Business-Continuity-Disaster-Recovery : Business DR Strategies and Advice
 

Contingency Audit Plan ensuring Effective Disaster Recovery

Increased Contingency Awareness

Awareness of the need for disaster recovery planning has grown, firstly with Y2K and subsequently with 9/11. Business has awoken to the need to protect continuity, as downtime in any critical business service can have dire consequences.

The many threats to continuity from natural and man-made causes, both internal and external, have brought business focus onto DR strategies. Contingency planning and contingency auditing are increasingly important.

Management and security personnel need to be aware of the deficiencies in their organization's DR planning and may seek professional help to audit existing continuity applications and systems. Terrorism and climate change have heightened the need to be prepared for any eventuality that may affect business continuity.

Contingency Audit Objectives

Initially, the audit plan itself must be prepared and its structure decided upon. The audit should focus on individual aspects of the continuity and recovery plan, which are subsequently tied into an overall effectiveness assessment. Recommendations will cover efficiencies within each area of DR planning and DR applications, the overall structure, and suggested cost-saving measures.

Effective auditing should reap rewards both in terms of efficiency and in costs. This should compensate for the expense and time taken for the audit process. If a hosted DR provider has been utilized then the audit process would include a review of their processes and may even be included periodically as part of the service.

Stages of the Audit

An audit may begin with an investigation of the DR planning stage and the personnel involved, seeking any deficiencies or bias in the development process. Where a recovery plan has been constructed one critical area at a time, there may be considerable failings in overall impact, with each area focused on immediate disaster needs and scant attention paid to the company mission statement.

Auditing will assess the background of each decision during the development of the recovery plan, plus the personnel involved, and offer constructive advice on adjusting for any slant that may have reduced the overall effectiveness of the DR plan.

The effectiveness of the plan will also be evaluated against current threats plus any increase in likelihood of a particular threat since the recovery plan was devised. Assessment of overall structure ensures all the mission critical areas and objectives of business are protected in the event of downtime or emergency.

Contingency Audit Steps
Develop audit plan focusing on business mission statement and objectives
Define terminology to ensure clarity
Assess bias in personnel involved in plan development
Evaluate the recovery plan development process
Review (macro) determination of critical services needing contingency protection
Review (micro) of risk analysis and business impact assessments
Audit overall structure of the contingency and continuity plan:
     Threat determination
     Threat mitigation via avoidance and preemption
     Emergency preparedness including asset, staff and data protection
     Management during initial emergency period and subsequent recovery
     Business continuity during recovery period
     Media liaison
     Resumption of business as usual
Auditing recovery plan maintenance schedules and methods
Determination of cost effectiveness of aspects of the DR plan
Auditing crisis management strategies:
     Management structure during crisis period
     Communications provisions, internal and external
     Public relations and media information
     Supervision of staff mechanisms
     Control and understanding of DR applications
Audit deployment of DR applications as interim restoration of critical services during crisis
Evaluate backup applications and off-site alternate or outsourced provisions
Assess workaround alternatives in the event of backup failure
Evaluate restoration of critical services and products to customers during downtime
Auditing full recovery and return to normalcy:
     Assess procedures for restoration of non-critical business services
     Processing of transactions not actioned during the emergency period
     Procedures for return to normal internal operations and customer service
     Assess systems for testing services post recovery
Evaluation of documentation for DR systems and maintenance
Recommendations for improvements to both structure and costings

Telecoms Contingency Audit

It is often prudent to audit business communications to establish whether the chosen networks and providers are the most cost-effective options. With the large array of telecoms providers in the market, most offering varied plans and deductions for combined services, establishing the best deals can be time-consuming and require expertise. An independent audit is often a sensible solution and can prove very worthwhile.

Similarly, telecom recovery solutions need to be assessed for cost effectiveness, and this would be part of an overall DR strategy audit. Hosted disaster recovery application providers will be using the most reliable and cost-effective options as standard business practice, regular auditing being integral to the business methodology of any DR solutions provider.

Risk Assessment and Crisis Management