The Importance of Performing Regularly Scheduled Audits – Business Continuity and Disaster Recovery Plans
Business Continuity and Disaster Recovery Plans.
Over the past decade, devastating events such as Hurricanes Katrina and Rita have made business continuity and disaster recovery plans an essential part of any organization. Business Continuity (BC) is defined as the capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)
Most casino companies do not expect to experience an interruption or a lengthy delay of their normal business processes and operations due to a disaster or any unforeseen event; however, being unprepared for such an event can be catastrophic to an organization. Such unforeseen circumstances include a loss of information, loss of access, and/or loss of personnel as a result of the unexpected event. Advance and effective planning is a must to help minimize loss and ensure continuity of an organization’s critical business functions. As many might anticipate, recovering and returning an organization to normal conditions after a disaster is a complex and continuous process, and as with any complex situation, not planning ahead can make it extremely difficult.
A critical component of recovery is a comprehensive and current disaster recovery plan. Adequate disaster recovery plans should be in place for the routine backup of critical data, programs, documentation, and personnel and for the recovery of these items after an interruption of processing. A written plan for resuming operations in the event of an unforeseen event or disaster should be developed and periodically tested to ensure the plan works with current operations. Another key component of the plan is to document an alternate site in the event the computer facility is inoperable or destroyed during the event or disaster.
While casino management is primarily responsible for establishing the plan, including decisions such as which employees are involved and where the backup data is stored, other resources, such as internal audit and regulators, can be utilized to assist with the risk analysis during the planning process, to evaluate/audit the plan, and to provide assurance through regular audits that the plan is current.
Casino management should establish the plan and review or update it as changes occur within operations, such as employee turnover or system changes. If no significant changes occur throughout the year, the plan should still be reviewed, and if necessary updated, at least annually. As changes or updates are made to the disaster recovery plan, the plan should be tested to ensure employees understand their role in the event of a disaster. Executive management should sign off on the plan as proof that it has been approved by upper management.
Internal auditors and regulators should periodically audit the organization’s disaster recovery plan. The main reason for this is that disaster recovery plans can become outdated very quickly due to employee turnover, system configuration/interface changes, or updated software where new releases might not be compatible with prior versions. An annual audit is ideal; however, if significant changes occur in operations, either in staffing or in business processes, the audit should occur more frequently, either quarterly or semi-annually. The audit objective is to verify that the plan is adequate to ensure operations and processes are restored in a timely manner under undesirable circumstances, and that it reflects the current business operating environment.
During the audit, among other things, the review should include:
- Obtaining and reviewing a copy of the disaster recovery plan and the alternate site agreement.
- Reviewing when the plan was last updated (verify it was reviewed/updated within the past 12 months) and that executive management has signed off on the plan.
- Verifying that procedures for updating the plan are in place.
- Verifying where the plan is stored and performing the following:
  - Review the backup materials.
  - Determine if the backup and recovery procedures are being followed.
  - Inquire of IT personnel to determine if they have been cross-trained.
  - Review training records to determine the amount of cross-training provided.
  - Inquire about and review which critical systems are covered by the plan.
  - Inquire about which critical systems are NOT covered by the plan, and why.
- Reviewing the location of the backup facility site:
  - Take a tour of the off-site storage facility and determine if the facility is adequate.
  - Reconcile the log of items stored at the facility against the items actually present at the facility. Determine if the log is complete and up-to-date.
- Visiting the alternate processing site in order to assess its suitability and compatibility with the current computer facility.
- If possible, observing a test of the plan.
- Reviewing the results of the test of the disaster recovery plan, and determining if corrective action has been taken on any problems encountered during the test.
Identifying key problem areas during audits of business continuity and disaster recovery plans can enhance an organization’s disaster recovery efforts and ensure the quick return of business activities and services.