Internal Auditor's Role in Disaster Recovery
By Patricia F. Wagner, CIA, New York State Insurance Fund

Merely hearing the word "disaster" can evoke alarm and confusion. It can leave lingering uncertainty in managers' minds about how they would regain business momentum in a time of crisis. No organization expects to experience the interruption or a lengthy delay of normal business processes and operations due to a disaster or any unforeseen event. So the "It won't happen to me" syndrome takes hold. And the remote probability of a disaster occurring can interfere with an organization's judgment in dealing with the reality of a disaster's possibility and its potential impact. But an organization cannot categorically forestall ramifications such as loss of information, loss of access and/or loss of personnel as a result of such an event. Thus, advance planning is necessary to minimize loss and ensure continuity of an organization's critical business functions.

re-cov-er-(y): Bring back to normal position or condition. (Merriam Webster's Collegiate Dictionary)

Recovering and returning an organization to normal conditions after experiencing a disaster is a complex and continuous process. And the recovery process actually is made more difficult by not planning ahead. Therefore, if an unfortunate event should occur, organizations should be prepared to resume operations and return to normal conditions as swiftly and effortlessly as possible. In order to survive, the organization must assure that critical operations can resume normal processing within a reasonable time frame.

A crucial element of recovery is a comprehensive and current disaster recovery plan. And internal auditors can play a critical role in planning for disaster recovery. They can (1) assist with the risk analysis during plan development, (2) critically evaluate the plan after it has been drawn up, and (3) provide assurance that the plan is being kept up to date through regular audits.

Plan Development

Historically, internal auditors have provided independent, objective opinions relating to the adequacy of internal controls in an organization's operations. However, internal auditors have expanded their role to consulting activities designed to add value and improve an organization's operations. In addition to assessing and recommending internal controls, organizations rely upon internal auditors for analysis of operations and assessment of risk. Internal auditors' unique perspective and understanding of the overall business operations, the individual department/unit functions, and how they interrelate with each other, positions them as a valuable resource in disaster recovery plan development.

Internal auditors can help with a full assessment of an organization's internal and external environment. Internal factors such as management turnover, and changes in information systems, in controls and in major projects and programs should be considered. External factors such as changes in the outside regulatory and business environment, including changing markets, financial and economic conditions, competitive conditions, and new technology also should be considered. Internal auditors can help identify risks involving critical business activities and help prioritize functions for recovery purposes.

The mission statement of the American Association of State Compensation Insurance Funds (AASCIF) states that, "State Funds... have a mission... to take a position of leadership in the provision of service to employers and injured workers..." In support of this mission, AASCIF's threefold commitment includes, through the effective and efficient operation of its member Funds, providing:

A disaster resulting in a breakdown of communication and/or data lines may cause the carrier to lose the business of potential policyholders and/or render a carrier incapable of serving its current policyholders. Or unscheduled delay or termination of compensation payments can result in inadequate or late payments, causing great hardship to a claimant's livelihood. An effective disaster recovery plan can facilitate a recovery with minimal delay in order for a carrier to continue providing essential services to its customers.

Organizations are more vulnerable when they are in disaster mode and trying to recover. And the recovery period is a critical time for internal auditors to be monitoring the recovery of operations and internal controls. Therefore, as part of their own disaster recovery plan, internal auditors should plan how to monitor internal controls when recovery is under way.

Plan Evaluation

Internal auditors make a valuable contribution as a "clean" eye when they review the disaster recovery plan for design, completeness and overall adequacy. They also can examine the plan to determine that it reflects operations that have been appropriately prioritized, that appropriate risk assessments and analyses have been included, and that the plan contains sufficient internal control considerations. Their considerable knowledge of all business operations and applications uniquely qualifies them for this role.

Regular Audits of the Plan

Internal auditors should periodically audit the organization's disaster recovery plan. The audit objective is to verify that the plan is adequate to ensure timely resumption of operations and processes during adverse circumstances, and that it reflects the current business operating environment. Disaster recovery plans can become outdated very quickly. Changes occur, such as employee turnover, system configurations/interface changes, or updated software where new releases might not be compatible with prior versions.
Internal auditors should examine the recovery plan to determine that it incorporates important changes that take place over time, and that the revised plan has been communicated to the appropriate people, internally and externally. During the audit, internal auditors should, among other things, determine:

Internal auditors should report any observations or recommendations to management immediately.

Organizations can anticipate and plan for the adverse effects of a disaster. The challenge for internal auditors is to help their organizations understand risk awareness/risk assessment and develop an effective response. Ultimately, the tone at the top determines how effective internal auditors can be in planning for a disaster.

It is important for organizations to recognize the importance of the internal auditor's role in disaster recovery. Competent internal auditors bring to the planning process objectivity, integrity, expertise in communication, the ability to identify enterprise-wide risks, and the skill to assess the effectiveness of controls put in place to mitigate those risks. They can provide insightful information regarding the organization's operations, and its interrelated processes and functions.

After a disaster occurs and as the crisis eases, internal auditors need to look at the impact of the disaster on control processes. Internal auditors should make sure that as many normal controls as possible remain in place during an emergency. They should push for the return to normal controls as soon as it is expedient.

The outcome of some disasters cannot be averted. But with proper planning - including involvement of the right people - organizations can recover operations and return to normal processing expeditiously following a disaster.