Preparing for the worst: Before any disaster recovery plan can be written and its implementation started, the internal auditor needs to define his or her role in the process
Internal Auditor, Dec, 2001 by Michael Barrier
The disaster and chaos that America witnessed during and after the terrorist attacks on Sept. 11 are a grim, yet poignant, reminder of the importance of effective disaster recovery plans. Internal auditors can play a critical role in the development process of those plans, especially in organizations where they are seen as consultants with a broad knowledge of operations. The auditor who understands how processes interrelate is likely to be valued as someone who can help keep a company afloat in a crisis. "Internal auditing needs to understand what is really important to the industry, the company, and, in some cases, the particular office to make sensible recommendations for disaster recovery solutions that can be implemented," says Graeme Jannaway, a Toronto-based consultant specializing in business-continuity planning and a certified information-systems auditor. "Priorities can differ greatly, even within the same industry."
THE AUDITOR'S ROLE
Jannaway advises, however, that internal auditing's participation in creating a disaster recovery program must be limited. "Internal auditors really shouldn't be asked to write business-continuity plans, because then they'll be auditing themselves," he explains. "Auditors might assist with the risk analysis, because they're well-qualified for this type of task. And they may be asked to comment on the work that's being done. But once management starts creating new controls -- writing the actual plans to mitigate those risks -- the auditors should step aside."
Tom Burr, a Morgan Stanley managing director and company audit director, agrees. "We had a seat at the table and evaluated the overall approach and the preferred practices," he says. "But internal auditing is not a line function; it is a staff function. Our role is to provide advice and counsel to the people who have line responsibility."
Myles Crane is the chief audit executive for Comdisco Inc., a Rosemont, Ill.-based firm that -- with IBM Corp. and SunGard Data Systems -- is one of the three leading providers of disaster recovery services in the United States. Crane says auditors should play the part of advisers. "The auditor's role is one of a process consultant, a business controls consultant. Under most circumstances, the internal auditor would not be responsible for actually doing the plan's design."
However, others argue that there are both pluses and minuses to auditor involvement in the actual disaster recovery planning process. "Internal auditors get to see the organization across all the functional boundaries, so they have a good perspective of the business," explains Martin C. Johnson, a senior manager with Deloitte & Touche's Enterprise Risk Services practice in Chicago. "If there isn't a way the organization can use them, it's missing a valuable resource on the design side. If I'm the one designing the plan, I won't see my flaws. I would rather include internal auditing on the design -- to some extent -- and make sure I have an independent review somehow."
That was essentially the approach taken by Don Lee in the early 1990s when he was director of internal auditing for the Port Authority of New York and New Jersey, the operator of the World Trade Center as well as the New York area's airports, bridges, and tunnels. Lee, who witnessed the 1993 bombing of the World Trade Center, says his 80-person internal audit department didn't draw up other departments' plans, but it did consult with them and make suggestions.
Offering such consultation raises few concerns about conflicting interests when a large audit department rotates its people through different parts of the organization, as was the case at the Port Authority when Lee was there. "The people who were involved in helping set up a process were not likely to be the same ones who were going to be auditing it at some future point," he says.
SETTING PRIORITIES
Whether internal auditing consults on or designs a business continuity plan, auditors should be aware of their organization's priorities. For Morgan Stanley, which had 2,700 employees in one of the World Trade Center towers and another 1,000 employees elsewhere in the Trade Center complex on Sept. 11 (see "Lessons Learned," this page), it was not only the 1993 bombing but Y2K that set the stage for much of its business continuity planning. "At the time of Y2K, a ton of work was done in terms of really thinking through the facilities and the processes and determining which were critical applications and where we could have workarounds," Burr says.
There were widespread fears that the advent of 2000 would lead to devastating computer crashes -- a very different kind of disaster, but potentially as threatening to a company's survival as terrorist attacks. "There was a huge effort focused on putting together documented plans," Burr says. "We had three categories of processes: those that were mission critical, those that were important but that we could do without for a period of time, and those we could do without for a longer period."


