Recently, I had a very sobering experience. Last week I asked a group of about 100 internal auditors if, in the last five years, they had done an audit of the organization's disaster recovery plan, or had been involved in a disaster recovery test.
No one raised their hand.
I repeated and clarified the question. Still, no hands rose.
I was shocked and sobered.
A few days later I was telling this story. Someone overheard me and decided to ask another group of auditors the same question. Only one-third of the room raised their hands.
I am three levels of shocked.
1) That these auditors hadn't done an audit of the area in the last five years.
2) That the organizations for which the auditors worked hadn't tested the plan in five years.
3) (Maybe a worse scenario) That the organizations had performed tests, but hadn't included the auditors.
Am I missing something here? Isn't this the kind of work that is core to audit, to risk, and to the organization? Isn't this one of those no-brainer audit areas?
Or, as I say, am I missing something?
I look forward to your clarifications.