Audit of Business Continuity and Disaster Recovery
VARUN SREEDHAR
Abstract
Every business is prone to unexpected turn of events and disasters. The management needs to have plans for both Business Continuity and also Disaster recovery to ensure that the activities are not stopped, nor is there any loss of valuable data. This brings out the importance of a Risk Assessment and subsequent planning, to handle such crisis. Hence an audit is conducted to assess the ability of the enterprise to continue all the critical operations during a contingency and recover from a disaster within a short span of time. This article aims to throw light on the “Audit of Business Continuity and Disaster Recovery”.
Introduction
When I think about the future, a quote by John F Kennedy comes to my mind “Change is the law of life. And those who look only to the past or present are certain to miss the future.”
I believe that all of us with a stake in the future of accounting services, understand the importance of how traditional accounting services are being transformed by technology. Nowadays every organization from the smallest to the largest one is increasingly dependent on digital technology.
I believe that all of us with a stake in the future of accounting services, understand the importance of how traditional accounting services are being transformed by technology. Nowadays every organization from the smallest to the largest one is increasingly dependent on digital technology. Although technology is undoubtedly one of the core aspects of an organization, there are some disruptions that can break the entire organization in seconds, even though many professionals operate under the assumption that their workplace will remain largely unchanged from one day to the next.
Background of the problem
We rarely get an advance notice that a disaster is about to strike. Even with high-end technology a disaster can never be expected or predicted. Even though a disaster cannot be prepared its impact can be reduced. Hence when a disaster strikes, recovering the disrupted systems and networks to rescue normal operation by minimizing any negative impacts on the organization should be our main objective. But before that what do we mean by a disaster. In simple terms, a disaster is any incident that can take a significant amount of time to recover. Some examples are Natural Disasters, Wilful or accidental damage caused by humans, Cyber-attack, Terrorism, Virus outbreak etc.
Going back to history when any adverse event occurs, the business is either on halt or put to an end. However, now the technology has grown to an extent where data can be protected and maintained securely even in the event of an interruption or a disaster. As the secret of survival is preparation, let me give you a few insights on Business Continuity Planning and Disaster Recovery which is commonly referred to as BCP and DR.
Understanding Business Continuity Planning and Disaster Recovery
Business Continuity Planning(BCP) refers to the ability of an enterprise to recover from an interrupted function and continue its operations with the least impact. In simple terms, BCP helps in continuing the operations even after a disaster occurs. An efficient BCP can be used to actively run and maintain business activities. The BCP is expected to provide :
- Reasonable assurance to recover from any unexpected incident or disaster with the minimal impact
- Anticipate various types of incidents and outline the action plan to minimize impact.
Planning is an activity that is performed before a disaster occurs otherwise it would be too late to plan an effective response. The BCP is a guiding document that allows the enterprise to continue its operation. The plan lays out steps to be initiated, combat and return to its normal operation.
Business continuity covers the following areas :
There are 3 stages for creating a business continuity plan:
- Conduct a Risk assessment and analyse the impact on the business
- Develop and document the Business Continuity Plan
- Test and approve the BCP to meet the changing demands of the business.
Business Continuity Plan vs Disaster Recovery Plan
It is assumed that Business Continuity and Disaster Recovery Plan are one and the same. However, BC & DR is always performed synonymously and is not one and the same. The primary objectives of the Business Continuity Plan are to ensure that all the critical functions and operations are made to recover and function in the least possible time frame. Whereas the Disaster Recovery Plan outlines the specific steps to be taken immediately after a disaster strikes to recover from the event. The key differences between a BCP and DR are given below :
| Sl. No | Business Continuity Plan | Disaster Recovery Plan |
|---|---|---|
| 1 | It is a plan to continue the critical business operations. | It is a plan to react to disaster and to recover from them |
| 2 | BCP is business-centric | DR is data-centric |
| 3 | BCP contains a series of Disaster Recovery plans | A DR plan can be built upon a strong Business Continuity Plan |
| 4 | BCP deals with “ how to keep the operation running during or immediately after an event occurs ” | DR deals with “ how to respond after the event has completed and how to return to normalcy ” |
Having discussed about the main concepts let me give you a few insights on the Audit of Business Continuity Plan
Audit of Business Continuity Plan
A BCP audit is a method for evaluating how a business continuity process is being managed. The BCP Audit should define the risks or threats of the plan and test the controls to ensure if the risks have reduced to an acceptably lower level. BCP audits are highly recommended to ensure that the current plan in place will prevent a disaster and also assures the management of the efforts taken in formalizing a method to evaluate any abnormal event. Similarly, an independent assessment by way of audit can provide feedback that helps and equip the organization in the event of a failure.
Types of BCP Audits
BCP Audits ranges from a straightforward health check to a relatively intense and thorough analysis of every aspect of the plan. The audit can be performed internally or with the assistance of a third-party audit firm.
In the simplest form, an auditor can conduct a quick BCP/DR check by reviewing the plans and the internal control placed in the organization. At the most complex level, an auditor can analyse every aspect of the program and evaluate its outcome. The type of audit depends on the nature of the organization and the extent of the assurance placed by the management. By doing such a process the auditors must give feedback if any updates or revision in the plan is required in responding to an abnormal event.
Now let's examine how to audit a business continuity plan in more detail
Audit Scope & Objectives
As with any audit, defining the scope and objectives is an integral part of the process. The primary objective of a business continuity plan is to limit the time downtime faced during a disruptive event and to minimize the financial losses due to it. A BCP Audit should be conducted to identify residual risk which is not identified and provide recommendations to mitigate them. The plan of action of each type of expected contingency and adequacy should also be addressed.
The Audit scope refers to the boundary within which the auditor has to operate. And the scope of audit increases with the increase in complexities of business. Similarly, any duties which fall outside the scope is not expected to be performed by the auditor.
Having defined the scope, the audit department has to plan the audit taking into considerations of the inherent limitations of audit and the resources available. The auditor should plan his work to enable him to conduct an effective audit in an efficient and timely manner. Planning is not a discrete phase of an audit but is rather a continual and iterative process.
Audit strategy sets the scope, timing and direction of the audit and guides the development of a detailed audit plan. The audit plan is more detailed than the audit strategy. And planning for these audit procedures takes place over the course of the audit. However, the audit plans should be based on the knowledge of the clients business.
Audit procedures/steps are the processes, techniques and methods that auditors perform to obtain audit evidence and enable them to make a conclusion on the audit objectives. These audit steps differ from organization to organization. The audit steps have to be made taking into considerations of professional skepticism and professional judgement. A sample list of audit steps are given below:
1. Determine if a disaster recovery plan exists and was developed using a sound methodology
2. Determine if backup procedures are sufficient to allow for the recovery of data
3. Obtain and review the existing plan by performing test checks and reviewing the impact on the business.
4. Determine if resources have been allocated to prevent the disaster
5. Ensure if the plan is updated within the last 12 months to its most current version
6. Review backup procedures, as the availability of backup data, could be critical in minimizing the time required to recover
7. Ensure if the plan includes the names and numbers of designated members of the management who can coordinate for the response and recovery.
8. Ensure if the organization is taking significant steps in preventing or mitigating a disaster before it even occurs.
9. Ensure if training programs are conducted regularly to educate the employees of the organization.
10. Ensure if all passwords and security protections are periodically changed
Waiting for a disaster to strike is not the right time to think about a disaster recovery or business continuity plan. The Management should be prepared to handle such a crisis and ensure that the business is not affected due to the untoward turn of events. Proper assessment and planning will definitely throw light on the best plan of action which can be launched immediately when there is a disaster, and also ensure that the business is back to normalcy within the shortest period of time.
In these uncertain times where every business relies on data, it is very important to develop the right attitude towards continuity at all levels. Not realizing the importance of such critical planning, many businesses face the perils of huge data loss and other after-effects of a disaster.
As often told : An ounce of prevention is worth a pound of cure. Being ready to face eventualities makes all the difference to the business, both in terms of future growth and also sustainability. Every management needs to realize that though such planning may not be seen tangibly, it is crucial for the business in the long run
https://starcom.node4.co.uk/how-to-audit-a-business-continuity-plan/
https://www.riskandresiliencehub.com/how-to-audit-business-continuityprograms/#:~:text=Audit%20tests%20of%20a%20BCP,accurate%2C%20and%20up%20to% 20date. https://searchdisasterrecovery.techtarget.com/definition/business-continuity-plan-audit
Published PDF’s on Business Continuity Planning and Disaster Recovery
