Businesses and government entities have always been concerned about disaster recovery
or continuity planning. However, the events of September 11, 2001, and Hurricane Katrina
made everyone even more aware of the necessity of preparing for disaster. Auditors
can help. Continuity planning is an internal control devised to ensure that operations,
including IT functions, can continue in the event of a natural or man-made disaster,
including terrorism and acts of nature. IT—especially Internet technologies—is vulnerable
to man-made attacks, such as viruses and worms. An online retailer, for example, can not
afford to compromise system availability. The absence of a continuity plan is a reportable
condition under Statement on Auditing Standards No. 60,Communication of Internal
Control Related Matters Noted in an Audit.