Business continuity and disaster recovery auditing

Last updated October 18, 2024

Given organizations' increasing dependency on information technology (IT) to run their operations, business continuity planning (and its subset IT service continuity planning) covers the entire organization, while disaster recovery focuses on IT.

Overview
Metrics
DR metrics
The auditor's role
Documentation
Disaster recovery plan
Relationship to BCPs
Testing
Benefits
Planning and testing methodology
Caveats/controversies
Decisions and strategies
Other considerations
Insurance issues
Communication issues
Emergency procedures
Environmental issues
See also
References

Auditing documents covering an organization's business continuity and disaster recovery (BCDR) plans provides a third-party validation to stakeholders that the documentation is complete and does not contain material misrepresentations.

Overview

Often used together, the terms business continuity (BC) and disaster recovery (DR) are very different. BC refers to the ability of a business to continue critical functions and business processes after the occurrence of a disaster, whereas DR refers specifically to the IT functions of the business, albeit a subset of BC.^[1]^[2]

Metrics

The primary objective is to protect the organization in the event that all or part of its operations and/or computer services are rendered partially or completely unusable.

A DR plan illustrating the chronology of the
@media screen{html.skin-theme-clientpref-night .mw-parser-output div:not(.notheme)>.tmp-color,html.skin-theme-clientpref-night .mw-parser-output p>.tmp-color,html.skin-theme-clientpref-night .mw-parser-output table:not(.notheme) .tmp-color{color:inherit!important}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output div:not(.notheme)>.tmp-color,html.skin-theme-clientpref-os .mw-parser-output p>.tmp-color,html.skin-theme-clientpref-os .mw-parser-output table:not(.notheme) .tmp-color{color:inherit!important}}
RPO and the
RTO with respect to a
major incident (MI). Schematic ITSC and RTO, RPO, MI.jpg — A DR plan illustrating the chronology of the **RPO** and the **RTO** with respect to a **major incident (MI)**.

DR metrics

Minimizing downtime and data loss during disaster recovery is typically measured in terms of two key concepts:

Recovery time objective (RTO), time until a system is completely up and running
Recovery point objective (RPO), a measure of the ability to recover files by specifying a point in time the backup copy will restore to.

The auditor's role

An auditor examines and assesses

the procedures stated in the BCP and DR plan are actually consistent with real practice
a specific individual within the organization, who may be referred to as the disaster recovery officer, the disaster recovery liaison, the DR coordinator, or some other similar title, has the technical skills, training, experience, and abilities to analyze the capabilities of the team members to complete assigned tasks
more than one individual is trained and capable of doing a particular function during the DR exercise. Tests and inquiries of personnel can help achieve this objective.

Documentation

Disaster recovery plan

A disaster recovery plan (DRP) is a documented process or set of procedures to execute an organization's disaster recovery processes and recover and protect a business IT infrastructure in the event of a disaster.^[3] It is "a comprehensive statement of consistent actions to be taken before, during and after a disaster".^[4] The disaster could be natural, environmental or man-made. Man-made disasters could be intentional (for example, an act of a terrorist) or unintentional (that is, accidental, such as the breakage of a man-made dam or even "fat fingers" - or errant commands entered - on a computer system).

Types of plans

Although there is no one-size-fits-all plan,^[5] there are three basic strategies:^[3]^[5]

prevention, including proper backups, having surge protectors and generators
detection, a byproduct of routine inspections, which may discover new (potential) threats
correction^[6]

The latter may include securing proper insurance policies, and holding a "lessons learned" brainstorming session.^[3]^[7]

Best practices

To maximize their effectiveness, DRPs are most effective when updated frequently, and should:

be an integral part of all business analysis processes,
be revisited at every major corporate acquisition, at every new product launch and at every new system development milestone.
be thoroughly tested, not just unpracticed bureaucratic documentation

Adequate records need to be retained by the organization. The auditor examines records, billings, and contracts to verify that records are being kept. One such record is a current list of the organization's hardware and software vendors. Such list is made and periodically updated to reflect changing business practices and as part of an IT asset management system. Copies of it are stored on and off site and are made available or accessible to those who require them. An auditor tests the procedures used to meet this objective and determine their effectiveness.

Relationship to BCPs

Disaster recovery is a subset of business continuity. Where DRP encompasses the policies, tools and procedures to enable recovery of data following a catastrophic event, BCP involves keeping all aspects of a business functioning regardless of potential disruptive events. As such, a business continuity plan is a comprehensive organizational strategy that includes the DRP as well as threat prevention, detection, recovery, and resumption of operations should a data breach or other disaster event occur. Therefore, BCP consists of five component plans:^[8]

Business resumption plan
Occupant emergency plan
Continuity of operations plan
Incident management plan
Disaster recovery plan

The first three components (business resumption, occupant emergency, and continuity of operations plans) do not deal with the IT infrastructure. The incident management plan (IMP) does deal with the IT infrastructure, but since it establishes structure and procedures to address cyber attacks against an organization's IT systems, it generally does not represent an agent for activating the DRP; thus DRP is the only BCP component of active interest to IT.^[8]

Testing

The overall categorization of tests are functional- and discussion-based. Types of tests include: tabletop exercises,^[9] checklists, simulations, parallel processing (testing recovery site while primary site is in operation), and full interruption (fail over) tests.^[10]^[11] These apply to both BC and DR.

Benefits

Like every insurance plan, there are benefits that can be obtained from proper business continuity planning, including:^[4] Studies have shown a correlation between higher spending on auditing fees and lower rates of incidents.^[12]

Minimizing risk of delays
Guaranteeing the reliability of standby systems (even automating the failure detection and recovery in certain scenarios)
Providing a standard for testing the plan
Minimizing decision-making during a disaster
Reducing potential legal liabilities
Lowering unnecessarily stressful work environment

Planning and testing methodology

According to Geoffrey H. Wold of the Disaster Recovery Journal, the entire process involved in developing a Disaster Recovery Plan consists of 10 steps:^[4]

Performing a risk assessment: The planning committee prepares a risk analysis and a business impact analysis (BIA) that includes a range of possible disasters. Each functional area of the organization is analyzed to determine potential consequences. Traditionally, fire has posed the greatest threat. A thorough plan provides for "worst case" situations, such as destruction of the main building.
Establishing priorities for processing and operations: Critical needs of each department are evaluated and prioritized. Written agreements for alternatives selected are prepared, with details specifying duration, termination conditions, system testing, cost, any special security procedures, procedure for the notification of system changes, hours of operation, the specific hardware and other equipment required for processing, personnel requirements, definition of the circumstances constituting an emergency, process to negotiate service extensions, guarantee of compatibility, availability, non-mainframe resource requirements, priorities, and other contractual issues.
Collecting data: This includes various lists (employee backup position listing, critical telephone numbers list, master call list, master vendor list, notification checklist), inventories (communications equipment, documentation, office equipment, forms, insurance policies, workgroup and data center computer hardware, microcomputer hardware and software, office supply, off-site storage location equipment, telephones, etc.), distribution register, software and data files backup/retention schedules, temporary location specifications, any other such lists, materials, inventories, and documentation. Pre-formatted forms are often used to facilitate the data gathering process.
Organizing and documenting a written plan
Developing testing criteria and procedures: reasons for testing include
- Determining the feasibility and compatibility of backup facilities and procedures.
- Identifying areas in the plan that need modification.
- Providing training to the team managers and team members.
- Demonstrating the ability of the organization to recover.
- Providing motivation for maintaining and updating the disaster recovery plan.
Testing the plan: An initial "dry run" of the plan is performed by conducting a structured walk-through test. An actual test-run must be performed. Problems are corrected.

Initial testing can be plan is done in sections and after normal business hours to minimize disruptions. Subsequent tests occur during normal business hours.

Caveats/controversies

Due to high cost, various plans are not without critics. Dell has identified five "common mistakes" organizations often make related to BCP/DR planning:^[13]

Lack of buy-in: When executive management sees DR planning as "just another fake earthquake drill" or CEOs fail to make DR planning and preparation a priority
Incomplete RTOs and RPOs: Failure to include each and every important business process or a block of data. Ripples can extend a disaster's impact. Payroll may not initially be mission-critical, but left alone for several days, it can become more important than any of your initial problems.
Systems myopia: A third point of failure involves focusing only on DR without considering the larger business continuity needs. Corporate office space lost to a disaster can result in an instant pool of teleworkers which, in turn, can overload a company's VPN overnight, overwork the IT support staff at the blink of an eye and cause serious bottlenecks and monopolies with the dial-in PBX system.
Lax security: When there is a disaster, an organization's data and business processes become vulnerable. As such, security can be more important than the raw speed involved in a disaster recovery plan's RTO. The most critical consideration then becomes securing the new data pipelines: from new VPNs to the connection from offsite backup services.
- In disasters, planning for post-mortem forensics
- Locking down or remotely wiping lost handheld devices

Decisions and strategies

Site designation: choice of a backup site. A hot site is fully equipped to resume operations while a cold site does not have that capability. A warm site has the capability to resume some, but not all operations.

A cost-benefit analysis is needed.

Occasional tests and trials verify the viability and effectiveness of the plan. An auditor looks into the probability that operations of the organization can be sustained at the level that is assumed in the plan, and the ability of the entity to actually establish operations at the site.
The auditor can verify this through paper and paperless documentation and actual physical observation. The security of the storage site is also confirmed.

Data backup: An audit of backup processes determines if (a) they are effective, and (b) if they are actually being implemented by the involved personnel.^[14]^[15] The disaster recovery plan also includes information on how best to recover any data that has not been copied. Controls and protections are put in place to ensure that data is not damaged, altered, or destroyed during this process.

Drills: Practice drills conducted periodically to determine how effective the plan is and to determine what changes may be necessary. The auditor's primary concern here is verifying that these drills are being conducted properly and that problems uncovered during these drills are addressed.

Backup of key personnel - including periodic training, cross-training, and personnel redundancy.

Other considerations

Insurance issues

The auditor determines the adequacy of the company's insurance coverage (particularly property and casualty insurance) through a review of the company's insurance policies and other research. Among the items that the auditor needs to verify are: the scope of the policy (including any stated exclusions), that the amount of coverage is sufficient to cover the organization's needs, and that the policy is current and in force. The auditor also ascertains, through a review of the ratings assigned by independent rating agencies, that the insurance company or companies providing the coverage have the financial viability to cover the losses in the event of a disaster.

Effective DR plans take into account the extent of a company's responsibilities to other entities and its ability to fulfill those commitments despite a major disaster. A good DR audit will include a review of existing MOA and contracts to ensure that the organization's legal liability for lack of performance in the event of disaster or any other unusual circumstance is minimized. Agreements pertaining to establishing support and assisting with recovery for the entity are also outlined. Techniques used for evaluating this area include an examination of the reasonableness of the plan, a determination of whether or not the plan takes all factors into account, and a verification of the contracts and agreements reasonableness through documentation and outside research.

Communication issues

The auditor must verify that planning ensures that both management and the recovery team have effective communication hardware, contact information for both internal communication and external issues, such as business partners and key customers.

Audit techniques include

testing of procedures, interviewing employees, making comparison against the plans of other company and against industry standards,
examining company manuals and other written procedures.
direct observation that emergency telephone numbers are listed and easily accessible in the event of a disaster.

Emergency procedures

Procedures to sustain staff during a round-the-clock disaster recovery effort are included in any good disaster recovery plan. Procedures for the stocking of food and water, capabilities of administering CPR/first aid, and dealing with family emergencies are clearly written and tested. This can generally be accomplished by the company through good training programs and a clear definition of job responsibilities. A review of the readiness capacity of a plan often includes tasks such as inquires of personnel, direct physical observation, and examination of training records and any certifications.

Environmental issues

The auditor must review procedures that take into account the possibility of power failures or other situations that are of a non-IT nature.

Flashlights and candles may be needed.
Safety procedures in case of gas leaks, fires or other such phenomena and PPE may be needed.

Related Research Articles

<span class="mw-page-title-main">Business continuity planning</span> Prevention and recovery from threats that might affect a company

Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", and business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery. Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.

<span class="mw-page-title-main">Financial audit</span> Type of audio

A financial audit is conducted to provide an opinion whether "financial statements" are stated in accordance with specified criteria. Normally, the criteria are international accounting standards, although auditors may conduct audits of financial statements prepared using the cash basis or some other basis of accounting appropriate for the organization. In providing an opinion whether financial statements are fairly stated in accordance with accounting standards, the auditor gathers evidence to determine whether the statements contain material errors or other misstatements.

IT disaster recovery (also, simply disaster recovery (DR)) is the process of maintaining or reestablishing vital infrastructure and systems following a natural or human-induced disaster, such as a storm or battle. DR employs policies, tools, and procedures with a focus on IT systems supporting critical business functions. This involves keeping all essential aspects of a business functioning despite significant disruptive events; it can therefore be considered a subset of business continuity (BC). DR assumes that the primary site is not immediately recoverable and restores data and services to a secondary site.

<span class="mw-page-title-main">Accounting information system</span> System of collecting, storing and processing financial and accounting data

An accounting information system (AIS) is a system of collecting, storing and processing financial and accounting data that are used by decision makers. An accounting information system is generally a computer-based method for tracking accounting activity in conjunction with information technology resources. The resulting financial reports can be used internally by management or externally by other interested parties including investors, creditors and tax authorities. Accounting information systems are designed to support all accounting functions and activities including auditing, financial accounting porting, -managerial/ management accounting and tax. The most widely adopted accounting information systems are auditing and financial reporting modules.

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

Computer-assisted audit tool (CAATs) or computer-assisted audit tools and techniques (CAATTs) is a growing field within the IT audit profession. CAATs is the practice of using computers to automate the IT audit processes. CAATs normally include using basic office productivity software such as spreadsheets, word processors and text editing programs and more advanced software packages involving use statistical analysis and business intelligence tools. But also more dedicated specialized software are available.

A Systems Applications Products audit is an audit of a computer system from SAP to check its security and data integrity. SAP is the acronym for Systems Applications Products. It is a system that provides users with a soft real-time business application. It contains a user interface and is considered very flexible. In an SAP audit, the two main areas of concern are security and data integrity.

A mainframe audit is a comprehensive inspection of computer processes, security, and procedures,with recommendations for improvement.

Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.

An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes.

A backup site is a location where an organization can relocate following a disaster, such as fire, flood, terrorist threat, or other disruptive event. This is an integral part of the disaster recovery plan and wider business continuity planning of an organization.

Information technology general controls (ITGC) are controls that apply to all systems, components, processes, and data for a given organization or information technology (IT) environment. The objectives of ITGCs are to ensure the proper development and implementation of applications, as well as the integrity of programs, data files, and computer operations.

The subject of computer backups is rife with jargon and highly specialized terminology. This page is a glossary of backup terms that aims to clarify the meaning of such jargon and terminology.

<span class="mw-page-title-main">Continuous auditing</span>

Continuous auditing is an automatic method used to perform auditing activities, such as control and risk assessments, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.

In information technology, real-time recovery (RTR) is the ability to recover a piece of IT infrastructure such as a server from an infrastructure failure or human-induced error in a time frame that has minimal impact on business operations. Real-time recovery focuses on the most appropriate technology for restores, thus reducing the Recovery Time Objective (RTO) to minutes, Recovery Point Objectives (RPO) to within 15 minutes ago, and minimizing Test Recovery Objectives (TRO), which is the ability to test and validate that backups have occurred correctly without impacting production systems.

In the United States military integrated acquisition lifecycle the Technical section has multiple acquisition "Technical Reviews". Technical reviews and audits assist the acquisition and the number and types are tailored to the acquisition. Overall guidance flows from the Defense Acquisition Guidebook chapter 4, with local details further defined by the review organizations. Typical topics examined include adequacy of program/contract metrics, proper staffing, risks, budget, and schedule.

Operational acceptance testing (OAT) is used to conduct operational readiness (pre-release) of a product, service, or system as part of a quality management system. OAT is a common type of non-functional software testing, used mainly in software development and software maintenance projects. This type of testing focuses on the operational readiness of the system to be supported, and/or to become part of the production environment. Hence, it is also known as operational readiness testing (ORT) or operations readiness and assurance testing (OR&A). Functional testing within OAT is limited to those tests which are required to verify the non-functional aspects of the system.

Disk-based backup refers to technology that allows one to back up large amounts of data to a disk storage unit. It is often supplemented by tape drives for data archival or replication to another facility for disaster recovery. Backup-to-disk is a popular in enterprise use for both technical and business reasons. Storage devices have gotten faster access time and higher storage capacity. There are different forms of disks used for back up, standard mechanical disks and solid state disks.

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. A SWOT analysis of the ISO/IEC 27001 certification process was conducted in 2020.

ISO 22300:2021, Security and resilience – Vocabulary, is an international standard developed by ISO/TC 292 Security and resilience. This document defines terms used in security and resilience standards and includes 360 terms and definitions. This edition was published in the beginning of 2021 and replaces the second edition from 2018.

References

↑ Susan Snedaker (2013). Business continuity and disaster recovery planning for IT professionals (2 ed.). Burlington: Elsevier Science. ISBN 9780124114517.
↑ "What Is the Difference Between Disaster Recovery and Business Continuity". Cloudian. 2019-11-25.
1 2 3 Bill Abram (14 June 2012). "5 Tips to Build an Effective Disaster Recovery Plan". Small Business Computing. Retrieved 9 August 2012.
1 2 3 Wold, Geoffrey H. (1997). "Disaster Recovery Planning Process". Disaster Recovery Journal. Adapted from Volume 5 #1. Disaster Recovery World. Archived from the original on 15 August 2012. Retrieved 8 August 2012.
1 2 "Disaster Recovery Planning - Step by Step Guide". Michigan State University. Archived from the original on 8 March 2014. Retrieved 9 May 2014.
↑ "Backup Disaster Recovery". Email Archiving and Remote Backup. 2010. Archived from the original on 22 January 2013. Retrieved 9 May 2014.
↑ "Disaster Recovery & Business Continuity Plans". Stone Crossing Solutions. 2012. Archived from the original on 23 August 2012. Retrieved 9 August 2012.
1 2 Chad Bahan. (June 2003). "The Disaster Recovery Plan" . Retrieved 24 August 2012.
↑ "Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities" (PDF). NIST. p. 21.
↑ "What is the difference between a tabletop exercise, a drill, a functional exercise, and a full-scale exercise?".
↑ "Homeland Security Exercise and Evaluation Program (HSEEP)" (PDF). Homeland Security. Jan 2020.
↑ Li, He; No, Won Gyun; Boritz, J. Efrim (24 Nov 2021). "Are External Auditors Concerned about Cyber Risk disclosure". Auditing: A Journal of Practice & Theory. doi:10.2139/ssrn.2880928. S2CID 168198159.
↑ Cormac Foster; Dell Corporation (25 October 2010). "Five Mistakes That Can Kill a Disaster Recovery Plan". Archived from the original on 2013-01-16. Retrieved 8 August 2012.
↑ Constance Gustke (October 7, 2015). "Hurricane Joaquin Highlights the Importance of Plans to Keep Operating". The New York Times .
↑ Berman, Alan. : Constructing a Successful Business Continuity Plan. Business Insurance Magazine, March 9, 2015. http://www.businessinsurance.com/article/20150309/ISSUE0401/303159991/constructing-a-successful-business-continuity-plan

Messier, W. F. Jr. (2011). Auditing & Assurance Services: A Systematic Approach (8th ed.). New York: McGraw-Hill/Irwin. ISBN 9780077520151.
Gallegos, F.; Senft, S.; Davis, A. L. (2012). Information Technology Control and Audit (4th ed.). Boca Raton, FL: Auerbach Publications. ISBN 9781439893203.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Susan Snedaker (2013). Business continuity and disaster recovery planning for IT professionals (2 ed.). Burlington: Elsevier Science. ISBN 9780124114517.

[2] "What Is the Difference Between Disaster Recovery and Business Continuity". Cloudian. 2019-11-25.

[5_tips-3] 1 2 3 Bill Abram (14 June 2012). "5 Tips to Build an Effective Disaster Recovery Plan". Small Business Computing. Retrieved 9 August 2012.

[DR_journal-4] 1 2 3 Wold, Geoffrey H. (1997). "Disaster Recovery Planning Process". Disaster Recovery Journal. Adapted from Volume 5 #1. Disaster Recovery World. Archived from the original on 15 August 2012. Retrieved 8 August 2012.

[MSU-5] 1 2 "Disaster Recovery Planning - Step by Step Guide". Michigan State University. Archived from the original on 8 March 2014. Retrieved 9 May 2014.

[6] "Backup Disaster Recovery". Email Archiving and Remote Backup. 2010. Archived from the original on 22 January 2013. Retrieved 9 May 2014.

[7] "Disaster Recovery & Business Continuity Plans". Stone Crossing Solutions. 2012. Archived from the original on 23 August 2012. Retrieved 9 August 2012.

[SANS-8] 1 2 Chad Bahan. (June 2003). "The Disaster Recovery Plan" . Retrieved 24 August 2012.

[9] "Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities" (PDF). NIST. p. 21.

[10] "What is the difference between a tabletop exercise, a drill, a functional exercise, and a full-scale exercise?".

[11] "Homeland Security Exercise and Evaluation Program (HSEEP)" (PDF). Homeland Security. Jan 2020.

[12] Li, He; No, Won Gyun; Boritz, J. Efrim (24 Nov 2021). "Are External Auditors Concerned about Cyber Risk disclosure". Auditing: A Journal of Practice & Theory. doi:10.2139/ssrn.2880928. S2CID 168198159.

[13] Cormac Foster; Dell Corporation (25 October 2010). "Five Mistakes That Can Kill a Disaster Recovery Plan". Archived from the original on 2013-01-16. Retrieved 8 August 2012.

[14] Constance Gustke (October 7, 2015). "Hurricane Joaquin Highlights the Importance of Plans to Keep Operating". The New York Times .

[15] Berman, Alan. : Constructing a Successful Business Continuity Plan. Business Insurance Magazine, March 9, 2015. http://www.businessinsurance.com/article/20150309/ISSUE0401/303159991/constructing-a-successful-business-continuity-plan

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]