To persuade senior management to accept the business case for business continuity, you sometimes need all the friends you can get. One friend in particular that may be worth cultivating is your internal company auditor. Auditors, by virtue of their job, know about the different business operations of an enterprise and have a double advantage. Firstly, they take a fresh look at BC plans and can make a (constructively) critical review for adequacy, effectiveness and efficiency. Secondly, by virtue of their status and title if for no other reason, they tend to be taken seriously. If an auditor says “it’s not good enough for the business”, then management is more likely to take action.
The auditors’ contribution doesn’t stop there. Business continuity plans can rapidly become outdated. Changes in an organisation will mean changes in the business case for business continuity. Checking that the plan remains in alignment with an evolving enterprise is an auditing function, as is verifying that any revised plan has been issued to the right people both internally and externally. During regular audits of business continuity and disaster recovery plans, internal auditors should also check when such plans were last updated, what procedures are in place for keeping the plans current and where the plans are stored, as well as the location of backup facilities.
Equally important in the audit function is determining which critical systems are covered by the plans and which critical systems are not (in which case, it is back to the business case for business continuity again). If business interruption does occur, the recovery period is also a crucial time for auditors to monitor how well operations are being restarted and how effective internal controls are. Disaster recovery planning, as it concerns the audit department, therefore needs to make this monitoring part of the recovery procedure.