
The CPA's Role in Disaster Recovery Planning

By Joel Jacobs and Stanley Weiner

In order to thrive in today's competitive marketplace, CPA firms should expand their practices by adding consulting services that, if not offered, will likely be proposed by competitors, both CPAs and non-CPAs. Any CPA firm that does not closely examine various consulting services as revenue producers is neglecting its practice.

Disaster recovery/business continuity consulting is rapidly becoming a meaningful revenue source for many CPA firms. The consulting process output is a written contingency plan designed to minimize the disruption and downtime that would result from an electronic data processing loss or other significant catastrophic event, such as fire, a building collapse, flood, etc. Many firms offer various levels of disaster recovery/business continuity planning consulting services.

The CPA--An Advocate for Disaster Recovery Planning

Persuasive evidence exists which justifies the CPA's role in actively advocating disaster preparedness planning for clients. CPAs have interpreted Statement on Auditing Standards (SAS) No. 60 as justification for bringing specific disaster planning issues into the audit process. SAS 60 provides that the auditor communicate to the audit committee or its equivalent "reportable conditions" and provide recommendations for corrective action. SAS 60 defines a reportable condition as a significant deficiency in the design or functioning of the internal control structure that could adversely affect an organization's ability to record, process, summarize, and report financial data. Reportable conditions should be included in the management letter or other communication provided to the client at the conclusion of each audit engagement. A credible argument can be made that the absence of a comprehensive disaster recovery plan is a reportable condition as defined by SAS 60. The management letter is the ideal forum for advising a client to take corrective action by way of disaster preparedness planning.

Who Needs Disaster Planning?

For large public companies, development of a formal disaster recovery plan is typically required by their boards of directors. For major banks, brokerage firms and other large companies, which rely on intensive data processing environments, adopting and continuing to update a disaster recovery plan is standard operating procedure.

Vendors such as IBM, SunGard, Comdisco, and others engage in disaster recovery consulting for a significant source of their annual revenues. A multisite Fortune 500 company typically will pay anywhere from $40,000 and up for a comprehensive customized disaster recovery/business continuity plan from one of the top tier providers. In addition, many companies pay steep monthly subscription fees for hot-site facilities into which certain departments of the company can move, literally overnight, if required. But what about the vast number of small and mid-sized companies who are the typical clients of most small and regional CPA firms? Is disaster planning essential for them, and, if so, are they willing and able to pay for it?

Industry studies indicate that small and mid-sized companies, with minimal cash reserves and poor cash flow, overwhelmingly do not recover from major losses of data or equipment. Why then, does the vast majority of small and mid-sized companies not have adequate disaster plans, even though their likelihood of failure after a disaster is greater than that of a large multisite company? One reason is, while many owners and corporate officers understand the importance of disaster planning, very few small and mid-sized companies are willing to devote the dollars they believe it will cost to have a consultant create a disaster recovery plan.

Disaster Planning Alternatives

What disaster recovery planning alternatives are available to the small to mid-sized company? There are packaged software programs available that allow a company to create a disaster recovery plan in-house. These programs typically cost between $2,000 and $5,000 and allow the user to fill-in-the-blanks based upon a pre-determined format and template.

One weakness of this approach is the inevitable attempt to fit square pegs into round holes, i.e., attempting to make the needs of the company conform to the packaged plan, rather than vice versa. Without a professional consultant onsite, exception situations are often circumvented, ignored, or overlooked. Unfortunately, any gaps, omissions, and oversights in the plan will be discovered only after a disaster emergency has occurred. Another deficiency, when creating a plan in-house, is the absence of an objective third party to uncover vulnerabilities and inadequacies in current company policies and procedures.

Plan Format

For the CPA firm that wants to offer disaster recovery planning services to clients, the challenge is being able to utilize a comprehensive and customized disaster recovery plan format that is understandable and affordable to the small and mid-sized company. In establishing our disaster recovery plan format we asked the question, "What help would a client need after receiving word that his/her business has just experienced a disaster emergency?" To identify a solution, we examined a 1993 industry study commissioned by Digital Equipment Corporation which determined that "90% of companies that experience a catastrophic loss of data and equipment and do not have a disaster recovery plan are out of business within two years." Close examination of this and similar studies reveals that, even with business interruption insurance, the principal reason for this high rate of business failure following a disaster is the negative cash flow that results from business interruption. New business dries up, accounts receivable collection is delayed, payroll interruption leads to employee abandonment, delays in paying vendors damage credit ratings and goodwill, and immediate extraordinary expenses exhaust existing cash reserves. By eliminating or reducing the cash hemorrhage and its consequences, companies can effectively buy more time for business recovery.

Building the Disaster Recovery Plan

The only effective way to meaningfully reduce losses is to reestablish essential business operations as soon as possible after the disaster. Preparing a disaster recovery plan specifically designed to support immediate business resumption does this. The accompanying chart describes the step-by-step process that a CPA would use to prepare a plan for a client. In general, the CPA consultant must develop efficient interview methods and questionnaires that will formalize and expedite the information gathering process. Knowing in advance what key survival areas to cover streamlines the project. The questions to be asked must, however, be modified based upon an understanding of the client's business.

The disaster recovery plan must document in exact detail the functions, personnel, and equipment that must be re-established after a disaster emergency. It is the functioning of these critical departments, within several hours or a very few days of the disaster, that will preserve cash flow. The CPA consultant must outline a hierarchy that identifies which company departments must be established first. The plan must specify who the key personnel are that perform the vital functions and who staff the mission-critical departments. What equipment, furniture, and other physical needs are essential for vital functions to continue? The CPA must request from the client an inventory of the type and amount of computers, printers, peripherals, copy machines, fax machines, telephones, and any other mission-critical hardware. The process also includes identifying vendors who are capable of providing everything from furniture to telecommunications equipment and computers to office machines on an emergency basis. Be aware that certain personnel or departments are expendable, at least temporarily, while the company returns to normalcy. For example, in most companies, an outside sales force could temporarily operate off premises, perhaps even at home.

The disaster recovery plan must evaluate and document the physical space needed to re-create the office. A local realtor can be enlisted, possibly through a disaster recovery consultant, to regularly review and provide listings of appropriate sites that would be available on a short-term lease if the need arose. Another possible option mentioned earlier is a hot site, a location available by subscription to be used as an alternate site in the event of a disaster emergency. A hot site can begin processing transactions immediately, because the necessary hardware and software are in place, tested, and ready to go. Once the data is gathered and the documentation complete, this portion of the disaster recovery plan will enable the company to be re-created quickly and efficiently in an alternate facility. Key company personnel should be enlisted by the CPA consultant to assist in the gathering of data that comprises the disaster recovery plan. Not only does this reduce the consultant workload, thereby minimizing cost, but it assures acceptance of the disaster recovery plan by those employees who assist in its creation.

The most basic disaster recovery plan is one that is established for a strictly administrative company, i.e., a company with no industrial machinery, no inventory, no vehicles, etc. A disaster recovery plan for a company with machinery, inventory, vehicles, etc. must develop strategies for business continuity that incorporate those components. Among the few alternatives that exist, the most practical is to establish reciprocal agreements with other nearby similar companies. A commercial printing company, for example, can make provisions with another commercial printer to utilize some of their excess capacity in an emergency. A distribution company may be able to arrange for drop shipments to be made to customers directly from the manufacturer. Individual companies and industry groups can be solicited by the CPA consultant to become a member of one of these reciprocal relationship groupings.

The MIS Department and Disaster Recovery

For most modern companies, their life-blood flows through their computer network and systems, making any exposure to major loss unacceptable. One of the essential steps for the CPA consultant when creating a disaster plan is to identify vulnerabilities in the client's data backup and vaulting procedures and to recommend solutions. This allows the CPA to have a positive impact on the client in advance of the possible loss of MIS data. Our own research reveals that most companies back up their data and vault it off-site using what we refer to as the "sometimes" system. Sometimes they back up; sometimes they don't. Sometimes they take the data tapes offsite; sometimes they don't. In reality, most owners and CEOs do not really know, nor do they have any way of verifying, if data backup and offsite storage is being handled properly. While most MIS managers have the best of intentions, very often, due to stress or excessive workload, they do not strictly adhere to company procedures.

Compounding the problem, in many companies the MIS Director is a key person for whom there is no immediate replacement should he or she become ill, injured, or otherwise unavailable. One simple, yet effective, solution is a standardized system of enforced discipline in which backup and offsite vaulting is verified and signed off in a log book that is regularly reviewed by an owner or officer of the company. By assigning responsibility and sharing accountability between the MIS department and principal executives, an acceptable, effective, and easily implemented solution is achieved.

Another common deficiency, and the single most important aspect of data recovery preparedness, is regular verification of the data on the backup tapes or other media. If backup software or hardware is malfunctioning, or if tapes or other magnetic backup media are corrupted, it will typically not be detected until a data loss emergency mandates a live attempt at restoration; clearly the worst time to discover a problem. The solution is to perform a full test restoration at least once a year; preferably semi-annually.
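The signed-off log book and the restoration-test schedule described in the two preceding paragraphs lend themselves to an automated review. The following Python code is an added example, not part of the original article; the CSV column names, the constructed sample entries, the weekday-only backup schedule, and the rule that the operator may not sign off on his or her own entry are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample log book: one row per day a backup was due.
# Column names are hypothetical, chosen for this example.
SAMPLE_LOG = """\
date,backup_done,vaulted_offsite,operator,reviewer,test_restore
2024-01-02,yes,yes,mis_admin,cfo,yes
2024-01-03,yes,no,mis_admin,cfo,no
2024-01-04,no,no,mis_admin,,no
2024-01-05,yes,yes,mis_admin,mis_admin,no
2024-01-09,yes,yes,mis_admin,cfo,no
"""


def audit_backup_log(log_text, as_of, restore_interval_days=183):
    """Return sorted (date, finding) pairs for every lapse in the log.

    restore_interval_days defaults to roughly six months, the article's
    preferred interval between full test restorations.
    """
    findings = []
    seen = set()
    last_restore = None

    for row in csv.DictReader(io.StringIO(log_text)):
        day = date.fromisoformat(row["date"])
        seen.add(day)

        # The "sometimes" system: backup or offsite vaulting skipped.
        if row["backup_done"].strip().lower() != "yes":
            findings.append((day, "backup not performed"))
        if row["vaulted_offsite"].strip().lower() != "yes":
            findings.append((day, "media not taken offsite"))

        # Accountability is shared only if someone other than the
        # operator reviews the entry (assumed rule for this example).
        reviewer = row["reviewer"].strip()
        if not reviewer:
            findings.append((day, "no sign-off"))
        elif reviewer == row["operator"].strip():
            findings.append((day, "signed off by operator, not an officer"))

        if row["test_restore"].strip().lower() == "yes":
            last_restore = max(last_restore or day, day)

    # A weekday with no entry at all is itself a finding: nobody can
    # verify what happened that day (assumes a Monday-Friday schedule).
    if seen:
        day = min(seen)
        while day <= max(seen):
            if day.weekday() < 5 and day not in seen:
                findings.append((day, "no log entry"))
            day += timedelta(days=1)

    # A backup that has never been restored, or not recently, is unproven.
    if last_restore is None or (as_of - last_restore).days > restore_interval_days:
        findings.append((as_of, "test restoration overdue"))

    return sorted(findings)


if __name__ == "__main__":
    for day, finding in audit_backup_log(SAMPLE_LOG, as_of=date(2024, 8, 1)):
        print(day.isoformat(), finding)
```

The reviewing owner or officer would run such a check over the period since the last review and follow up on each finding with the MIS department.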

Other Vulnerabilities and Solutions

The most misunderstood aspect of disaster planning is the erroneous belief that it only involves computers and electronic data processing. Although data processing is the single most important element of recovery, there are many additional issues that must be addressed in order for a disaster recovery plan to be complete. For example, what about hard copy files that cannot be re-created electronically? The CPA consultant drafting a disaster plan for a client must identify these files and documents and offer solutions for their protection. In many companies, legal files cannot be re-created, and if lost, could potentially subject the disaster affected company to massive legal liabilities. Possible solutions include photocopying, microfiche, or document imaging on CD-ROM or optical disk.

Interviews with business disaster victims reveal a common mistake made by most companies. They do not safely store mission-critical items offsite. The simplest way to establish what items should be vaulted offsite for use in a disaster recovery emergency is to ask the question, "If this building were to be destroyed or otherwise inaccessible, what items would be essential to continue functioning?" In preparing a plan, the CPA consultant must assist the client in the identification of mission critical items and recommend utilization of a safe deposit-like offsite storage container which should include duplicates and spares of items such as client lists, employee emergency contact phone numbers and addresses, company letterhead and envelopes, blank checks, copies of insurance policies and contracts, and anything else deemed necessary for post disaster recovery.

Another often overlooked aspect of disaster planning and recovery is the public relations and corporate communications component. It is said that the first casualty of war or disaster is the truth. To suppress rumors and prevent misinformation in the first hours following a catastrophic event, corporate public relations personnel must be prepared in advance to communicate with clients, employees, the community, and the media.

When disaster strikes, clients unsure about the viability of the affected company will begin to seek out an alternate supplier or service provider. Clients may halt payments if it appears that the company may not survive. Similarly, employees must be assured that their jobs and incomes are secure in order to keep them on the job. A critical component of any comprehensive disaster recovery plan, therefore, is a media kit. The CPA consultant should guide the client in the preparation of the components of the kit, which should contain a series of letters, media releases and other communications that can be quickly edited to reflect current circumstances.

Implementation of the Plan

The actual implementation of the disaster recovery plan is based upon a recovery event chart. The role of the CPA is to consult with the client to determine the key recovery events and then arrange them in logical sequence. The recovery event chart should assign accountability for each recovery event. It should also provide for documentation of when each task was assigned and when it was completed. The chart also serves as the reference point for determining an entity's progress toward the resumption of normal operations.

A crisis committee composed of company personnel should be formed under the guidance of the CPA consultant who will assign key functions to specific individuals in the company. In a disaster emergency, crisis committee members would be responsible for specific functions and recovery events. The MIS director, human resources manager, public relations director, and facilities manager should be among the committee members. It is the crisis committee that would meet in the first hours following a disaster to begin implementation and coordination of the disaster recovery plan. In addition, the CPA consultant should utilize the crisis committee to review the plan document and determine the accuracy of the information contained therein.

Updating the Plan

A disaster recovery plan quickly loses value if it is not regularly updated to account for changes in personnel and equipment. A plan created by a CPA or an outside consulting company should be updated every six months during a meeting of the company's crisis committee. It is also necessary to continually reevaluate and update the items stored off-site in the company safe deposit boxes.

Immediate Benefits of a Plan

Although most owners and company officers understand the importance of having a disaster recovery plan, many must be convinced of the existence of immediate benefits of adopting a plan before they are willing to accept the expense. An economic benefit may exist for companies that have business interruption insurance. Depending on the carrier, there is a possibility of a percentage reduction in annual premium for companies that can show evidence of a formal disaster recovery plan. Similar cost savings may be available to companies that have adopted a disaster recovery plan if they elect to reduce their limits of liability or deductibles, thereby reducing business interruption premiums. It is appropriate for the CPA consultant to recommend a professional evaluation of the adequacy of the client's insurance with respect to business interruption coverage.

Another potential benefit of adopting a disaster recovery plan is the use of a plan's existence as a marketing tool. For example, a manufacturing company that is a sole source supplier should announce to its customers that because of its disaster recovery plan, it is prepared to offer an uninterrupted supply of items vital to the operation of their businesses. Service companies should announce adoption of their disaster recovery plans in the context of their ability to provide uninterrupted service to their customers.

One often-overlooked benefit of adopting a disaster recovery plan is the effect it has on employees. Management should make employees aware that it is in the employees' best interest for their company to have a disaster recovery plan, since a rapid business recovery will ensure their continued employment. This knowledge has a positive overall effect on employee morale.

Another potential benefit of having a disaster recovery plan concerns the marketability of the company. If the business is about to be sold, a disaster recovery plan not only adds value to the business, but affords credibility to the management team. Similarly, a company that is in the process of a stock offering or attempting to secure financing is obligated to include a risk section in their offering prospectus. Underwriters and attorneys may recommend adopting a disaster recovery plan to help balance the generally negative information disclosed in the risk section.

Overcoming Plan Preparation

Some of the problems encountered in completing a client's disaster recovery plan relate to the difficulty of gathering the essential information to be detailed in the body of the plan. The CPA consultant must ensure that top level management strongly advocates the program and process. The cooperation and enthusiasm of the next level of personnel is contingent upon upper management's advocacy. It is essential that management assign a project manager to work alongside the CPA consultant to introduce the project to key personnel and to schedule interviews.

In some companies, obtaining detailed systems information from LAN administrators or MIS managers may not be practical. At times, the necessary technical information about data processing or other systems may be available only through contact with the client's vendors or other outside specialists.

Professional Responsibility

The CPA who undertakes a disaster recovery plan assignment is advised to develop an engagement letter to be signed by the client. This letter should include details related to the output of the project, the CPA's role in the tasks to be performed, the client's responsibilities relative to the availability of personnel, responsibility for providing required information, and the fee arrangement. Before engaging in a disaster recovery consulting assignment, CPA practitioners should evaluate their malpractice insurance and, if required, implement changes in coverage relative to providing this type of consulting service.

CPA Preparation and Training

In order to be certain that a client's disaster recovery plan has been properly crafted, CPAs should create the plans themselves, based upon the planning steps and methodologies described. Although certain aspects of a plan may be beyond the expertise of a particular CPA, the CPA with a modest amount of data processing and telecommunications background should be able to undertake an assignment to create a plan for a client after completing a minimal amount of research and training. Such training can be done either through an in-house effort, by referring to literature in the field, or by attending professional seminars sponsored by CPA organizations or disaster recovery consulting

There are, however, certain aspects within a plan that may be beyond the expertise of the CPA. When this occurs, the CPA should not hesitate to draw upon the expertise of his or her client's providers of technical services or network with outside specialists.

Should a CPA firm be unwilling to dedicate the resources necessary to establish a disaster recovery consulting specialty, it can acquire general knowledge about this field and outsource the project to a firm specializing in disaster recovery planning. There are specialty firms that will work with the CPA to develop a plan utilizing the CPA's knowledge of a client's business needs and operational functions. In such circumstances, the CPA should monitor the entire project.

Joel Jacobs is executive vice president and partner of Signature Business Reliance Group, Inc., a New Jersey based provider of disaster recovery consulting and services. Stanley Weiner, CPA, CFE, is partner-in-charge of management advisory services for the accounting firm of Cornick, Garber & Sandler, LLP.

In Brief

A Consulting Opportunity for Small Clients

A low-cost, affordable methodology exists to prepare small and mid-size clients to recover from unforeseen disaster emergencies, such as fire and flood. The authors provide the how-to details and discuss the benefits to both the CPA consultant and his/her clients. The result of the planning is an enhanced awareness of a company's critical operations, and required improvements in the protection of vital company data.

The CPA consultant should make his/her client aware of the economic benefit of a disaster recovery plan and play a key role in its development. The plan will, if nothing else, provide a client with a blueprint for restoring normal operations in the event of a disaster emergency.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.