Having a disaster recovery plan in place is a key step toward making sure your business can recover data and continue operations in the event of a disaster. Auditing the plan ensures that it addresses people, process and technology issues and relevant controls. Business continuity expert Paul F. Kirvan, FBCI, CBCP, CISSP, discusses disaster recovery auditing in this Q&A. His answers are also available as an mp3 below.
What is a disaster recovery audit?
Let's begin by quickly reviewing IT audits, since a disaster recovery (DR) audit may be an area addressed in the IT audit process. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, procedures, operations and governance. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.
These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. IT audits focus on determining risks that are relevant to information assets, and in assessing controls so as to reduce or mitigate these risks. By implementing controls, the impact of risks can be minimized, but controls, no matter how comprehensive, cannot completely eliminate all risks.
The key to successful disaster recovery is to have a plan (such as an emergency plan, technology recovery plan, business continuity plan) well before disaster ever strikes. Auditing the plan ensures that it addresses people, process and technology issues and relevant controls so that the plan is likely to work as anticipated, especially when faced with a real emergency.
What factors should be considered as a part of a disaster recovery audit?
The following are items that should be addressed in a disaster recovery audit:
- Disaster recovery policies, mission statement
- Written disaster recovery plan with continual updating
- Designated hot site or cold site
- Ability to recover data and systems
- Processes for frequent backup of systems and data
- Tests and drills of disaster procedures
- Data and system backups stored offsite
- Appointed disaster recovery committee and chairperson
- Visibly listed emergency telephone numbers
- Procedures allowing effective communication
- Updated and validated system and operational documentation
- Emergency procedures
- Backup of key personnel positions
- Hardware and software vendor lists
- Both manual and automated procedures in place
- Contractual agreements with external agencies/companies, such as service-level agreements (SLAs)
How can a company benefit from performing a disaster recovery audit?
Audit results can identify areas of the disaster recovery program that are incomplete, lack suitable procedures, lack suitable documentation, are untested, or are not up to date. Satisfying the audit findings will ensure that the disaster recovery program, and its various components (including plans), is up to date, appropriate for its anticipated function, and capable of fulfilling the organization's business objectives. The organization will thus be better prepared to respond to unplanned incidents, and should be able to mitigate the severity and long-term impact of the incident.
What are the major challenges people face when performing a disaster recovery audit?
The most important challenge is to have senior management support for the audit (this includes facilitating access to key staff as well as funding); otherwise, recommended actions from the audit may not be implemented, putting the organization at continued risk. Additional challenges include securing interviews and follow-up meetings with key staff, obtaining the information required by the audit, ensuring that the information is the most current available, and ensuring that the BC/DR program addresses the most critical technology and business-related issues.
What about bringing in a third party to perform the audit? What are the pros and cons of taking that approach?
Assuming there are no internal staff qualified or experienced with conducting disaster recovery audits, experienced third-party organizations can be considered. The staff should have appropriate professional credentials, including the Certified Information Systems Auditor (CISA) and relevant BC/DR credentials, such as those available from the Business Continuity Institute (BCI) and DRI International. Lack of experience and/or proper credentials should generate red flags when considering a third-party auditing firm.
Large "Big Four" firms may have this capability, but the cost could be prohibitive. Dozens of small- to medium-sized independent consulting firms that specialize in BC/DR provide excellent value for money, assuming they have the experience and credentials.
Using an inexperienced or unqualified firm could result in useless or irrelevant recommendations, or ignorance of critical operational issues that need to be addressed. Result: The organization is unable to validate and improve its BC/DR capabilities, thus putting the firm at continued risk.
It's also a good idea to use IT disaster standards in the audit process. The best examples include National Institute of Standards and Technology (NIST) Special Publication 800-34; international standard ISO/IEC 24762; and British Standard BS 25777. Simply following the standards provides an excellent template for conducting an audit. A number of hard copy and software-based audit tools are available to simplify the audit process. They can be obtained through various sources, such as Rothstein Associates and of course SearchDisasterRecovery.com.
Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.