The CPA's Role in Disaster Recovery Planning
Jacobs, Joel, Weiner, Stanley, The CPA Journal
In order to thrive in today's competitive marketplace, CPA firms should expand their practices by adding consulting services that, if not offered, will likely be proposed by competitors, both CPAs and non-CPAs. Any CPA firm that does not closely examine various consulting services as revenue producers is neglecting its practice development.
Disaster recovery/business continuity consulting is rapidly becoming a meaningful revenue source for many CPA firms. The consulting process output is a written contingency plan designed to minimize the disruption and downtime that would result from an electronic data processing loss or other significant catastrophic event, such as fire, a building collapse, flood, etc. Many firms offer various levels of disaster recovery/business continuity planning consulting services.
The CPA-An Advocate for Disaster Recovery Planning
Persuasive evidence exists which justifies the CPA's role in actively advocating disaster preparedness planning for clients. CPAs have interpreted Statement on Auditing Standards (SAS) No. 60 as justification for bringing specific disaster planning issues into the audit process. SAS 60 provides that the auditor communicate to the audit committee or its equivalent "reportable conditions" and provide recommendations for corrective action. SAS 60 defines a reportable condition as a significant deficiency in the design or functioning of the internal control structure that could adversely affect an organization's ability to record, process, summarize, and report financial data. Reportable conditions should be included in the management letter or other communication provided to the client at the conclusion of each audit engagement. A credible argument can be made that the absence of a comprehensive disaster recovery plan is a reportable condi tion as defined by SAS 60. The management letter is the ideal forum for advising a client to take corrective action by way of disaster preparedness planning.
Who Needs Disaster Planning?
For large public companies, development of a formal disaster recovery plan is typically required by their boards of directors. For major banks, brokerage firms and other large companies, which rely on intensive data processing environments, adopting and continuing to update a disaster recovery plan is standard operating procedure.
Vendors such as IBM, SunGard, Comdisco, and others engage in disaster recovery consulting for a significant source of their annual revenues. A multisite Fortune 500 company typically will pay anywhere from $40,000 and up for a comprehensive customized disaster recovery/business continuity plan from one of the top tier providers. In addition, many companies pay steep monthly subscription fees for hot-site facilities into which certain departments of the company can move, literally overnight, if required. But what about the vast number of small and mid-sized companies who are the typical clients of most small and regional CPA firms? Is disaster planning essential for them, and, if so, are they willing and able to pay for it?
Industry studies indicate that small and mid-sized companies, with minimal cash reserves and poor cash flow, overwhelmingly do not recover from major losses of data or equipment. Why then, does the vast majority of small and mid-sized companies not have adequate disaster plans, even though their likelihood of failure after a disaster is greater than that of a large multisite company? One reason is, while many owners and corporate officers understand the importance of disaster planning, very few small and mid-sized companies are willing to devote the dollars they believe it will cost to have a consultant create a disaster recovery plan.
Disaster Planning Alternatives
What disaster recovery planning alternatives are available to the small to mid-sized company? There are packaged software programs available that allow a company to create a disaster recovery plan in-house. …