Disaster recovery and business continuity auditing

Disaster recovery and business continuity refers to an organization’s ability to recover from a disaster and/or unexpected event and resume or continue operations. Organizations should have a plan in place (usually referred to as a "Disaster Recovery Plan", or "Business Continuity Plan") that outlines how this will be accomplished. The key to successful disaster recovery is to have a plan (emergency plan, disaster recovery plan, continuity plan) well before disaster ever strikes.

Some of the key metrics to be measured in a disaster recovery environment is the Recovery Time Objective (RTO) and Recovery Point Objective (RPO ). RTO is a metric that measures the time that it takes for a system to be completely up and running in the event of a disaster. RPO measures the ability to recover files by specifying a point in time restore of the backup copy.

When conducting an audit of a disaster recovery plan several factors should be considered. These are described below.

Written disaster recovery plan with continual updating

To be effective the plan must be written, must be understandable, and must be accessible to those who need it when they need it. Because of the constant changes that occur in the modern business environment, a plan should be updated frequently to deal with new and existing threats as they develop. The auditor needs to determine if procedures stated in the plan to achieve these ends are actually used in practice.

This can be accomplished through:

• Direct observation of procedures
• Examination of the disaster recovery plan
• Inquiries of personnel

In other words, this needs to be a living and breathing program, so to speak, that is audited and updated on a regular basis as changes are identified that could affect the personnel and or area that has been devastated.

Designated hot site or cold site

A hot/cold site is a location that an organization can move to after a disaster if the current facility is unusable. The difference between the two is that a hot site is fully equipped to resume operations while a cold site does not have that capability. There is also what is referred to as a warm site which has the capability to resume some, but not all operations. The decision a company makes when determining what type of site to establish depends on a cost-benefit analysis and the needs of the individual organization. The plan should also spell out how relocation to a new facility is to be conducted. A company should have occasional tests and conduct trials to verify the viability and effectiveness of the plan and to determine if any deficiencies exist and how they can be dealt with. An audit of a company Disaster Recovery Plan should primarily look into the probability that operations of the organization can be sustained at the level that is assumed in the plan, as well as the ability of the entity to actually establish operations at the site.

The auditor should:

• Examine and test the procedures involved
• Conduct outside research relating to Disaster recovery
• Determine reasonable standards relating to implementation
• Tour, examine, and research the outside facility.

Ability to recover data and systems

The continual backing up of data and systems can help minimize the impact of threats. Even so, the plan should also include information on how best to recover any data that has not been copied. Controls and protections should be in place to ensure that data is not damaged, altered, or destroyed during this process. Information technology experts and procedures need to be identified that can accomplish this endeavor. Vendor manuals can also assist in determining how best to proceed.

Processes for frequent backup of systems and data

The auditor should determine if these processes are effective and are actually being implemented by personnel. This can be accomplished through:

• Direct observation of the processes
• Analyzing and researching the equipment used
• Conducting computer assisted audit techniques and tests
• Examination of paper and paperless records

Tests and drills of disaster procedures

Practice drills should be conducted periodically to determine how effective the plan is and to determine what changes may be necessary. The auditor’s primary concern here is verifying that these drills are being conducted properly and that problems uncovered during these drills are addressed and procedures designed to deal with these potential deficiencies are implemented and tested to determine their effectiveness.

Data and system backups stored offsite

The auditor can verify this through paper and paperless documentation and actual physical observation. Testing of the backups and procedures should be done to confirm data integrity and effective processes. The security of the storage site also needs to be confirmed.

Appointed disaster recovery committee and chairperson

The entity needs to appoint individuals responsible for designing and implementing the plan when needed. Generally, this consists of a team headed by a project manager, with a deputy manager who has the capability to take over the responsibilities if needed. The qualities needed for this position vary depending upon the organization.

The qualities of the project manager generally include:

• Good leadership abilities
• Strong knowledge of company business
• Strong knowledge of management processes
• Experience and knowledge in Information technology and security
• Good project management skills

Other members of the team need to have a clear understanding and ability to perform the requisite procedures. An auditor needs to examine and assess the project and deputy project manager’s training, experience, and abilities as well as to analyze the capabilities of the team members to complete assigned tasks and that more than one individual is trained and capable of doing a particular function. Tests and inquiries of personnel can help achieve this objective.

Visibly listed emergency telephone numbers

The auditor can verify through direct observation that emergency telephone numbers are listed and easily accessible in the event of a disaster.

Insurance

The auditor should determine the adequacy of the company's insurance coverage (particularly property and casualty insurance) through a review of the company's insurance policies and other research. Among the items that the auditor needs to verify are: the scope of the policy (including any stated exclusions), that the amount of coverage is sufficient to cover the organization’s needs, and that the policy is current and in force. The auditor should also ascertain, through a review of the ratings assigned by independent rating agencies, that the insurance company or companies providing the coverage have the financial viability to cover the losses in the event of a disaster.

Procedures allowing effective communication

Management and the recovery team should have Disaster Recovery Procedures which allow for effective communication. This can be accomplished by making sure contact information is easily accessible and drills conducted test communication abilities. Procedures should include non-technological as well as technological methodologies in case of power or system failures. Communications between the organization and outside individuals and organizations also need to be taken into account when designing the plan. Procedures to test this communication ability generally mirror those of the organization itself. The auditor should evaluate these procedures and assumptions to determine if they are reasonable and likely to be effective.

An auditor evaluation can be accomplished through:

• Testing of procedures
• An inquiry of all employees
• Comparisons to other company plans and industry standards
• Examination of company manuals and other written procedures

Updated system and operation documentation confirmation

Adequate records need to be retained by the organization. The auditor should physically examine records, billings, and contracts to verify this. Outside research such as contacting vendors may also be conducted to determine the reasonableness of management’s assertions.

Emergency procedures

Procedures for the stocking of food and water, capabilities of administering CPR/first aid, and dealing with family emergencies should be clearly written and tested. This can generally be accomplished by the company through good training programs and a clear definition of job responsibilities.

The auditor can verify this is accomplished through:

• Inquires of personnel
• Physical observation
• Examination of training records and any certifications

Backup of key personnel positions

Clearly written policies and specific communication with employees should be used to substantiate this. There must also be confirmation that the personnel backups can actually do the duties assigned to them in an event of an emergency. Periodic training can also help alleviate this. This training should include updates to existing job positions and testing to confirm proficiency.

The auditor needs to verify that:

• Policies are being enforced
• Testing is effective
• Training is adequate.

Hardware and software vendor list

Copies of this should be periodically updated and stored on and off site, as well as being accessible by those who require them. An auditor should test the procedures used to meet this objective and determine their effectiveness.

Mission statement

This should clearly identify what the purpose and goals of the Disaster Recovery Plan are. The mission statement can also help the auditor obtain a better understanding of the organization’s environment. An auditor should examine this to determine what the objectives, priorities, and goals of the plan are.

Both manual and automated procedures in place

Procedures in place to accomplish the needed objectives should take into account the possibility of power failures or other situations in which technology cannot be utilized. The plan should indicate what procedures to be used in this situation and should also include information on storage of flashlights and candles, as well as additional safety procedures in case of gas leaks, fires or other phenomena. Trial runs should be conducted to test the procedures' effectiveness and viability.

The auditor should:

• Examine and test procedures for reasonableness
• Make inquiries on personnel
• Conduct outside research

Contractual agreements with external agencies/companies

The plan needs to take into account the extent of its responsibilities to other entities and their ability to make those commitments in lieu of a major event. Are their clauses in contracts that minimize against any legal liability for lack of performance in the event of disaster or any other unusual circumstance? Agreements pertaining to establishing support and assisting with recovery for the entity should also be outlined.

The auditor should:

• Examine the reasonableness of the plan
• Determine whether it takes all factors into account
• Verify the contracts and agreements through documentation and outside research

Summary

In conducting the audit, the individual or team should make use of various other procedures and processes to achieve the objectives of the audit. These objectives should be clearly stated in the audit plan. Certification to the British Standard on Business Continuity BS 25999 is available from BSI.

See also

• Disaster recovery
• Information technology audit
• Information technology audit - operations
• Business continuity planning

External links

• The American Institute of Certified Public Accountants (AICPA)
• Information Systems Audit and Control Association (ISACA)
• Association of Information Technology Professionals (AITP)
• Institute of Internal Auditors (IIA)
• International Association for Computer Information Systems (IACIS)
• Information Systems Security Association (ISSA)
• International Disaster Recovery Association (IDRA)
• Business Recovery Managers Association (BRMA)
• British Standards Institute (BSI)

References

• Messier jr., W., F. (2003) Auditing & Assurance Services: A Systematic Approach. (3rd ed.) New York: McGraw-Hill/Irwin.
• Gallegos, F., Senft, S., Manson, D., Gonzales, C. (2004). Information Technology Control and Audit. (2nd ed.) Boca Raton, Florida: Auerbach Publications.