Business continuity plan, disaster recovery plan and SOX...?

  • Direct Mention
    Sections 302, 404 and 409 inform us about business continuity (Safeguarding assets, backup and recovery, timely and accurate reporting, availability of information).
    This is all about business continuity in SOX.
    Indirect Mention
    Vital Records, accurate RTOs and RPOs, Controls, Reliability
    Any comments?

  • The subject of business continuity is intriguing and, from a SOx perspective, contradictory.
    We are supposed to ensure that adequate controls exist to detect fraud and highlight significant errors (if not prevent them) that impact on the financial reports. The discussions on what constitutes a control centered on COSO in the USA and, ultimately, Turnbull in the UK. What is significant is the fact that COSO was adopted as a suitable framework with the exception that SOx would not concern itself with the business processes (Turnbull doesn’t anyway). Clearly, if a business recovery plan is to be effective and, at the same time, fulfil the SOx criteria it must be concerned with all of the processes and not just finance. Ergo, is a business continuity plan within the scope of SOx?
    Enter a grey area: if the factory burns down but all of the relevant financial data etc. is safe and processable, does the fact that you cannot produce anything cause a financial impact that is captured by SOx? So, proceeding laterally, does SOx require a company to be adequately insured? If so, would the fact that a company insures itself against fraud and indemnifies its executives against error be a sufficient control?
    Most insurance companies and some brokers (in the UK at least) will offer a ‘Disaster Planning’ service designed as a checklist to ensure the business is covered. It is in their interests to minimise their loss of profits exposure. But the compilation of a detailed and comprehensive plan, together with the testing of such a plan, is a long and costly process. In my experience, the only companies having such a tried and tested plan are regulated utility providers who have to ensure a continuity of supply and, consequently, have to account for it. If we decide that such a plan is in the scope of the act we heap another responsibility, and expense, on the shoulders of executives who would rather be making money for their investors than spending it on what they perceive as the unnecessary.
    So, what does the poor old consultant do? The answer is, as usual, the best he can. Whether he is right or wrong will depend on the whim of the auditor. Unfortunately, the consultant is unlikely to be around to argue his case; he will have progressed to his next project.

  • Popeye, I agree with you. It is a grey area. Many, many times, we have a great business continuity effort in documents and very few things in the real world. We have ‘cold’ or ‘warm’ sites (translation: untested) and hot papers.

  • I am working on a SOX project now for a large healthcare company. Management has decided against including a disaster recovery plan in the scope of their SOX initiative. They have backup procedures and off-site storage, but no disaster recovery plan. In talking to others on SOX projects, it appears that this is the norm. Forgive my naivete, but it seems to me that having disaster recovery procedures in place would be important for SOX compliance. Can anyone fill me in on what I’m missing? Thanks.

  • Yeah, I had read that. I guess I’ll just accept that disaster recovery isn’t in scope re SOX, even if it doesn’t seem logical to me. Thanks. 🙂
