Your audit client, Bank of Vancouver, a new client of your audit form has provided you with some background information about their IT process:

Bank of Vancouver is a holding company that operates banks in five provinces and two states to provide commercial lending and banking operationsas well as credit card, trust, mortgage, investment, and advisory services. They expect to report $20 Billion in assets for 2020.Responsibility for Business Continuity Management (BCM) falls to the CIO, who joined the company in 2019 to oversee the organization's Business Continuity Planning (BCP), Disaster Recovery Plan (DRP), and Information Security.With the threats of cyberattack in the financial industry, Bank of Vancouver is also looking into its cybersecurity program to identify ways to improve it.

The CIO came from many years of IT experience in the manufacturing sector.External consultant are also hired to handle the development of the BCP and DRP, as well as the security program in order to obtain external knowledge and expertise.The External vendors manage the project and keep all the documentation on behalf of the Bank.The External vendors will inform the Bank when there are areas needed for attention and also notify the Bank when there are security incidents that the Bank should be aware of.

The CIO meet with the external vendors on an annual basis to make sure that the vendors have no issues delivering their service to the Bank.Other than this annual meeting, the Bank receives one SOC report from one of the vendors who are hosting a cold site for the Bank and also many other companies.The SOC report is filed by the Accounting Department for Vendor management purpose.

With respect to the program, IT involves the Procurement Department headed by the Financial Controller to make sure the purchases are made in accordance to the Financial Plan and Budget of the Company.The CEO annually approves the Budget. For the DRP, the External Vendor run annual test at their sites to make sure it is workable.They would also contact the various departments of the Bank if they require any information to update the DRP.A standard questionnaire form is used by the Vendor.

As the IT auditor to Bank of Vancouver, please a prepare memo to your audit partner outlining some potential issues to the BCP/DRP and Cybersecurity program at the Bank.