Page 27 - CITP Review

RMM and sometimes it will not. The procedures the CITP would need to perform in a financial audit are
            directly associated with the level of risk assessed at the RMM. The higher the RMM, the more in-depth,
            or stronger, the procedures to test the DRP need to be.

            For B&I, the scope is likely to be management’s desire to ensure that the BCP/DRP is reliable, because
            the entity relies upon IT to some significant degree. In this case, the CITP would have a more in-depth set
            of procedures in order to gain adequate assurance that the BCP/DRP would work effectively when called
            upon.

            Some of the steps or items that a thorough BCP/DRP would cover include the following:

              •  Written plan
              •  Predefined ranked list of applications in the order of optimal restoration
              •  Recovery team, with identified roles and responsibilities
              •  Backup facility, including building, power, desks, and so on
              •  Backup of
                 –  Infrastructure/platform
                 –  O/S
                 –  Computers and workstations
                 –  Copy of all applications
              •  A reliable, relatively current backup of data
              •  A backup of technical and operational manuals
              •  Backup of supplies (checks, invoices, paper, printer cartridges, media, and so on)
              •  Formal, structured test of the full plan
              •  Regular test of the plan (at least once per fiscal year)

            The recovery team aspect should include the specific steps by specific personnel in recovery operations.
            Who starts the process? Where do they meet as a team initially, or where does each one report? What
            role does each member play in restoring operations?

            Some types of backup provisions cover multiple steps. A “hot site” is a building with power on and a
            computer (main server or mainframe) running that an entity can contract for backup services. A hot site
            would provide for the building, power, desks, and so on; the infrastructure; O/S; and at least some of the
            computers, especially the servers.

            A mutual aid pact is one where another entity uses the same mainframe, or server, and O/S. An example
            would be a retail chain where each location has its own systems and some excess capacity. In the
            mutual aid pact, each party agrees to have excess capacity on its server and allow the other party to use
            its system for BCP/DRP needs. Naturally, the agreement works both ways. Like the hot site, it provides
            multiple aspects of DRP needs.


            A “cold site” provides only a building with power. When an entity employs a cold site, it still needs to find a
            way to provide for the infrastructure, O/S, and computers.

            The CITP would need to reconcile the risks associated with disasters and major business interruptions
            and determine whether the plan properly mitigates those risks, consistent with the assessed level of risk.
            The higher the risk of downtime, the greater the scope and reliability of the BCP/DRP needs to be.




            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-19