How Internal Auditors Lead Disaster Recovery Planning

Minimizing the potential fallout that accompanies a disaster, while also maximizing the recovery potential, is a critical aspect of the modern digital landscape of business. Disaster recovery, largely led by the internal auditor, is the solution that today’s businesses rely on to achieve these goals.

Aligned with business continuity planning, which allows an organization to continue fully functioning throughout a disaster, disaster recovery focuses on the process, policies and procedures related to ensuring that a company is able to restore its technology infrastructure and data assets after a natural or man-made disaster.

The internal auditor is instrumental in disaster recovery planning and efforts. His or her planning and enacting activities that assist the organization to identify and evaluate significant exposures to risk directly contribute to the improvement of risk management and control systems.

How an Internal Auditor Is Involved in Disaster Recovery

The process of ensuring that an organization recovers and returns to normal operating conditions after undergoing any type of disaster is complex and continuous. The internal auditor lies at the center of these efforts, as the person responsible for setting out a solid plan then implementing it.

Related article: How do Internal Audit Services Work?

The internal auditor in any organization serves to instill confidence in managers worried about any potential fires, floods, tornadoes, earthquakes or hurricanes, and how they might affect their technology and data assets. With the right internal audit services and disaster recovery plan, managers can relax and not have a lingering uncertainty swirling in their minds about how they might regain business momentum during and after a crisis.

What Is the Role of an Internal Auditor in Disaster Recovery?

Now that we know how important the consultation role of internal auditor is when it comes to disaster recovery, it’s time to learn why, in terms of what his or her role is. The internal auditor understands the number one rule of disaster recovery that is not remotely negotiable: planning.

With a solid plan in place—teeming with preparedness strategies—headed by a skilled internal auditor, an organization is far more likely to swiftly resume operations and return to standard operating conditions with minimal effort.

The regularly updated, comprehensive disaster recovery plan requires a few key activities of the internal auditor that include:

• Consulting with the company to understand their goals
• Assisting with risk analysis during the planning and development stages
• Critically evaluating the plan once drafted
• Providing the business with assurance the plan is current through regular audits

Let’s take a look at each of these activities in more detail.

Planning & Development

Traditionally, internal auditors provided independent, objective opinions that related to the adequacy, appropriateness and effectiveness of an organization’s internal controls and overall operations.

However, as technology has evolved over the years, so has the role of internal auditors. Internal audit consulting services have expanded its scope to include consulting activities that focus on risk, which serve to further add value and improve an organization’s operations.

The internal auditor has a unique understanding and perspective of an organization’s overall business operations. He or she has studied each department and all of its functions, as well as how they all relate to each other. This insight makes the internal auditor an invaluable component of disaster recovery plan development and implementation.

Following are a few insights that an internal auditor can offer when it is time to provide a full assessment of an organization’s environment, internally and externally:

• Internal Environmental Factors. These include management turnover and changes in information systems. Additionally, controls in major projects and programs must be considered.
• External Environmental Factors. Federal, state, local and outside private regulatory and statutory changes must always be considered, as well as matters like changing markets, global financial and economic conditions, competitive considerations and any new technology must also be addressed.

Internal auditors have a bird’s-eye view of these factors and more, which can help an organization identify risks that involve critical business activities, helping to prioritize critical data recovery functions.

Quality Assurance

Once drafted, the internal auditor must review the disaster recovery plan to ensure that the disaster recovery plan for its design, completeness and overall adequacy that makes it effective for quick recovery and seamless business continuity.

The internal auditor will also review the plan to make sure it shows that operations have been appropriately prioritized and that risk assessments and analyses have been included. The plan must also contain sufficient internal control factors and considerations.

Implementation

In the case that the business continuity plan needs to be enacted, the auditor plays a crucial role in the implementation phase as well. The auditor adds value to the business continuity process by keeping management informed of the progress of implementation. He or she will participate in the ensuing risk assessment and business impact analysis. The auditor also helps guide the implementation process by defining key business functions, controls, and affected processes.

Evaluation

Finally, the auditor will assist in evaluating the disaster recovery plan after it has been put to a real-life test and make recommendations for an even better response if a similar situation occurs again in the future. In this way, the auditor is also part of the process of continual improvement for the organization.

How Regular Audits Support Effective Disaster Recovery

The internal auditor should periodically prepare an audit to fully evaluate and reinforce the effectiveness of the disaster recovery plan for proper assurance.

The primary objective of the audit is to verify the merits of the plan and that it is adequate to ensure the timely resumption of business operations and processes during a disaster or other adverse conditions while reflecting the current operating environment of the business.

The disaster recovery audit may include some or all of the following activities and components:

• Interviews with management and the organization’s stakeholders to understand their involvement in disaster planning and business continuity.
• Review of the disaster recovery plan to ensure updates and maintenance for optimal completeness, accuracy and timeliness.
• Review and assessment of supporting documents that may include procedural manuals, guidelines and training resources.
• Evaluate the effectiveness of the disaster recovery plan by reviewing test results or the results of any actual experienced disasters. The internal auditor will ask questions such as “Did the plan work?” and “What worked, what did not work and why?”

What Should the Auditor Consider When Assessing a Business Continuity Plan?

Additional considerations that an internal auditor may keep in mind during the auditing process include:

• Is the disaster recovery plan fully up to date?
• Have all critical systems, business functions and internal controls been included in the plan?
• Do the plans take into account the risks and potential consequences of business interruptions?
• Is the plan adequately documented?
• Have all critical responsibilities been assigned?
• Is the organization capable and ready to put the plans into action?
• Is the disaster recovery plan based on risk assessment?
• Has the plan been tested and revised, based on those test results?
• Where is the plan stored? Is it safely stored, and is it easily accessible to authorized personnel?
• Does the plan’s steps correspond with those of local emergency services?
• Are there alternate data center locations, including the cloud, and are they known to all relevant staff?

Do You Feel Confident in Your Auditor When It Comes to Disaster Recovery?

Maybe you are still unsure about the specifics of the role of your internal auditor for disaster recovery? Maybe you need internal audit consulting? Either way, our I.S. Partners, LLC. team is here to help you work it all out. As the role of auditor continues to evolve to reflect the changing technological environment with factors like the cloud, we understand that you have a great deal to consider when it comes to this vital role and ensuring its effectiveness.

We can help make sure you are able to identify weakness and risks, minimize the duration of any disruption to your business operations, facilitate effective recovery tasks and generally reduce the complexity and anxiety generally associated with the recovery effort to smooth out your internal auditing efforts.

Call us at (215) 675-1400, launch a chat session, send a message or request a quote today , so we can discuss the important role of the internal auditor and anything else that may concern you.

About The Author

David Dunkelberger

During his 25-year career, David has successfully delivered assurance, business advisory and investigative services to the financial institutions industry, primarily commercial banks and insurance companies. Additionally, he possesses solid competencies in risk-based auditing and internal control evaluation, and has generated significant cost savings for clients engaged in Sarbanes-Oxley compliance. He has held senior positions in both public accounting and private industry.

Prior to joining IS Partners, LLC, David managed forensic investigations at a nationally-recognized accounting firm and provided fraud detection, forensic investigation and litigation support services for the FDIC.

David graduated from Temple University in Philadelphia, PA.