Auditing the Business Continuity Plan (BCP)

Cassian Jae, Center Director, hosted an AuditCast with Seth Davis and Ben Getz to find out the answers to some of the most frequently asked questions from their popular webinar, Auditing the Business Continuity Plan. Seth Davis is vice president of internal audit services at RLI Corporation and Ben Getz is senior auditor at RLI Corporation.

Highlights from the AuditCast

Based on the line of questions we received, it appears that so​​me see business continuity and disaster recovery as one and the same. What is the difference between a business continuity plan and a disaster recovery plan?

The business continuity plan typically covers the overall corporate recovery efforts including business processes, restoring administrative functions while the disaster recover plan typically focuses on IT systems recovery only. Some groups use the terms interchangeably though to both mean the overall corporate recovery efforts.

When it comes to disaster recovery, what is your opinion on running an actual day of business using the disaster recovery environment?

We believe that more processing done from disaster recover to reflect actual day-to-day operations is beneficial to understand whether systems are recovered properly and have the needed server horsepower to withstand actual processing. Ultimately, though, more testing means more people and resources needed, so there should be a cost-benefit analysis done to determine how much testing is enough to address most of the concerns with the least effort.

Business functions have different priorities, for example, finance vs. sales. How do the competing priorities impact the criteria used in the assessment of the business impact to ensure consistency across the company?

Ideally, there should be a corporate governance group where some​​ of those differing priorities can be reviewed and ordered correctly. Ultimately the tone for what should be prioritized has to come from management, so any areas of conflicting priority need to be brought up and decided on by someone other than simply each unit’s manager who has governance authority. The priorities decided on by this governance group should be shared with IT management so they know the recovery priorities from a systems perspective.

Are there any opportunities to use data analysis to audit a business continuity plan?

Our internal audit department utilizes data analytics in many audits; however, we have not come up with a good use of data analytics for our business continuity plan so far. Perhaps it would be beneficial for a review of RPO/RTO’s between the business units and IT, depending on the number of systems/applications/processes that your organization supports. If smaller, data analytics probably aren’t necessary.

Lastly, what are some of the most common deficiencies you’ve encountered as yo​u audit business continuity plans?

Common deficiencies we see on our business unit audits are:

  • Inconsistency between IT and business unit expectations for RTO/RPO
  • lack of documented processes for alternative procedures
  • business unit personnel unaware of their responsibilities as core personnel following a disaster

About the Experts

Seth Davis is vice president of internal audit services at RLI Corporation, and Ben Getz is senior auditor at RLI Corporation.


Not an IIA member? Explore the wide range of career support tools and resources The IIA offers its members globally.

Already a Member of The IIA? Add the Center to your membership today.