Are You Prepared?

Recent natural disasters and technology failures demonstrate why disaster recovery should be a part of risk assessments, says consultant Steven Ulmer.


What is internal audit's role in ensuring the organization has a disaster recovery plan?

As we've recently seen, disasters — whether natural or from human activity — have shown the need for sound disaster recovery plans. Internal auditors play an assurance and consulting role in this arena, so they need to understand attitudes toward disaster recovery risk within their organizations. Disaster recovery should be part of the overall business continuity management process. For organizations that are ad hoc or reactive in their level of disaster recovery maturity, internal audit may need to assist in making the case to senior management for better preparedness.

As part of its risk assessment process, internal audit should examine the plan to determine whether operations have been prioritized appropriately, and whether risk assessments and responses are sufficient and cost effective. Internal audit should note whether the plan is a working document that is updated in a timely manner as important changes take place, including acquired businesses and new software and technologies. Based on the level of risk, internal audit should schedule audits of the disaster recovery processes to provide assurance that there are no significant gaps. Another opportunity for internal audit is educating senior management and the board on their responsibilities for ensuring effective risk management practices are in place for any outsourcing arrangements.

What should internal audit look for in a disaster recovery audit?

The areas to cover in a disaster recovery audit can depend to some extent on the size, number of locations, and complexity of the organization. The most common areas to review are which functions and systems are covered or excluded in the plan and why, testing multiple scenarios to identify vulnerabilities and gaps in the plan, inventory of equipment and software, and documentation of backup and recovery processes (IT and non-IT). Auditors should consider critical data backup storage and frequency, including data stored on computers, smartphones, and devices that employees may use for both work and personal use. Other items to review include testing of backup systems to be sure data can be restored; insurance coverage; legal involvement and review; disaster recovery contract provisions, including service-level agreements with outsourcers and suppliers; and whether responsibilities are clearly defined.


About the Author

Written by Internal Auditor magazine staff (https://iaonline.theiia.org/authors/Pages/Ia-Online-Staff.aspx).
