While disaster recovery audits have been recognized as a desirable goal for most organizations for some time, there is still a large percentage of institutions that do not have disaster recovery plans in place.
The recent years’ disasters and the resulting media coverage may be causing an increase in disaster preparation.
Organizations should plan to conduct disaster recovery audits at least every year, sometimes even more often if there are significant changes to the institution’s disaster recovery or business continuity plan.
Even if your institution stores most of its data in a secure cloud network, issues can still arise, such as whether the data was sent to the correct location.
What Is A Disaster Recovery Audit?
A disaster recovery audit is a type of IT audit used to collect and evaluate information about the institution’s IT systems, procedures, practices, operations, and governance.
The internal auditor or expert third-party auditor evaluates all of the gathered information to determine if the IT systems are adequately protecting company assets, maintaining data integrity, and operating properly.
Most Companies Aren’t Prepared for a Disaster Recovery Audit
Studies show that over half of companies are ill-prepared for disaster recovery. With such a low number of companies being prepared, it is safe to expect even fewer of those companies to commit to regular disaster recovery audits.
Knowing this should not be an excuse for organizations to not conduct disaster recovery audits.
Frequent disaster recovery audits allow the institution to be aware of its disaster readiness and will help prepare it for future disaster recovery audits.
Pre-Disaster Recovery Audit Checklist
This disaster recovery audit checklist can be used to help an institution get ready for disaster recovery audits.
- Be sure the disaster recovery plan is current
- Is there a dedicated disaster planning person?
- Has disaster planning been communicated throughout the organization?
- Does disaster planning address different types of disasters and the trends in which they occur?
- Are disaster recovery plans tested regularly?
- Is there more than one disaster recovery plan?
- Does disaster planning cover all department operations?
What Your Institution Should Consider When Completing a Disaster Recovery Audit
It’s a bit tough to keep up with what you need to protect your data and technology assets when the technological landscape is always changing.
These important topics can be used by your institution to help shape and execute your next disaster recovery audit as efficiently as possible.
- Disaster recovery objectives, policies, and company mission statement
- Copy of most updated disaster recovery plan, including version controls
- A designated secondary site to sustain business operations should the primary data center go down
- Data and system recovery capabilities
- Details about backing up data and systems
- Test drills of disaster procedures
- Systems and data backups stored in the cloud or off-site locations
- Current and relevant listing of disaster recovery personnel
- Facility-specific practices, such as emergency contact information
- Communication tools
- Current and validated system and operational documentation
- Emergency procedures for all employees at all facilities, including IT assets
- Vendor lists for all hardware and software
- Company workflows for both manual and automated processes
- Institutional business continuity standards
The Disaster Recovery Audit Process
A disaster recovery audit process should start with a discussion about all of the potential risks that could occur at your institution.
During disaster recovery audits, disaster recovery plans are tested to uncover weaknesses and gaps that should be addressed.
As the disaster recovery audit tests the disaster preparedness plan, all testing procedures should follow established disaster preparedness testing protocols.
Testing should occur frequently and should include:
The disaster recovery audit should include a disaster report detailing any disaster recovery inefficiencies.
This disaster report should contain recommendations for disaster preparedness improvements.
The disaster recovery audit results are recorded in the disaster recovery testing record, which is retained by the disaster recovery auditor.
For disaster audits to be effective, they must be clear about how much work is required of the auditee and what standards are being employed, especially disaster recovery standards.
Adequate disaster recovery plans should include the disaster recovery plan testing schedule.
Disaster Recovery Audits Don’t Stop After Completing Internal Audit Procedures
An organization’s disaster recovery audit will not be complete until the organization has completed its disaster recovery audit procedures with disaster recovery testing standards.
An organization’s disaster recovery audit is only as good as the disaster preparedness and disaster recovery standards it uses.
Disaster recovery audits should always be conducted using disaster preparedness and disaster recovery standards.
All of the disaster preparedness and disaster recovery standards and procedures used during the disaster readiness audit must meet or exceed the industry's standards and procedures for disaster preparedness, disaster readiness, and disaster recovery.
To complete a disaster recovery audit, disaster preparedness and disaster recovery audits should be conducted by a third-party disaster assistance provider that can meet all industry disaster preparedness and disaster continuity requirements.
A disaster recovery audit is a good opportunity to review disaster recovery plans, test disaster recovery processes, and identify disaster recovery risks.
It is much easier to complete disaster recovery audits if the organization has established a disaster management team.
This type of multidisciplinary team should be composed of both operational and IT personnel to represent all disaster recovery stages.
The disaster management team should also be responsible for disaster training, disaster response, and disaster testing to keep disaster preparation consistent across the organization.
It may seem overwhelming to have to test disaster recovery plans, but if you are practicing disaster techniques regularly, there should not be many issues in restoring data after a disaster occurs.
Before disaster strikes:
- Perform disaster training regularly, at least once a week, including disaster response and disaster testing, to keep disaster plans consistent across the organization.
- Use disaster recovery audits to test disaster management plans regularly, such as every six months. This will help identify gaps in disaster planning which can lead to potential disaster risks.
- Create disaster management teams to represent the disaster recovery process in all disaster stages. This will help keep disaster preparation consistent across the organization and will also test disaster plans regularly.
After disaster strikes:
- Restore disaster data as needed. If your disaster management team is multidisciplinary, it should include disaster response and disaster testing representatives to help you restore disaster data.
- Follow disaster recovery processes to restore disaster databases, disaster storage nodes, and disaster remote file servers consistently with your disaster management team’s established disaster plan.
- If your organization does not have a disaster management team, make sure to document the whole disaster process so that the disaster response team will be able to quickly restore disaster data.
Challenges You May Experience During a Disaster Recovery Audit
The following list presents some of the challenges you may experience during disaster recovery audits:
- Putting together an effective disaster management team
- Proper documentation of the audit
- Retrieving all pertinent information
- Keeping disaster recovery plans consistent across the organization
- Ensuring the proper staff have received disaster recovery training for their responsibilities
- Post-audit meetings with pertinent staff
- Making sure all information is current
- Verifying business continuity and data recovery programs and procedures effectively address the most crucial business and technology issues
Disaster recovery audits should be done regularly to test disaster management plans, disaster training, and disaster processes.
The disaster plan should include procedures for restoring disaster data so that when disaster strikes, all necessary resources are available to promptly recover disaster data.
If your organization does not have an established disaster management team, make sure to document the disaster recovery process so that disaster data can be restored quickly.
Disaster recovery audits are a good opportunity to integrate disaster training and disaster testing into disaster recovery preparations for more efficient disaster recovery plans.
Once you have tested all disaster scenarios and written down your disaster plan, you should not have many issues in restoring disaster data after disaster strikes.
Disaster recovery audits are a good opportunity to integrate disaster training and disaster testing into disaster plans for more efficient disaster planning.
After you have tested all scenarios and written down your disaster management plan, there should not be many issues in restoring disaster data after disaster strikes.
If you are unsure if your institution is qualified to conduct its disaster recovery audit, you may benefit from reaching out to an expert third-party auditing firm such as Radd, LLC.
Our experienced team can help you develop your disaster recovery and business continuity plans as well as perform the audit.