Coa Audit Service Continuity Plan - 0001
Classification INTERNAL USE
Document Title Audit Service Continuity Plan
COMMISSION ON AUDIT Document No.
Revision No. 0
Effective Date
No part of this document may be reproduced without prior permission from the Document Controller or his/her
authorized representative. A printed copy of this document is uncontrolled when unstamped.
TABLE OF CONTENTS
1.0 Introduction
2.0 Purpose
3.0 Continuity Policy Statement
4.0 Scope
5.0 Roles and Responsibilities
6.0 Definition of Terms
7.0 Assumptions
8.0 Mission Essential Functions and Recovery Time Objective
9.0 Activation, Criteria, Procedures and Authorities
10.0 Continuity Strategies
11.0 Resource Requirements
12.0 Communication Procedures
13.0 Testing and Maintenance of the ASCP
14.0 References
15.0 Appendices
Appendix A (Creation of COA Continuity Core Team)
Appendix B (Continuity Core Team Structure)
Appendix C (Damage Assessment and Needs Analysis Initial Report)
Appendix D (IT Disaster Recovery Team)
Appendix E (IT Disaster Recovery Plan Workflow)
Appendix F (Risk Assessment for Continuity of Operations)
Appendix G (Impact Analysis)
Appendix H (Network Failover Plan)
Appendix I (Websites/Information Systems Failover Plan)
Appendix J (Delegation of Authority and Order of Succession)
Appendix K (Key Resource Requirements Form)
Appendix L (Key Contacts Form)
Appendix M (Exercise and Test Plan)
ACRONYMS
1.0 INTRODUCTION
Amid emergency and emergent situations, the delivery of audit services takes on
heightened relevance and significance, given the public need to assess the efficiency,
effectiveness, and economy of the government's disaster risk intervention and response
programs, including the utilization of the huge amount of emergency public funds
allocated for the purpose.
In order to fulfill its constitutional mandate and maintain public trust in government
through continuous audit operations and incessant protection of its personnel during the
period of uncertainties or calamities, the COA develops and adopts a comprehensive
Audit Service Continuity Plan (ASCP) that provides the framework for building and
strengthening its organizational resiliency and capacity for emergency preparedness
and disaster response and recovery.
2.0 PURPOSE
Given that the Philippines ranks as the 9th riskiest country worldwide,³ government
agencies are exposed to both natural and human-induced hazards that can affect
operational continuity. Developing the COA ASCP is a key strategy to provide
roadmaps and methods that support the organization and its operation in times of
unforeseen disruptions and emergencies.
1 ISSAI 100 Fundamental Principles of Public-Sector Auditing.
2 Section 2(1) of Article IX-D of the 1987 Philippine Constitution.
3 World Risk Report 2019 edition.
As the Supreme Audit Institution of the Philippines, COA recognizes the need to
establish, implement and maintain an appropriate and effective continuity plan to ensure
timely delivery of audit services during emergency and emergent situations that cause
work disruptions, to ensure transparency and accountability over public resources, and
to help improve government operations as an enabling partner in good governance, after
taking into consideration the welfare and protection of its employees and resources, as
well as the needs of its stakeholders.
The Commission commits to the attainment of the following public service continuity
objectives:
4.0 SCOPE
The ASCP covers the COA Central Office and auditing units situated in the National
Capital Region (NCR), including all its personnel and external service providers. After
the first iteration, the succeeding version of this document will include sections for
offices and auditing units located outside NCR.
This ASCP does not cover certain incidents that may lead to a long-running crisis,
safety threat and work disturbances such as war, invasion and rebellion.
a. Facilitate the periodic review and refinement of the ASCP to include testing,
evaluation, packaging, updating, and improvement;
b. Develop a work plan for the refinement and updating of the ASCP;
c. Organize consultation meetings with the planners and relevant technical experts
regarding the refinement of the ASCP;
d. Facilitate the presentation and endorsement of the revised ASCP to the authorities
for comments and approval;⁵ and
e. Perform such related duties and responsibilities as the need arises.
| Planning Tasks | Deliverables |
|---|---|
| 1. Evaluates and approves the ASCP | Updated and Approved ASCP |
| 2. Ensures the continual improvement and update of the ASCP on a yearly basis or as the need arises | Minutes of Meeting |
| 3. Ensures that continuity programs are properly resourced by providing the necessary and sufficient funds and staff complement | Approved Budget |
| 4. Appoints continuity managers to oversee plan development, maintenance, and testing activities | Office Order appointing Continuity Manager/s |
| 5. Approves Order of Succession and Delegations of Authority | COA Memorandum relative to Order of Succession and Delegations of Authority |
| 6. Approves MEFs; acceptable "downtime" for each function; and risk for exposures which they elect not to address that has been identified in impact analysis | List of Approved MEFs |
5 PSCP Guidelines, p. 52.
| Planning Tasks | Deliverables |
|---|---|
| 7. Approves all alternate site decisions for the relocation of the MEFs | COA Resolution for Alternate Site Decisions |

For clarity, only the procedures concerning the shift to alternative work arrangements for the continuity of audit services need activation.
Procedures to prevent further loss of lives and property are automatically triggered by the emergent situation.
b. Alternate Site refers to a site held in readiness for use during Business
Continuity invocation to continue the urgent and important processes of an
organization. The term applies equally to office or technology requirements;
(BCI Glossary 2011)
c. Audit Service Continuity Plan refers to the documented procedures that will
guide the Commission on Audit to respond, recover, resume, and restore to a
pre-defined level of operation following disruption; (ISO 22301)
d. Call Tree is a structured cascade process that enables a list of persons, roles
and/or organizations to be contacted as a part of information exchange or plan
invocation procedure; (BCI Glossary 2011)
7.0 ASSUMPTIONS
General Assumptions:
1. There are available officials and personnel to constitute the CCT with the
appropriate authority.
2. Offices in the custody of hard copy of the audit or legal evidence have sufficient
scanners, or audited agencies submit records/documents through electronic means.
3. The confidentiality, integrity, and authenticity of electronic/digital records are
protected.
4. Infrastructure, equipment/hardware and software, and electronic storage facilities
are available and operational.
5. Essential Supporting Activities are sufficiently provided.
6. Sufficient funds are available to implement continuity strategies.
7. State of national or local emergency has been declared by the national or local
government, respectively.
8. Temporary housing facilities or dormitories and provisions are available for the
CCT.
9. Other government agencies continue to function.
Specific Assumptions:
A. Major disasters such as the anticipated 7.2 magnitude earthquake caused by the "Big
One," strong typhoons, and fire
• Evacuation plans and procedures are established and aligned with the
Harmonized National Contingency Plan.
• COA premises may either be partially or completely damaged or inaccessible
for 30 to 60 days.
• Critical resources and lifeline services (e.g., water, electricity,
telecommunications) could be available within 48 hours.
• Mission-essential IT equipment, facilities, and data could be damaged or
unavailable.
• An offsite backup facility is available.
• Employees may not be able to work until the safety of the building structure is
ensured.
• Public transportation around the area might be affected due to possible damage
and/or unpassable infrastructures/road.
• Emergency medical services and facilities are available.
C. Cyberattacks
• A Cybersecurity Incident Response Team under the Information Systems
Administration and Support Division (ISAdSD) is established with clear and
specific responsibilities and procedures.
• Mission-essential data could be lost. Restoration could take some time.
• The use of servers and networks could be unavailable for 24 hours.
• Soft copies of official files and records are available from the concerned sectors/
clusters/offices/teams.
7 The resumption of operations will be within 120 hours from the occurrence of disruption, provided the assumptions under
Section 7.0 are true.
The identified COA's MEFs that must be continued throughout or resumed as soon as
practicable after a disruptive incident are the following:
| MEF | RTO |
|---|---|
| a. Conduct of audit on receipts and expenditures of government funds and issuance of relevant audit decisions, either through AOM, NS/ND/NC or conduct of assessment on the adequacy and effectiveness of controls to mitigate risks of audited entities. | Tier 5: 120 hours |
In case of localized emergencies, the person holding the highest position in the area
shall take charge and ensure that certain emergency response procedures are performed
in a timely manner.
The ASCP may be activated when the Commission is prevented from performing its
MEFs due to any of the following events:
b. Events that changed the working conditions such that, should personnel still be
allowed to go to work despite prevailing conditions, it would endanger human
life and well-being. Examples include epidemics, endemics, pandemics, severe
storms, and fallout from volcanic and nuclear explosions;
c. Events that prevented or disrupted the normal and regular conduct of COA
operations and/or its MEFs in an ordinary working day. Examples include
blockades, employee strikes (protests), cybercrimes, fires, forced takeover or
occupation of COA premises; and
• The first person aware of the disaster or disruptive incident notifies the Continuity
Coordinators and the Emergency Response/Recovery Team (ER/RT).
• ER/RT performs verification of the event and assessment of the situation within 24 hours.
• If the situation is apparently life-threatening, ER/RT automatically activates life-saving
emergency response measures and ensures that all personnel are accounted for.
• ER/RT, Continuity Coordinators and Continuity Managers assess the impact on facilities and
vital processes. They shall, within 72 hours, submit a report covering, among other things,
the extent and impact of the disruptive incident, whether vital processes have been affected,
and when facilities are deemed inaccessible.
• The Chairperson will declare the activation of the ASCP as needed. However, in cases of
incidents requiring immediate response such as earthquakes, it will be automatically
activated. If critical IT applications and systems are also affected, then the IT Disaster
Recovery Plan shall also be activated.
• Upon recommendation, the CP will declare the deactivation of the ASCP and resumption
of normal operations.
• Continuity Coordinators and CPIRRT shall conduct a post-incident evaluation for continual
improvement within five days from the deactivation of the ASCP.
This section describes the strategies to prevent or mitigate the severity of potential
disruptions and enable the Commission to continue its MEFs and effectively respond
to incidents.
Vital records are those that are essential for the continuation or reconstruction of the
operations in times of disruptive incidents. This also includes those records essential to
the protection of the rights and interests of the Commission and its stakeholders. These
must be protected from all hazards, as their loss during a disaster, emergency or crisis
could result in disruption of MEFs and loss of productivity due to information gaps.
The Commission shall incorporate its vital records program into the overall continuity
program, plans and procedures. Within 24 hours of activation of the ASCP, the CPIRRT
must have access to appropriate media for accessing vital records.
o The ASCP
o The creation of the CCT
o Emergency plans and directives
o Order of Succession
o Delegations of authority
o Emergency staffing assignments including the lists of key personnel with
their address and contact details
o Employee contact list
o Vital Records inventory
o Evacuation Plans
o Records required to protect the health and safety of personnel
o Documents needed to perform audit services such as a complete set of
financial statements, updated books of accounts, trial balances and reports
with supporting schedules, Disbursement Vouchers (DVs), Official
Receipts (ORs) and validated deposit slips, Journal Entry Vouchers (JEVs),
AOM, NDs/NSs/NCs, audit working papers, audited entities' policies,
guidelines and procedures, contracts, information systems documentations,
etc.
These are needed to protect and preserve the Commission's legal and financial
rights and interests including the stakeholders affected by its activities. These
include the following documents, among others:
o Personnel records
o Retirement records
o Contracts
o Systems documentation of the Financial Management Information System
o Cases pending before the Offices of the Director, Commission Proper and
the Supreme Court
• Records Duplication
One of the methods to protect vital records is through duplication. It is carried out
by creating a backup upon record creation, or by scheduling a periodic reproduction
of records. Vital records should be duplicated digitally as voluminous duplicate
paper copies are difficult and costly to maintain, fragile, and more exposed to
environmental hazards.
The Information Technology Office (ITO) databases and information systems are
maintained and controlled by the Information Technology (IT) Disaster Recovery
Team. These files are periodically backed up and stored at an offsite location as part
of normal operations. The most current backup copies are kept in a secure onsite
location with an attached list indicating the content of the data backed up with the
corresponding data sources and server name. The primary data backed up
and secured in the offsite location are programs, databases and systems, and other
application files. Server mirroring is primarily implemented to create a fault-tolerant
and redundant server computing infrastructure. Duplicating the entire
contents of a server on another remote or in-house server allows data to be restored
if the primary server fails (Appendices H and I).
• Records Protection
Pursuant to PD No. 1445 and COA Circular No. 2011-001 dated 5 July 2011,
audited entities are required to provide a storeroom for the vouchers and documents
over which COA has legal custody, which is adequate in size and properly secured
from the elements, including from individuals/groups with malicious/evil
intentions.⁸ The auditors shall monitor the compliance of their auditees with this
provision.
To safeguard vital records stored on-site, designated file rooms
should have appropriate hazard protection equipment such as fire and burglar alarm
systems, a suitable fire suppression system, and adequate controls for temperature,
humidity, ventilation, and lighting. Periodic maintenance of storage rooms, such as
pest control, must be done to prevent pest infestation that can destroy paper
documents. Personnel designated to act during an emergency should know the
location of the vital records by referring to the Vital Records Register. Access shall
be restricted to authorized personnel only. The function of managing and
safeguarding records should be lodged in the dedicated administrative staff of the
Commission with continuous service.
For the electronic backups, the ITO shall be responsible for implementing technical
security measures. Hardware and software used shall also be adequately maintained
and routinely tested to ensure that they will work amid disaster.
• Records Recovery and Restoration
All COA personnel shall be informed by the RMS of the Vital Records
Categorization and Protection guidelines and procedures for effective
implementation. Training that focuses on identifying, inventorying, protecting,
storing, accessing, and updating vital records may be conducted.
10.2 People
No organization can function without its people, being the essential resource for
continuity management and the organization will depend on their response as
individuals to disruptive events and as members of response, recovery, and restoration
COA's main concern is to ensure the safety and safeguard the lives of its personnel
including its visitors and stakeholders that are within the vicinity of the Office. The
following continuity strategies aim to help employees in times of disaster,
emergency, or crisis:
o Develop, disseminate and post in a conspicuous place and COA website, the
COA's Emergency Evacuation Plan;
o Proper implementation of the COA Occupational Safety and Health Policy;
o Conduct periodic disaster preparedness training and annual conduct of
drills;
o Provide Emergency Response Equipment, First Aid Kits, and immediate
medical intervention, in case of injuries;
o Establish a Memorandum of Understanding/Memorandum of Agreement
with the nearest government health facility for emergency medical services
for occupational accidents and injuries to ensure medical services will be
available during emergency;
o Provide transportation services such as COA vehicles for CCT and
personnel performing MEFs;
o Provide temporary shelter (e.g., room in COA dormitory) for employees
displaced by a disaster;
o Ensure provision of health clinics or treatment rooms;
o Provide personal protective equipment and devices that conform to Rule
1080 of the Occupational Safety and Health (OSH) Standard for those
exposed to hazards;¹⁰
o Grant of emergency loan or loan moratorium during or after a disruptive
incident;
o Continue payroll and claims processing by ensuring continued services of
Planning, Financial and Management Sector, streamline approval for
funding requests and expense reimbursements and allow the use of digital
signature to expedite processing; and
o Implement the following measures in times of pandemic:
■ COA officials and employees who are reporting for work shall be
subjected to temperature checking. If the temperature reading is
above 37.5°C, the official/employee shall not be allowed to report
for work.
■ Social distancing shall be strictly implemented.
■ Frontliners shall be provided with Personal Protective Equipment
(e.g., face masks and face shields)
9 ISO/TS 22330 Security and resilience - Business continuity management systems - Guidelines for people aspects of continuity.
10 Item 1081.01 (1) of the OSH Standard.
A COA Memorandum shall also be issued to raise awareness on how to protect the
data/audit evidence while in a WFH arrangement.
The fast turnover of retiring personnel without immediate replacement poses threats
to service continuity. The lack of manpower and overlapping responsibilities of
auditors may affect their capacity to deliver timely services with the required
quality. Hence, fast-tracking the recruitment process and effective succession
• Property Insurance
Building and high-value equipment shall be insured with the General Insurance
Fund of the Government Service Insurance System to cover loss of use from either
damage or theft, loss of value due to hazards and disasters, or the cost of
replacement.
Department of Labor and Employment, "Standard Colors of Signs for Safety Instruction and Warnings in Building Premises" in
Occupational Safety and Health Standards As Amended (Manila, 2007).
o Access points such as delivery and loading areas and other points where
unauthorized persons may enter the premises should be controlled and, if
possible, isolated from information processing facilities to avoid
unauthorized access.
o Physical protection against damage from fire, flood, earthquake, explosion,
civil unrest, and other forms of natural or man-made disaster should be
designed and applied.
o Fire suppression equipment must be in a strategic location and should be
tagged and inspected at least annually.
o Equipment should be protected to reduce the risks from environmental
threats and hazards, and opportunities for unauthorized access.
o Equipment should be protected from power failures and other disruptions
caused by failures in supporting utilities. Surge protectors should be used to
reduce the risk of damage to equipment due to power spikes. There shall be
an uninterruptible power supply (UPS) in the server rooms to allow time to
save any unsaved work and to shut down safely in case of power
interruption/failure.
o Generator sets should also be maintained to ensure an adequate supply of
electricity to continue operations despite power interruptions.
o Air conditioning, humidity, and ventilation control systems for the computer
equipment should be properly controlled to ensure that power remains
within the manufacturer's specifications.
o Power and telecommunications cabling carrying data or supporting
information services should be protected from interception or damage.
o Periodic maintenance of server rooms should be observed through the
conduct of pest controls to ensure that all equipment is free from pest
infestation that can damage cables, circuits, and other peripherals.
• Alternate facility
The Commission has two alternate sites that are located at a specified
confidential site (Please see Appendix I). These facilities contain a complete and
updated version of data, software, and programs needed to restore IT operations
in case of disruption. In addition to the Offsite Backup facilities, cloud services
are also set up to ensure that data are readily available for recovery. The cloud
services are the following:
• In extreme cases, temporary shelter for displaced
personnel greatly affected by calamities
Communication Diagram
A focal person / Data Protection Officer shall identify, evaluate, and classify the
information for dissemination based on existing COA issuances and data privacy
law.
Recipients shall be properly identified to ensure that the information provided is
appropriate based on its classification level and need-to-know principle.
Notification
Chairperson/ Commissioners
Continuity Managers
Continuity Coordinators
Communication Team
Information Classification
Communication Platform
Commission Proper
Chairperson
Commissioners
Assistant Commissioners
Directors
Supervising Auditors
Division Chiefs
Support Staff
Audit Team Members
Media Release
The ASCP shall be tested on a biennial basis unless situations arise where the testing
should be conducted immediately or at the soonest practicable time.
These situations include, but are not limited to, the following:
b.) A change of administration especially on the part of the CCT which will require
orientation of the new administrators or appointees on the ASCP procedures;
d.) A change in ASCP due to identification of new MEF. This is to ensure that
updates or additional requirements incorporated in the revised ASCP will
support the performance of the new MEF in a well-ordered manner especially
in times of the disastrous event.
COA shall implement and maintain a program of exercising and testing to validate over
time the effectiveness of the ASCP strategies and solutions¹² considering the change of
environment and equipment. An Exercise and Testing Plan shall be prepared for this
purpose (Appendix M). COA shall employ different testing methods which include, but
are not limited to, the following:
Discussion-based Exercises:
This method involves a simple review and analysis of existing procedures in the
ASCP, discussing potential improvements thereat, ensuring that contact
information is up-to-date, ensuring that recovery contracts are still in place and
effective, and applicable disaster recovery scenarios are appropriately covered.
Operation-based Exercises:
d.) Drills
This method involves all personnel performing the pre-planned set of actions
for certain scenarios that threaten life and safety such as fires and earthquakes.
The pre-planned actions include what personnel should do during and after these
events in particular, where they should go and evacuate to, who they should
follow and contact, how they should act, and when they should perform these
actions.
SBS CyberSecurity. Four Steps to Better Business Continuity Plan Testing, available at https://sbscyber.com/resources/four-steps-to-better-business-continuity-plan-testing (last accessed: December 9, 2020).
NIST SP 800-84: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, p. ES-2.
Ibid.
Ibid.
This method involves the same procedures as the functional exercises test, but
the scope includes all elements and functional aspects of the ASCP and is the
closest to a real-life catastrophic emergency. This exercise tries to ensure that
all functional aspects of the ASCP will work as planned.
ASCP Maintenance
COA shall review the ASCP regularly and update it to address changes to the
Commission, its systems, or environment of operation and problems encountered
during ASCP implementation, execution, or testing. These changes should be
communicated to the appropriate personnel. COA should also incorporate lessons
learned from ASCP testing, training, or actual contingency activities into its ASCP
testing and training.¹⁷ Comments or suggestions for improving this plan may be
provided to Training Facilitators, Continuity Managers, and Coordinators at any
time through their email addresses in Appendix L.
¹⁷ NIST SP 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations, Chapter III, Section CP-2, Control
items (d) to (g).
14.0 REFERENCES
15.0 APPENDICES
APPENDIX A
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
OFFICE ORDER
No. 2023 - --
Subject: Creation of the Commission on Audit (COA) Continuity Core Team (CCT)
pursuant to the Audit Service Continuity Plan (ASCP)
Pursuant to COA Resolution No. dated adopting the ASCP, a CCT is hereby
constituted to (i) spearhead the review and continuous improvement of the COA ASCP, (ii) ensure
continuous and timely delivery of audit services and outputs during disruptive incidents, and (iii) help
COA to protect its human resource, recover its facility, data, and assets. The CCT shall be composed
of the following:
A. Communication Team
Team Leader: (Director, Public Information Office)
Members: (All Service Chiefs from all sectors, ex-officio)
C. Medical Team
Team Leader: (Chief, Medical and Dental Unit, Human Resource
Management Office)
Members: (All Medical personnel, ex-officio)
D. Administration Team
Team Leader: (Director, General Services Office (GSO))
Members: (All Service Chiefs from GSO, ex-officio)
In case of personnel movements, the successor of the position shall be given a copy of
responsibilities attached to their position.
a. Facilitate the periodic review and refinement of the ASCP to include testing,
evaluation, packaging, updating and improvement;
b. Develop a work plan for the refinement and updating of the ASCP;
c. Organize consultation meetings with the planners and relevant technical experts
regarding the refinement of the ASCP;
d. Facilitate the presentation and endorsement of the revised ASCP to the
authorities for comments and approval; and
e. Perform such other related duties and responsibilities as the need arises.
Specific duties and responsibilities of the CCT are provided in Item No. 5, Roles and
Responsibilities of the ASCP.
The Assistant Commissioners and the Directors concerned shall supervise the proper
implementation of this Order.
GAMALIEL A. CORDOBA
Chairperson
APPENDIX B
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
Senior Leaders (Commissioners)
Continuity Managers (Assistant Commissioners)
Continuity Coordinators (Directors)
APPENDIX C
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
Note: This shall be accomplished by the Continuity Planning and Incident Recovery/Response Team
and must be submitted to the Coordinator Team within 72 hours after disaster hits and will answer
the question:
"What are the damages and immediate needs?"
Site Location/Address
Type of Disaster
Date and Time of Occurrence
Summary of Disaster/Incident:
FACILITIES
Building/Area Minor/Repairable Critical/Unsafe Demolished/Collapsed
OTHER ASSETS
Asset (Count) Operational Damage/Repairable Completely Damage
Laptop
Desktop
Printer
Photocopier
Lighting Fixtures
Vehicle
Aircon Unit
Server
APPENDIX D
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
ITO-ORT
Director IV
Director III
ITO-ORT Management Team
ORT Head
DRT-ISAdSD Service Chief
DRT-ISDMD Service Chief
DRT-QuAID Service Chief
APPENDIX E
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
[Figure: workflow diagram. Legible labels: Activation Phase; Impact Assessment; downtime duration; Declare Disaster; Execution]
REPUBLIC OF THE PHILIPPINES
APPENDIX F
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
THREAT | RISK | LIKELIHOOD | IMPACT | RISK SCORE | CURRENT CONTROL MEASURES IN PLACE | EFFECTIVENESS | RISK MITIGATING MEASURES

THREAT: Natural, Human-Induced, Technological, Biological, External, Internal

RISK: Risks can be categorized as affecting the following:
1. People
2. Facility
3. Public
4. Process
5. Supply Chain
6. ICT

LIKELIHOOD: Assess likelihood in terms of FREQUENCY and PROBABILITY
5- Frequent/Almost Certain
4- Likely
3- Possible
2- Unlikely
1- Rare

IMPACT: Assess the impact as:
5- Extreme
4- Major
3- Moderate
2- Minor
1- Incidental

RISK SCORE: Assess the risk as:
Very High
High
Moderate
Low
Very Low

CURRENT CONTROL MEASURES IN PLACE: Indicate current control measures in place (consider both infra and non-infra interventions)

EFFECTIVENESS: Assess the effectiveness of current controls:
5- With controls in place which are working and controls in place are industry-leading practices.
4- With highly effective controls in place, with little room for improvement.
3- With fairly effective controls in place but needs improvement
2- With Controls in place but are ineffective
1- No Controls in Place

RISK MITIGATING MEASURES: Action plan to further reduce or mitigate risks if current controls are not sufficient
HAZARD AND RISK IDENTIFICATION | RISK ANALYSIS | RISK EVALUATION AND CONTROL

Threat: Earthquake (ground shaking)
Risk: People: Employees are affected and critical function holders will not be able to report for work
Likelihood: 3-Possible
Impact: 5-Extreme
Risk Score: 15-Moderate
Current Control Measures in Place: Non-infra: Annual earthquake drills, evacuation plan
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Provision of a regular employee and family preparedness training.
2. Proper dissemination of the evacuation plan and emergency procedures during earthquakes.
3. Provision for temporary shelter safe from an earthquake and falling debris.
4. Provision of Personal Protective Equipment (e.g., Hard Hats and Emergency Response Equipment) and first aid kits to all personnel/offices/units.
5. Provision of sturdy work desk that can fit for "Duck, Cover and Hold" practice

Threat: Earthquake (ground shaking)
Risk: Facility: Central Office and auditing units will be affected and rendered inaccessible
Likelihood: 3-Possible
Impact: 4-Major
Risk Score: 12-Moderate
Current Control Measures in Place: Infra: Regular inspection/check-up of structural integrity of buildings and conduct of repairs and maintenance
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Identify potential hazards in the workplace and ensure the structural integrity of the buildings by stabilizing the structures.
2. Immediately address the weaknesses found during the building inspection.

Threat: Earthquake (ground shaking)
Risk: ICT: Failure of IT-dependent systems and applications
Likelihood: 3-Possible
Impact: 4-Major
Risk Score: 12-Moderate
Current Control Measures in Place: Infra: Regular inspection of data center to check structural integrity and proper positioning of servers
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Provision of another off-site backup facility and cloud subscription agreement for Backup as a Service and Disaster Recovery as a Service.

Threat: Tropical Cyclone/Heavy Rainfall
Risk: People: Employees are affected and critical function holders will not be able to report for work
Likelihood: 5-Frequent or Almost Certain
Impact: 4-Major
Risk Score: 20-Very High
Current Control Measures in Place: Non-infra: Work from Home arrangement, Back up strategies for key personnel
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Provision of Service Vehicle for employees with difficulty accessing office for work
2. Effective implementation of alternate working mechanism (e.g., WFH) for a percentage of personnel
3. Provision for temporary shelter in case the residence of the employee is flooded.

Threat: Tropical Cyclone/Heavy Rainfall
Risk: Facility: Central Office and auditing units will be affected and rendered inaccessible
Likelihood: 2-Unlikely
Impact: 4-Major
Risk Score: 8-Low
Current Control Measures in Place: Infra: Regular building maintenance and inspection of its structural integrity, Adequate elevation of the building
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Provision for an alternate site
2. Address the weaknesses found during an inspection of the building's structural integrity.
3. Provision of online access by authorized employees on the internal information systems.

Threat: Fire
Risk: People: Employees are affected and critical function holders will not be able to report for work
Likelihood: 3-Possible
Impact: 4-Major
Risk Score: 12-Moderate
Current Control Measures in Place: Non-infra: Annual fire drills, evacuation plan
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Proper dissemination of the evacuation plan and emergency procedures during a fire.
2. Provision of first aid kits.

Risk: … critical function holders will not be able to report for work
Current Control Measures in Place: … implementation of safety protocols to prevent spread of infections
Effectiveness: … place but needs improvement
Risk Mitigating Measures:
… Equipment (PPE) (e.g., face mask and face shields), Cleaning and Disinfecting Supplies, Acrylic Shields in Personnel Working Table and the like to protect employees from spread of viruses/infection.
3. Provision for laptops and supplies needed for the WFH arrangement and internet/load allowance.
4. Issuance of Guidelines/Circulars/Memoranda/Resolutions for remote audits and compliance of management with new audit requirements

Risk: Process: Safety and travel restrictions affect the operations.
Likelihood: 2-Unlikely
Impact: 5-Extreme
Risk Score: 10-Moderate
Current Control Measures in Place: Non-Infra: Alternate working mechanism such as WFH arrangements and remote audit
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Upgrade of ICT and procurement of cloud services to allow conduct of audit remotely.
2. Use of electronic/digitalized documents in audit.
3. Provision of secured remote access to auditors.

Threat: Power and telecommunication failure
Risk: Facility: Central Office and auditing units will be affected and rendered inaccessible
Likelihood: 3-Possible
Impact: 4-Major
Risk Score: 12-Moderate
Current Control Measures in Place: Infra: Existence of generator sets, backup electrical supplies (i.e., solar-powered sources) Proper maintenance of telecommunication equipment
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Upgrade of generator sets to ensure supply of adequate electricity in all buildings.
2. Conduct of capacity planning to ensure that equipment is sufficient to meet the increasing needs of the users.
3. Provision of alternate network provider in case currently used telecommunication provider is down.

Threat: Lack of manpower due to fast turnover of aging workforce without immediate replacement
Risk: People: Experienced workers/critical function holders will retire leaving a gap in the workforce
Likelihood: 5-Frequent or Almost Certain
Impact: 5-Extreme
Risk Score:
Current Control Measures in Place: Non-infra: Conduct of executive trainings for middle management personnel, conduct of coaching and mentoring, designation of next-in rank employees as OIC-Supervisors and OIC-Team Leaders.
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Implement an effective succession planning.
2. Fast-track the hiring of qualified and competent applicants and devise strategies to retain them with the COA for a long period.
3. Observance of ladder succession and capacity building.
4. Implement Mentoring and Coaching Program with immediate Supervisors so that personnel next in rank be familiarized and prepared with the processes and responsibilities of the next level position.

Threat: Lack of manpower due to fast turnover of aging workforce without immediate replacement
Risk: Process: Inefficient operations may affect the Commission's capacity to deliver services at the lowest cost and shortest time possible.
Likelihood: 3-Possible
Impact: 4-Major
Risk Score: 12-Moderate
Current Control Measures in Place: Non-infra: Modernization initiative to make use of technology such as data analytics tools to improve and optimize its processes.
Effectiveness: 3- With fairly effective controls in place but needs improvement
Risk Mitigating Measures:
1. Continuously conduct capacity building interventions/trainings for all concerned personnel to utilize available IT and audit tools/techniques and put in place an efficient and effective monitoring utilization tool.
2. Explore the use of Artificial Intelligence (AI) to augment its manpower through machine power to increase efficiency in audit.
INSTRUCTIONS:
1. Threat:
• Identify hazard/threat that could impact your office or organization.
• Consider possible external, natural, procedural, and internal hazards/ threats.
• Identify location-specific hazards. If an organization has different locations (e.g., same main office but different distant buildings), indicate scope
of Risk Assessment. Specify which hazards/threats are unique for certain locations.
2. Risk:
• Categorize the identified hazards/threats according to risk categories (People, Facility, Public, Process, Supply Chain, and ICT).
• Provide descriptions on how the categories are affected by the identified hazard/threat.
Risk Analysis
3. Likelihood:
• Conduct a risk analysis. Determine likelihood and severity.
• Assess likelihood or possibility in terms of FREQUENCY and PROBABILITY of occurrence: Five (5) as almost certain and one (1) as rare.
• Check hazard maps and assess previous occurrences.
4. Impact:
• Determine the risk rating and rate impact (consequence). Five (5) as extreme and one (1) as incidental/negligible.
5. Risk Score:
• This will automatically compute the Risk Rating/Score. (Risk score= Likelihood x Impact)
7. Effectiveness:
• Determine the effectiveness of the current controls in terms of rating. Indicate "none", if there is no control.
• Rate five (5) if controls are in place and leading to practice and one (1) with no controls in place.
• Check the appropriate rating as indicated in the Risk Assessment template.
REPUBLIC OF THE PHILIPPINES APPENDIX G
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
IMPACT ANALYSIS
MISSION ESSENTIAL FUNCTION | MEF OUTPUT | MEF INPUT | IMPACT TO ORGANIZATION IF NOT PERFORMED | RECOVERY TIME OBJECTIVE (RTO) | RESOURCE REQUIREMENT

Mission Essential Function: Conduct of audit of receipts and expenditures of government funds and issuance of relevant audit decisions, either through Audit Observation Memorandum, Notice of Suspension/Disallowance/Charge (NS/ND/NC) and evaluate adequacy and effectiveness of controls to mitigate risks of audited entities
MEF Output: Audit Observation Memorandum, NS/ND/NC, Information Systems Review Observation Memorandum, Audit Highlights, Audit Reports, Management Letters (MLs), Summary of Audit Observations and Recommendations (SAORs), Cash Examination Reports (CERs), Technical Evaluation Reports
MEF Input: Complete set of Financial Statements (FS) accompanied by Statement of Management Responsibility for FS, updated books of accounts, supporting schedules, DVs, JEVs, ORs, Liquidation Reports (LRs), Cash Examination Reporting System, Various Reports from Management, Minutes of Meetings of the Board of Directors/Trustees or/Board Resolution, Information Systems Documentations, Audited entities' policies, guidelines and procedures, contracts, Memorandum of Agreement/Understanding (MOA/MOU) and other audit evidences
Impact to Organization if Not Performed:
Operational: Failure to perform audit services may expose the Commission on Audit (COA) to stakeholder/public complaints
Reputational: Non-conduct of audit and non-preparation of audit reports may damage COA's reputation that will lead to loss of trust and confidence by the stakeholders (legislative, government and the public)
Regulatory: Non-performance of this function is a violation to Presidential Decree (PD) No. 1445, may raise accusation of culpable violation of the Constitution
Recovery Time Objective (RTO): Tier 5: 120 hours
Resource Requirement:
People: Assistant Commissioners, Directors, Supervising Auditor (SA)/OIC-SA, Audit Team Leader (ATL)/OIC-ATL, Audit Team Members (1-10 members)
Facility/Equipment: Office space, stock room, office equipment
Communication/IT: Desktop/laptop, printer, scanner, telephone/cellphones, internet connection
Others: Budget, Technical support

Mission Essential Function: Submit Annual Reports on the financial condition and operation of government agencies
MEF Output: Transmitted and stamped received by Audit Reports, MLs, Audit Highlights/SAORs, CERs and Transmittal Letters
MEF Input: Reviewed Audit Reports, MLs, Audit Highlights/SAORs, CERs, Signed Transmittal Letters and Audit Opinions
Impact to Organization if Not Performed:
Operational: Audited Agencies may not be aware of deficiencies and weaknesses and not take immediate corrective actions to improve government operations. Public will not be well-informed regarding whereabouts of government agencies and commitment to transparency and ensuring accountability for public resources will not be properly adhered.
Reputational: Decrease of trust and confidence of public and other stakeholders
Regulatory: Non-performance of this function is a violation to PD No. 1445, General Appropriations Act (GAA) and other applicable laws and regulations
Recovery Time Objective (RTO): Tier 5: 120 hours
Resource Requirement:
People: Assistant Commissioners, Directors, SA/OIC-SA, ATL/OIC-ATL, Audit Team Members (1-10 members)
Facility/Equipment: Office space, stock room, office equipment
Communication/IT: Desktop/laptop, printer, scanner, telephone/cellphones, internet connection
Others: Budget, Technical support

Mission Essential Function: Promulgation of accounting and auditing rules and regulations
MEF Output: Approved COA Policies
MEF Input: Draft policy, research, comments and suggestions from COA officials and employees from various sectors and stakeholders that may be affected by the issuance of the policy
Impact to Organization if Not Performed:
Operational: Failure to issue a policy in response to a pressing concern will result in confusion, inconsistencies and inaccuracies of audited entities' process. Without policies, it may be difficult to hold individuals accountable for their actions.
Reputational: Loss of credibility and trust in COA's leadership and decision making
Recovery Time Objective (RTO): Tier 5: 120 hours
Resource Requirement:
People: Chairperson, Commissioners, Assistant Commissioners, Directors, Policy proponents
Communication/IT: Desktop/laptop, printer, scanner, telephone/cellphones, internet connection
Others: Budget, Technical support
INSTRUCTIONS:
1. Mission Essential Function (MEF) - List down the MEFs of the organization
2. MEF Output - Identify the products or services that are delivered by a particular MEF (e.g., vital reports produced, and information released through the
operations services)
3. MEF Input - Determine whether the MEF requires information (e.g., reports from Local Government Units (LGUs), other agencies), services or
authorization from other offices (e.g., internal units, other government agencies) in performing the MEF
4. Impact to Organization if not performed - Classify the impact of disruption to the MEFs in terms of operational (affecting the service-provision of the
organization), regulatory (non-compliance to a legal or regulatory requirement), infrastructural (potential for losses due to failures of basic services,
organizational structures and facilities), and/or reputational (impact affecting the image of the organization)
5. Recovery Time Objective (RTO) - Determine each MEF's RTO. This is the target time for resumption of services per MEF once interrupted.
Impact Analysis Tiers: RTO
Tier 1: 0 - 12 hours
Tier 2: 12 - 24 hours
Tier 3: 24 - 48 hours
Tier 4: 48 - 72 hours
Tier 5: Beyond 72 hours
6. Resource Requirement - Determine what resources are needed in performing the MEF. Specify resource requirements for people,
communications/technology, facilities/equipment, partners and interdependencies.
APPENDIX H
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
In case of a disaster resulting in inaccessibility of the COA Central Office Data Center,
all access to web applications and information systems servers (e.g., COA website, Online
Portal, Audit Related Data Information System, etc.) will be directed to the Off-site
Backup location depending on the severity of the damage. Offsite replication will be
operated through a Multiprotocol Label Switching based Virtual Private Network (MPLS
VPN). This connection is widely used for interconnecting data centers and branches.
APPENDIX I
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
In the event of website/information system failure in which the primary server is down, a
mirror server will be used as a temporary replacement until the primary server is operational.
Mirror servers are simultaneously running duplicate or backup computers that perform the
same function.
[Figure: Failover Monitoring. Labels: Synchronized Servers; Primary Server is down!; End Users; Mirror Servers to the rescue]
*CONFIDENTIAL* The Commission has two alternate sites that are located at Professional Development
Center, COA Central Office, Commonwealth Avenue, Quezon City, and COA Regional Office No. III, City
of San Fernando, Pampanga. *CONFIDENTIAL*
APPENDIX J
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
MEMORANDUM
No.:
-----------
Date:
-----------
This is a delegation of authority for the continuity of Mission Essential Functions through the
orderly succession of officials at the Commission on Audit (COA) in case of the Chairperson's
absence, a vacancy at that office, or the inability of the Chairperson to act during a disaster or national
security emergency.
DELEGATION
Authority and corresponding duties are hereby delegated to the following officials, in the order
listed below, to exercise the powers and perform the duties of the role, in case of absence, inability to
perform, or vacancy of the office, and until that condition ceases.
ROLE | PERMANENT/FOCAL PERSON | Alternate 1 | Alternate 2
Communication Team (CT) | Team Leader, CT | Service Chief upon the recommendation of Director | Service Chief upon the recommendation of Director
Emergency Response/Recovery Team (ER/RT) | Team Leader, ER/RT | Service Chief upon the recommendation of Director | Service Chief upon the recommendation of Director
Administration Team (AT) | Team Leader, AT | Service Chief upon the recommendation of Director | Service Chief upon the recommendation of Director
Medical Team (MT) | Team Leader, MT | Service Chief upon the recommendation of Director | Service Chief upon the recommendation of Director
Information Technology (IT) Disaster Recovery Team (IT DRT) | Team Leader, IT DRT | Service Chief upon the recommendation of Director | Service Chief upon the recommendation of Director
Eligibility for succession to the role shall be limited to officially assigned incumbents of the
positions listed in the order of succession above. Only officials specifically designated in the approved
order of succession are eligible. Persons appointed on an acting basis, or on some other temporary
basis, are ineligible to serve as a successor; therefore, the order of succession would fall to the next
designated official in the approved order of succession.
The order of succession shall be triggered when the official concerned is incapacitated or
inaccessible for more than 72 hours from the start of the event causing the disruption to operations.
In an extreme case lasting more than 72 hours, the Human Resource Management
Office shall inform the most senior COA official to step in to prevent further damage to properties and
mitigate the effects of the situation.
GAMALIEL A. CORDOBA
Chairperson
APPENDIX K
REPUBLIC OF THE PHILIPPINES
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
This is the list of resource requirements of each office that should be provided and made available to the
employees for the resumption of operations after an incident (emergency, disaster, or crisis).
Office Name
Head of the Office
Phone and Cellphone Number
Email Address
Vital Records
Vital Equipment
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
Continuity Managers
Continuity Coordinators

| Name | Designation in the CPIRRT | Office Address | Cellphone number | Alternate phone number |
|---|---|---|---|---|
| | Communication Team (CT) Team Leader | | | |
Government Emergency/Hotline Contacts
APPENDIX M
COMMISSION ON AUDIT
COMMONWEALTH AVENUE, QUEZON CITY
| EXERCISE METHOD | PARTICIPANTS | EXERCISE OBJECTIVES | SCHEDULE |
|---|---|---|---|
| Orientation on the ASCP | Commission Proper, Assistant Commissioners, Directors | To provide an overview of the ASCP | Within two months from adoption of the policy. |
| Orientation on the ASCP | National Capital Region (NCR) Service Chiefs, SAs/OIC-SAs and ATLs/OIC-ATLs | To orient personnel on the ASCP, specifically, to: 1) Communicate the roles of each personnel relative to the established ASCP; and 2) Convey to the staff the established chain of command in time of disruptive incidents (emergency, crisis, or disaster) | Within three months from adoption of the policy. |
| Tabletop Exercise for Activation and Communication during disruptive incidents | Continuity Core Team (CCT), CPIRRT, NCR Service Chiefs, SAs/OIC-SAs, and ATLs/OIC-ATLs | 1) To demonstrate understanding of COA personnel, CCT, and CPIRRT on their roles and responsibilities during disruptive incidents; 2) To demonstrate understanding of procedures on the activation of ASCP, call-tree, the hierarchy of communication, primary and alternate communication system/medium; and | Within four months from adoption of the policy and every month of July thereafter. |