipment
Communication/IT: Desktop/laptop, printer, scanner, telephone/cellphones, internet connection
Others: Budget, Technical support

MISSION ESSENTIAL FUNCTION: Submit Annual Reports on the financial condition and operation of government agencies
MEF OUTPUT: Transmitted and stamped received by Audit Reports, MLs, Audit Highlights/SAORs, CERs and Transmittal Letters
MEF INPUT: Reviewed Audit Reports, MLs, Audit Highlights/SAORs, CERs, Signed Transmittal Letters and Audit Opinions
IMPACT TO ORGANIZATION IF NOT PERFORMED:
Operational: Audited Agencies may not be aware of deficiencies and weaknesses and not take immediate corrective actions to improve government operations. Public will not be well-informed regarding whereabouts of government agencies and commitment to transparency and ensuring accountability for public resources will not be properly adhered.
Reputational: Decrease of trust and confidence of public and other stakeholders
Regulatory: Non-performance of this function is a violation to PD No. 1445, General Appropriations Act (GAA) and other applicable laws and regulations
RECOVERY TIME OBJECTIVE (RTO): Tier 5: 120 hours
RESOURCE REQUIREMENT:
People: Assistant Commissioners, Directors, SA/OIC-SA, ATL/OIC-ATL, Audit Team Members (1-10 members)
Facility/Equipment: Office space, stock room, office equipment
Communication/IT: Desktop/laptop, printer, scanner, telephone/cellphones, internet connection
Others: Budget, Technical support

MISSION ESSENTIAL FUNCTION: Promulgation of accounting and auditing rules and regulations
MEF OUTPUT: Approved COA Policies
MEF INPUT: Draft policy, research, comments and suggestions from COA officials and employees from various sectors and stakeholders that may be affected by the issuance of the policy
IMPACT TO ORGANIZATION IF NOT PERFORMED:
Operational: Failure to issue a policy in response to a pressing concern will result in confusion, inconsistencies and inaccuracies of audited entities' process. Without policies, it may be difficult to hold individuals accountable for their actions.
Reputational: Loss of credibility and trust in COA's leadership and decision making
RECOVERY TIME OBJECTIVE (RTO): Tier 5: 120 hours
RESOURCE REQUIREMENT:
People: Chairperson, Commissioners, Assistant Commissioners, Directors, Policy proponents
Communication/IT: Desktop/laptop, printer, scanner, telephone/cellphones, internet connection
Others: Budget, Technical support

INSTRUCTIONS:

1. Mission Essential Function (MEF) - List down the MEFs of the organization
2. MEF Output - Identify the products or services that are delivered by a particular MEF (e.g., vital reports produced, and information released through the
operations services
3. MEF Input - Determine whether the MEF requires information (e.g., reports from Local Government Units (LGUs), other agencies), services or
authorization from other offices (e.g., internal units, other government agencies) in performing the MEF
4. Impact to Organization if not performed - Classify the impact of disruption to the MEFs in terms of operational (affecting the service-provision of the
organization), regulatory (non-compliance to a legal or regulatory requirement), infrastructural (potential for losses due to failures of basic services,
organizational structures and facilities), and/or reputational (impact affecting the image of the organization)
5. Recovery Time Objective (RTO)- Determine each MEF's RTO. This is the target time for resumption of services per MEF once interrupted.
Impact Analysis Tiers: RTO
Tier 1: 0- 12 hours
Tier 2: 12 - 24 hours
Tier 3: 24- 48 hours
Tier 4: 48 - 72 hours
Tier 5: Beyond 72 hours
6. Resource Requirement - Determine what resources are needed in performing the MEF. Specify resource requirements for people,
communications/technology, facilities/equipment, partners and interdependencies.

APPENDIX H

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

NETWORK FAILOVER PLAN (NFP)

In case of a disaster resulting in inaccessibility of the COA Central Office Data Center,
all access to web applications and information systems servers (e.g., COA website, Online
Portal, and Audit Related Data Information System, etc.) will be directed to the Off-site
Backup location depending on the severity of the damage. Offsite replication will be
operated through Multiprotocol Label Switching based Virtual Private Network (MPLS
VPN). This connection is widely used for interconnecting data centers and branches.

1. NFP during minor disaster

[Diagram: COA Central Office Data Center, Off-site Backup]

2. NFP during major disaster

APPENDIX I

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

WEBSITES/INFORMATION SYSTEMS FAILOVER PLAN

In the event of website/information system failure in which the primary server is down, a
mirror server will be used as a temporary replacement until the primary server is operational.
Mirror servers are simultaneously running duplicate or backup computers that perform the
same function.

[Diagram: Failover Monitoring. Labels: Synchronized Servers; Primary Server is down!; End Users; Mirror Servers to the rescue]

*CONFIDENTIAL* The Commission has two alternate sites that are located at Professional Development
Center, COA Central Office, Commonwealth Avenue, Quezon City, and COA Regional Office No. III, City
of San Fernando, Pampanga. *CONFIDENTIAL*

APPENDIX J

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

MEMORANDUM

No.:
-----------
Date:
-----------

FOR: All Assistant Commissioners, Cluster Directors/Assistant Cluster Directors, Head of
Offices, Division/Service Chiefs and all Other Personnel Concerned

SUBJECT: Delegation of Authority and Order of Succession

This is a delegation of authority for the continuity of Mission Essential Functions through the
orderly succession of officials at the Commission on Audit (COA) in case of the Chairperson's
absence, a vacancy at that office, or the inability of the Chairperson to act during a disaster or national
security emergency.

DELEGATION

Authority and corresponding duties are hereby delegated to the following officials, in the order
listed below, to exercise the powers and perform the duties of the role, in case of absence, inability to
perform, or vacancy of the office, and until that condition ceases.

ROLE: Head of the Agency
PERMANENT/FOCAL PERSON: COA Chairperson
ALTERNATE 1: Commissioner I, then Commissioner II
ALTERNATE 2: Assistant Commissioner, Administration Sector

ROLE: Senior Leaders
PERMANENT/FOCAL PERSON: Commissioners
ALTERNATE 1: Assistant Commissioner, Administration Sector
ALTERNATE 2: Assistant Commissioner, Planning, Finance and Management Sector

ROLE: Continuity Manager
PERMANENT/FOCAL PERSON: Assistant Commissioners
ALTERNATE 1: Director upon the recommendation of Sector Head
ALTERNATE 2: Director upon the recommendation of Sector Head

ROLE: Continuity Coordinator
PERMANENT/FOCAL PERSON: Director IV
ALTERNATE 1: Director III
ALTERNATE 2: Service Chief upon the recommendation of Director

ROLE: Communication Team (CT)
PERMANENT/FOCAL PERSON: Team Leader, CT
ALTERNATE 1: Service Chief upon the recommendation of Director
ALTERNATE 2: Service Chief upon the recommendation of Director

ROLE: Emergency Response/Recovery Team (ER/RT)
PERMANENT/FOCAL PERSON: Team Leader, ER/RT
ALTERNATE 1: Service Chief upon the recommendation of Director
ALTERNATE 2: Service Chief upon the recommendation of Director

ROLE: Administration Team (AT)
PERMANENT/FOCAL PERSON: Team Leader, AT
ALTERNATE 1: Service Chief upon the recommendation of Director
ALTERNATE 2: Service Chief upon the recommendation of Director

ROLE: Medical Team (MT)
PERMANENT/FOCAL PERSON: Team Leader, MT
ALTERNATE 1: Service Chief upon the recommendation of Director
ALTERNATE 2: Service Chief upon the recommendation of Director

ROLE: Information Technology (IT) Disaster Recovery Team (IT DRT)
PERMANENT/FOCAL PERSON: Team Leader, IT DRT
ALTERNATE 1: Service Chief upon the recommendation of Director
ALTERNATE 2: Service Chief upon the recommendation of Director

Eligibility for succession to the role shall be limited to officially assigned incumbents of the
positions listed in the order of succession above. Only officials specifically designated in the approved
order of succession are eligible. Persons appointed on an acting basis, or on some other temporary
basis, are ineligible to serve as a successor; therefore, the order of succession would fall to the next
designated official in the approved order of succession.

The order of succession shall be triggered when the official concerned is incapacitated or
inaccessible for more than 72 hours from the start of the event causing the disruption to operation.

In an extreme case lasting more than 72 hours, the Human Resource Management
Office shall inform the most senior COA official to step in to prevent further damage to properties and
mitigate the effects of the situation.

For the guidance of all concerned.

GAMALIEL A. CORDOBA
Chairperson

APPENDIX K

REPUBLIC OF THE PHILIPPINES
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

KEY RESOURCE REQUIREMENTS FORM

This is the list of resource requirements of each office that should be provided and made available to the
employees for the resumption of operations after an incident (emergency, disaster, or crisis).
Office Name
Head of the Office
Phone and Cellphone Number
Email Address

Employee contact list

Complete contact details of employees needed in the operations.

Details of Employees: Name, Sex, Age, Office Address, Cellphone Number, Alternate Phone Number
Emergency Contact: Name, Relation, Cellphone Number/Telephone Number

Vital Records

A complete list of documents needed to support the Office operations.

Description, Primary Location of Records, Backup Location of Records, Format (Hard, scanned, softcopy)
Financial Statement
Payroll register

Vital Equipment18

A complete list of equipment needed to support the Office operations.


Description of the Equipment, Primary Location, Alternate Sources to Obtain, Name of Vendors/Suppliers and Contact No.
Laptop
Desktop
Printer

Vital Inventory/ Supplies

A complete list of all inventories needed to support the Office operations.


Description of the Inventory, Primary Location of Storage, Alternate Sources to Obtain, Name of Vendors/Suppliers and Contact No.
Office Supplies (bond, pens, etc.)
Name of drugs and medicine
Fuel, oil and lubricants

18 Office equipment, ICT equipment, Transportation equipment, etc.


APPENDIX L

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

KEY CONTACTS FORM

Head of Agency/ Senior Leader

Name, Office Address, Cellphone Number, Alternate Phone Number

Continuity Managers

Name, Office Address, Cellphone Number, Alternate Phone Number

Continuity Coordinators

Name, Office Address, Cellphone Number, Alternate Phone Number

Continuity Planning and Incident Recovery/ Recovery Team (CPIRRT)

Designation in the CPIRRT, Name, Office Address, Cellphone Number, Alternate Phone Number
Communication Team (CT) Team Leader

Government Emergency/ Hotline Contacts

Contact, Address, Hotline Number, Alternate Phone Number
Bureau of Fire Protection
Bureau of Jail Management and Penology
Police Station

Key suppliers/ vendors

Contact, Office Address, Cellphone Number, Alternate Phone Number


APPENDIX M

REPUBLIC OF THE PHILIPPINES

COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY

EXERCISE AND TEST PLAN

EXERCISE METHOD: Orientation on the ASCP
PARTICIPANTS: Commission Proper, Assistant Commissioners, Directors
EXERCISE OBJECTIVES: To provide an overview of the ASCP
SCHEDULE: Within two months from adoption of the policy.

EXERCISE METHOD: Orientation on the ASCP
PARTICIPANTS: National Capital Region (NCR) Service Chiefs, SAs/OIC-SAs and ATLs/OIC-ATLs
EXERCISE OBJECTIVES: To orient personnel on the ASCP, specifically, to:
1) Communicate the roles of each personnel relative to the established ASCP; and
2) Convey to the staff the established chain of command in time of disruptive incidents (emergency, crisis, or disaster)
SCHEDULE: Within three months from adoption of the policy.

EXERCISE METHOD: Tabletop Exercise for Activation and Communication during disruptive incidents
PARTICIPANTS: Continuity Core Team (CCT), CPIRRT, NCR Service Chiefs, SAs/OIC-SAs, and ATLs/OIC-ATLs
EXERCISE OBJECTIVES:
1) To demonstrate understanding of COA personnel, CCT, and CPIRRT on their roles and responsibilities during disruptive incidents;
2) To demonstrate understanding of procedures on the activation of ASCP, call-tree, the hierarchy of communication, primary and alternate communication system/medium; and
3) To document the exercise and assess the plan for improvement
SCHEDULE: Within four months from adoption of the policy and every month of July thereafter.

EXERCISE METHOD: Simulation exercises:
1) Earthquake Drill
2) Call-Tree
3) Fire Drill
PARTICIPANTS: CCT, CPIRRT, All COA Central Office personnel
EXERCISE OBJECTIVES:
1) To simulate emergency scenarios and determine if personnel, core team, and disaster control group understand and can carry out emergency duties; and
2) To assess the effectiveness of evacuation plans for earthquake and fire drills
SCHEDULE: Within four months from adoption of the policy and every month of July thereafter.
