

Internal Auditor's Role in Disaster Recovery


Spring 2002 News




By Patricia F. Wagner, CIA, New York State Insurance Fund

Disaster Recovery Plan

dis-as-ter: A sudden calamitous event bringing great damage, loss or destruction. (Merriam Webster's Collegiate Dictionary)

Merely hearing the word "disaster" can evoke alarm and confusion. It can leave lingering uncertainty in managers' minds about how they would regain business momentum in a time of crisis.

No organization expects to experience the interruption or a lengthy delay of normal business processes and operations due to a disaster or any unforeseen event. So the "It won't happen to me" syndrome takes hold. And the remote probability of a disaster occurring can interfere with an organization's judgment in dealing with the reality of a disaster's possibility and its potential impact. But an organization cannot categorically forestall ramifications such as loss of information, loss of access and/or loss of personnel as a result of such an event. Thus, advance planning is necessary to minimize loss and ensure continuity of an organization's critical business functions.

re-cov-er-(y): Bring back to normal position or condition. (Merriam Webster's Collegiate Dictionary)

Recovering and returning an organization to normal conditions after experiencing a disaster is a complex and continuous process. And the recovery process actually is made more difficult by not planning ahead. Therefore, if an unfortunate event should occur, organizations should be prepared to resume operations and return to normal conditions as swiftly and effortlessly as possible. In order to survive, the organization must assure that critical operations can resume normal processing within a reasonable time frame.

A crucial element of recovery is a comprehensive and current disaster recovery plan. And internal auditors can play a critical role in planning for disaster recovery. They can (1) assist with the risk analysis during plan development, (2) critically evaluate the plan after it has been drawn up, and (3) provide assurance that the plan is being kept up to date through regular audits.


Plan Development

Historically, internal auditors have provided independent, objective opinions relating to the adequacy of internal controls in an organization's operations. However, internal auditors have expanded their role to consulting activities designed to add value and improve an organization's operations.

In addition to assessing and recommending internal controls, organizations rely upon internal auditors for analysis of operations and assessment of risk. Internal auditors' unique perspective and understanding of the overall business operations, the individual department/unit functions, and how they interrelate with each other, positions them as a valuable resource in disaster recovery plan development.

Internal auditors can help with a full assessment of an organization's internal and external environment. Internal factors such as management turnover, and changes in information systems, in controls and in major projects and programs should be considered. External factors such as changes in the outside regulatory and business environment, including changing markets, financial and economic conditions, competitive conditions, and new technology also should be considered. Internal auditors can help identify risks involving critical business activities and help prioritize functions for recovery purposes.

The mission statement of the American Association of State Compensation Insurance Funds (AASCIF) states that, "State Funds... have a mission... to take a position of leadership in the provision of service to employers and injured workers..."

In support of this mission, AASCIF's threefold commitment includes, through the effective and efficient operation of its member Funds, providing:

  • An assured market for employers to secure workers' compensation coverage, and
  • Adequate, prompt, and equitable benefits to injured workers and their dependents.

A disaster resulting in a breakdown of communication and/or data lines may cause the carrier to lose the business of potential policyholders and/or render a carrier incapable of serving its current policyholders. Or unscheduled delay or termination of compensation payments can result in inadequate or late payments, causing great hardship to a claimant's livelihood. An effective disaster recovery plan can facilitate a recovery with minimal delay in order for a carrier to continue providing essential services to its customers.

Organizations are more vulnerable when they are in disaster mode and trying to recover. And the recovery period is a critical time for internal auditors to be monitoring the recovery of operations and internal controls. Therefore, as part of their own disaster recovery plan, internal auditors should plan how to monitor internal controls when recovery is under way.


Plan Evaluation

Internal auditors make a valuable contribution as a "clean" eye when they review the disaster recovery plan for design, completeness and overall adequacy. They also can examine the plan to determine that it reflects operations that have been appropriately prioritized, that appropriate risk assessments and analyses have been included, and that the plan contains sufficient internal control considerations. Their considerable knowledge of all business operations and applications uniquely qualifies them for this role.

Regular Audits of the Plan

Internal auditors should periodically audit the organization's disaster recovery plan. The audit objective is to verify that the plan is adequate to ensure timely resumption of operations and processes during adverse circumstances, and that it reflects the current business operating environment.

Disaster recovery plans can become outdated very quickly. Changes occur, such as employee turnover, system configurations/interface changes, or updated software where new releases might not be compatible with prior versions. Internal auditors should examine the recovery plan to determine that it incorporates important changes that take place over time, and that the revised plan has been communicated to the appropriate people, internally and externally.

During the audit, internal auditors should, among other things, determine:

1. When the plan was last updated (verify it was updated within the past 12 months).
2. There are procedures for updating the plan.
3. Where the plan is stored.
4. The location of the backup facility site.
5. What critical systems are covered by the plan.
6. What critical systems are NOT covered by the plan, and

Internal auditors should report any observations or recommendations to management immediately.

Organizations can anticipate and plan for the adverse effects of a disaster. The challenge for internal auditors is to help their organizations understand risk awareness/risk assessment and develop an effective response.

Ultimately, the tone at the top determines how effective internal auditors can be in planning for a disaster. It is important for organizations to recognize the importance of the internal auditor's role in disaster recovery. Competent internal auditors bring to the planning process objectivity, integrity, expertise in communication, the ability to identify enterprise-wide risks, and the skill to assess the effectiveness of controls put in place to mitigate those risks. They can provide insightful information regarding the organization's operations, and its interrelated processes and functions.

After a disaster occurs and as the crisis eases, internal auditors need to look at the impact of the disaster on control processes. Internal auditors should make sure that as many normal controls as possible remain in place during an emergency. They should push for the return to normal controls as soon as it is expedient.

The outcome of some disasters cannot be averted. But with proper planning - including involvement of the right people - organizations can recover operations and return to normal processing expeditiously following a disaster.






Copyright 2001-2002 American Association of State Compensation Insurance Funds.
All rights reserved.