1

CHAPTER FIVE
AUDIT EVIDENCE AND EDP
AUDIT
5.1. Nature of audit evidence

 The third standard of fieldwork states, “sufficient

competent evidential matter is to be obtained
through inspection, observation, inquiries, and
confirmation to afford reasonable basis for an
opinion regarding the financial statements under
audit.”
 Audit evidence refers to the necessary
information that an auditor gathers in order to
form a credible opinion on the assertions by the
client’s management that are inherent in the
financial statements.
 This evidence will therefore often include
information relating to the completeness, validity
and accuracy of the recorded value of assets,
2 liabilities and equity of the client entity. 05/10/20
Some examples of audit evidence

 In the client acceptance/retention stage,

audit evidence will include information that
will enable the auditor to determine whether
to accept or reject an entity as a client, such
as information relating to the prospective
client’s industry, Board of Directors, etc.
 In the audit planning stage, audit evidence
includes information that will enable the
auditor to determine the audit approach,
such as information relating to the likely
effectiveness of particular internal control
procedures.
3 05/10/202
Cont…
 In the substantive testing stage, audit
evidence includes information as to whether
a particular account balance is complete,
valid and accurate, such as evidence that an
asset actually exists.

4 05/10/20
What makes evidence competent and sufficient?

The persuasiveness of audit evidence is influenced by

two basic factors – its competency and sufficiency. That
means evidence is said to be persuasive if it is
competent as well as sufficient.
 Sufficiency is the measure of the quantity of audit

evidence.
 Sufficiency is the presence of enough factual and

convincing evidence to support the auditor’s findings,

conclusions, and recommendations’.
 Determining the sufficiency of evidence requires
judgment, however, a prudent informed person should
be able to reach the same conclusions as the auditor.
 Appropriate, statistical methods may be used to
establish sufficiency.
 The sufficiency of audit evidence is determined by the

5 auditor’s professional judgment. 05/10/20

Determinants of the sufficiency of audit evidence

1. Competence of audit evidence determines the

quantity of audit evidence required for a specific
situation.
 That is, the more competent the audit evidence
available the less the quantity of evidence is
required to support auditor’s opinion.
2. Materiality also affects the amount of audit evidence
needed to support auditor’s opinion.
 The more material a financial statement amount the

greater the need for evidential matter as its validity.

3. The level of risk involved in audit engagement also
determines the sufficiency of audit evidence.
 As the relative risk associated with a particular

engagement increases the auditor should gather

6more evidences to support their opinion. 05/10/20
Cont…
 Competence- It refers to the degree to which
evidence can be considered believable or
trustworthy.
 If evidence is considered to be competent, it is
persuasive and is helpful for an auditor to form an
opinion.
 The auditors should carefully consider whether
reasons exist to doubt its validity or completeness.
 If so, the auditors should obtain additional
evidence or disclose the situation in the audit
report.
 For example, evidence obtained by counting
inventories is considered more competent than
inventory figure obtained from management.
7 05/10/20
 Cont…
8

 Competent evidence has seven characteristics. These are

1. Relevance: To be relevant, evidence must pertain to the
audit objective that the auditor is testing for. For
example, physical counting relates to test existence, but
it doesn’t relate for testing ownership. Therefore,
physical count is relevant for existence objective but
irrelevant for ownership objective.
2. Independence of provider: evidence obtained from
outside the client’s organization is more competent than
those obtained from within the organization.
• Evidence obtained from communications with banks,
attorneys, customers, etc is more competent than
evidence gathered from inquires of the client’s
managers and/or employees.
05/10/202
0
 Cont…
9

3. Effectiveness of the client’s internal control system:

evidence obtained in a client where internal control is
effective is more competent than those obtained where
internal control is ineffective. For example, if an auditor
believes internal control of a client for purchases is
effective but those for sales is ineffective, evidence
gathered for purchases will be more competent than
evidence gathered for sales.
4. Auditors direct knowledge: Evidence obtained from the
auditors direct knowledge (such as observation, physical
examination, inspection, own computation) is more
competent than those obtained indirectly. For example, if
an auditor calculates gross margin her/him self, this
information will be more competent than if he relied on
calculations made by the finance head of the client.
05/10/20
20
 Cont…
10

5. Qualification of individuals providing the

information: information about the legality
of an act will be more reliable if it is
obtained from an attorney than from any
other individual who has nothing to do with
law. Similarly, confirmation of a bank
balance obtained from the bank is more
competent than that obtained from others.
Confirmation of accounts receivable will be
more reliable if it is obtained from the
customer/s.
05/10/2020
 Cont…
11

 6. Degree of Objectivity: As you might expect objective

evidence is more competent than evidence that requires
subjective judgment. For example consider evidence obtained
using the following procedures:
 More objective evidence:

 Confirmations of accounts receivable and bank balance

 Physical count of cash

 Adding accounts payable and comparing with the general

ledger total etc

 More subjective evidence:

 Observation of inventories for obsolescence

 Inquiries of credit manager on collectability of receivables

 Discussions with the attorney of the client on the likely

outcomes of a lawsuit etc

05/10/2020
 Cont…
12

 Timeliness of evidence: It refers to either the time it is

accumulated or to the period covered by the audit.
 Timeliness has different meaning for balance sheet accounts and
for income statement accounts.
 For balance sheet accounts, evidence is more liable (competent)
if the information is obtained, as much as possible, close to the
balance sheet date. For example, an auditor’s count of cash on
the balance date is more reliable than count before two months.
 On the other hand for income statement accounts, evidence
obtained from the entire year is more reliable than evidence
gathered from some part of the period (year). For example,
sample of sales invoices selected from the entire year provide
more reliable evidence than sample of the same invoices
selected from the first six months of the year.

05/10/202
0
5.2. Types of Audit Evidence

1.Physical evidence- it refers to evidence obtained

from the physical examination of tangible assets.
 Physical evidence is obtained by direct inspection or

observation of
(a) activities of people,

(b) property, or

(c) events.

 Such evidence may be documented in the form of :

 Memorandum summarizing the matters inspected or

observed;
 Photographs;

 Charts;

 Maps; and

 Actual samples.
13 05/10/20
20
Cont…
2. Documentary Evidence: is corroborating evidence
obtained from documents such as invoices, checks, contracts,
minutes of meetings etc. It may be obtained from the client's
files and is available to the auditor on request.
 The documents, forms, journals or reports may originate
within the client organization or may come from an external
source. Example are:
 Letters;

 Contracts;

 Laws;

 Regulations;

 procedures;

 Budget information;

 Accounting records; and

 Management Information on performance.

 Other supporting documents

14 05/10/20
Cont…
 Documentary evidence is classified in to three
categories depending on their source and reliability:
1. Documentary evidence created outside the client

organization and transmitted directly to the auditors.

2. Documentary evidence created outside the client

organization and held by the client.

3. Documentary evidence created and held within the

client organization.
 Documents may be created by the client (internal) or

by an outside party (external). Externally created

documents may be sent to the auditor directly from
third parties or can be obtained from the client.
External documents are more reliable than internal
documents since the client doesn’t have an
opportunity to alter them.
15 05/10/2020
Cont…

3.Testimonial evidence ( inquiry)

 Testimonial evidence is obtained from

others through statements received in

response to inquiries or through interviews.
 Should be collaborated where possible with

additional evidences.
 Testimonial evidence also needs to be

evaluated from the standpoint of whether

the individual may be biased or only have
partial knowledge about the area.

16 05/10/20
20
 Cont…
17

4. Confirmation
 It represent a distinct type of documentary

evidence. It is a direct written response by a

knowledgeable third party to specific requests of
financial information.
 If confirmations are obtained by an auditor

directly from third parties, they are, generally,

considered to have high degree of competency.
 They are, especially, useful in verifying the

existence and accuracy of account balances. This

type of evidence is extensively used in auditing.
05/10/2020
 Cont…
18

 Below is given an example of that require confirmation

and the possible respondents:

Item Possible Knowledgeable

Respondent
Cash in bank ……………………… Bank
Accounts Receivable ……………… Individual
Customers
Inventory stored in public warehouse … Warehouse
Custodian
Bonds payable ………………………… Bond Trustee
Lease Terms ………………………… Lesser
Common shares outstanding ………… Registrar

05/10/2020
 Cont…
19

5. Evidence from analytical procedure: It represents to evidence

obtained by using ratios and comparisons of such ratios with prior
period and/or budgeted ratios, with industry trends, general
economic conditions etc.
 Analytical evidence is the result of analysis and verification.

 Analytical procedures involve evaluations of financial statement

information by a study of relationships among financial and non-

financial data.
 Examples of analytical procedures include comparisons of revenue

and expense amounts for the current year to those of prior periods,
to industry averages, to budgeted levels, and to relevant non
financial data, such as units of production or hour of direct labor.
 Some of the techniques used to produce analytical evidence are

computations, comparisons, and separation of information into

components.

05/10/2020
 Cont…
20

 Auditors may also obtain evidence from specialists such as

geologists, engineers, attorneys, etc for performance of audit in
areas that do require highly specialized knowledge.
 Client representation letters (“rep-letter”) may also be considered as
audit evidence.
 Representation letter is a written representation summarizing the
most important oral representations made during the audit
engagement.
 Most of such representations fall into the following broad categories:
• All accounting records and financial data,
• The financial statements are complete and prepared in conformity
with GAAP,
• All items requiring disclosure (such as loss contingencies; illegal
acts; and related party transaction) has been properly disclosed.

05/10/2020
 5.3. Obtaining and Evaluating Audit
Evidence
21

 An auditor should obtain and evaluate audit evidence

and this evidence should persuade the auditor to help
her/him to form appropriate opinion.
 At this point you may ask one important question, how

does an auditor obtain and evaluate evidence?

A. Substantive tests
 Auditors obtain and evaluate evidence using audit

procedures known as substantive tests.

 Substantive tests represent two general classes of

auditing procedures. Those are:

1. Tests of details of transactions and balances, and

2. Analytical review procedures

05/10/2020
 Cont…
22

B. Audit Procedures for Tests of Transactions and Balances:


 Audit procedures are the activities (acts) performed by the auditor to obtain and evaluate
corroborating information.

 The most widely used such audit procedures are the following:
1.
1. Inspecting: involves scrutiny (detailed) examination of documents and physical resources.
2.
2. Observing: It refers to procedures that involve watching or witnessing the performance of
some activity.
3.
3. Confirming: describes to procedures for obtaining evidence from an independent outside party
in the form of response for an inquiry.
4.
4. Inquiring: refers to is a procedure that involves either oral or written inquiry by an auditor.
5.
5. Retracing: it is audit procedure in which an auditor begins with the source documents created
and proceeds to search for evidence through the recording process.
6.
6. Recalculating: is a procedure that involves the re – performance of calculations and
reconciliations made by the client.
7.
7. Vouching: involves the inspection of documents in support of transactions or financial
statements to determine their validity and propriety.
8.
8. Counting: is a procedure mostly commonly used in two cases. 1) for counting of tangible assets
such as cash; and 2) accounting for pre – numbering in all pre – numbered documents.
9.
9. Scanning: is a rapid review or eye – balling of documents, records, schedules etc to detect any
unusual item or event that may require further investigation.

05/10/2020
 Cont…
23

 "Is there any relationship between audit

evidence and audit procedures?" Yes;
you can see the relationships in the
following table:

05/10/2020
 Cont…
24

Type of evidence Audit procedure Illustrative application of audit procedure

Physical Inspecting Inspecting new warehouse

counting Counting cash

Confirmation Confirming Confirming bank balance with bank

Documentary Inspecting Inspecting bank statement

Retracing Tracing sales invoice to customer ledger

Vouching Vouching entries in check register to paid checks

Written representations Inquiring Asking management for representation

Letter

Mathematical Recalculating Re-computing accrued interest payable

Visual Observing Observing store room security

Scanning Scanning repairs expense for large expenditure

Oral Inquiring Asking store room supervisor about obsolete inventory

Analytical Analytical review Comparing sales with sales budget

05/10/2020
5.4. Audit Sampling

 Audit sampling is defined as the application of audit

procedures to less than 100% of the population.
 to enable the auditor to evaluate audit evidence about

some characteristic of the items selected.

 in order to form or assist in forming a conclusion concerning

the population.
 There are two types of sampling statistical and non-

statistical.
 Statistical sampling involves the use of mathematically

constructed conclusions regarding the population.

 Non-statistical sampling is not statistically based and results

should not be estimated over the population.

 When using either statistical or non-statistical sampling

methods, the auditor should design and select an audit

sample, perform audit procedures and evaluate sample
results to obtain sufficient, reliable, relevant and useful
25audit evidence. 05/10/20
5.4.1. Design of the Sample

The size and structure of an audit sample is

determined by considering the specific audit
objectives, the nature of the population and
the sampling and selection methods.
 Audit objectives- The auditor should
consider the specific audit objectives to be
achieved and the audit procedures, which are
most likely to achieve those objectives.
 In addition, when audit sampling is
appropriate, consideration should be given to
the nature of the audit evidence sought and
possible error conditions.
 Sampling Unit- The sampling unit will
26 depend on the purpose of the sample. 05/10/202
Cont…
 Population- The population is the entire set
of data from which the auditor wishes to
sample in order to reach a conclusion on the
population.
 Stratification: to assist in the efficient and
effective design of the sample, stratification
may be appropriate.
 Sample size- When determining sample
size, the auditor should consider the
sampling risk the amount of the error that
would be acceptable and the extent to which
errors are expected.
27 05/10/202
0
Cont…
 Sampling risk- arises from the possibility that
the auditor’s conclusion may be different from
the conclusion that would be reached if the
entire population were subjected to the same
audit procedure.
 Sample size is affected by the level of sampling

risk that the auditor is willing of accept.

 Sampling risk should also be considered in

relation to the audit risk and its components,

inherent risk, control risk, and detection risk.
 Tolerable error- is the maximum error in the

population that auditors are willing to accept

and still conclude that the audit objective has
28been achieved. 05/10/20
Cont…
 Expected error- If the auditor expects
errors to be present in the population, use a
larger sample.
 Smaller sample sizes are justified when the
population is expected to be error free.
 When determining the expected error in a
population, the auditor should consider such
matters as error levels identified in previous
audits, changes in the organization’s
procedures and evidence available from an
evaluation of the system of internal control
and results from analytical review
procedures.
29 05/10/20
20
5.4.2. Selection of the Sample

Statistical Sampling Methods

 Random sampling- ensures that all combinations of
sampling units in the population have an equal chance of
selection.
 Systematic Sampling- involves selecting sampling units

using a fixed interval between selections, the first interval

having a random start.
 Non-Statistical Sampling Methods

 Haphazard sampling- in which the auditor selects the

sample without following a structured technique, however

avoiding any conscious bias or predictability.
 Judgmental sampling- in which the auditor places a bias on

the sample.
 A judgmental sample is not statistically based and results

should not be extrapolated over the population as the

30sample is unlikely to be representative of the population.
05/10/202
Cont…
 Audit sampling generally involves the
following steps:
 Determine the objective of the test;
 Determine the sample size;
 Perform the sampling plan;
 Evaluate the results;
 Document the sampling procedure.

31 05/10/2020
 5.5. Audit and EDP
32

 Most organizations use Electronic Data Processing

(EDP), at least to some extent, in processing financial
and accounting information.

 EDP auditing is the process of collecting and

evaluating evidence to determine whether a
computer system safeguards assets, maintains data
integrity, achieves organizational goal effectively, and
consumes resources efficiently.

 Thus, EDP auditing supports the attainment of

traditional audit objectives: attest objectives (those of
the external auditors) that have asset safeguarding
05/10/2020
and data integrity as their focus, management
Cont…

 The approach to auditing in an EDP environment is

described as follows:
 Auditing around the computer, and

 Auditing through the computer

 Auditing around the computer: Computers are useful for

processing of information in determining the nature, extent

and timing of the substantive testing.
 But in auditing around the computer, the auditor performs

the audit in the same manner as the manual system, and

therefore, this approach is sometimes referred to as “black
box” approach.
 Auditing through the computer

 Under this approach the auditor considers the effects of

special EDP controls on the nature, timing and extent of his

substantive approach.
 The computer is used to perform compliance and
33substantive tests. 05/10/20
5.5.1. Characteristics of an EDP environment

 Organizational structure:
 When an organization uses EDP its organization structure is

affected in the following ways:

1. The number of persons involved in processing information is
lower than the number of persons involved in a manual
system.
2. In an EDP environment few persons are involved in the design
and development of the system and therefore knowledge
about the interrelationship between the input, processing
ways, and output is concentrated on these limited individuals.
 Hence it is likely that due to their knowledge about the

strength and weaknesses of the system, may manipulate the

programs.
3. Data files are stored centrally in many EDP installations.
 This may result in unauthorized use of the data.

 To prevent unauthorized access to the data various controls

are developed.
34 05/10/202
Cont…
 Nature of Processing
 Absence of input documents: In an EDP
system it is usual to enter transactions
directly to the computer without any source
documents.
 Lack of visible transaction trial.
 Lack of visible output.
 Difference in nature of output.
 Ease of access to data and computer
programs.

35 05/10/20
5.5.2. Internal control in an EDP Environment

 The objective of internal control in an EDP

environment is the same as the objective of internal
control in a manual system.
 But the specific methods and procedures followed to
the internal control objectives are different.
 In addition to the usual control, the EDP environment
requires special controls to assure that the data
processed through the EDP system is authorized,
accurate and complete.
 Such special controls are referred to as EDP controls
and are performed by computer programs and
additional manual controls.
 The auditor studies their controls and evaluates their
efficiency to determine his substantives procedures.

36 05/10/2020
Cont…
 EDP controls are divided into two categories:
 General EDP controls and
 Application EDP controls
 General EDP controls are internal control
procedures that relate to all or most of the
EDP applications and not to any particular
application.
 Application controls are control procedures
related to individual EDP application such as
payroll preparations, purchase accounting.

37 05/10/202
0
Cont…
 General EDP Controls
 General EDP controls can be classified into
those relating to:
 The organizational structure of the EDP
functions,
 adequate documentation and authorization
of computer programs,
 access controls, and
 hardware controls procedural controls for
safeguarding of program and data files, and
 procedural controls for identification,
documentation and correction of errors.
38 05/10/202
Application controls

 Three stages are involved in all EDP applications. These are

input, processing and output.
 Appropriate controls should be established for each of these

stages. i.e. there should be input controls, processing

controls, and output controls.
 Input controls: are concerned with authorization,

completeness & accuracy of data input to the EDP system.

 The objectives of input controls are to ensure that:

1.Transactions are properly authorized before being processed

by the computer.
2.Transactions are converted into machine-readable form and
recorded in the computer data files accurately.
3. Transactions are not lost, added, duplicated or improperly
changed.
4. Incorrect transactions are rejected, corrected and, if
necessary resubmitted on a timely basis.
39 05/10/2020
Cont…
 Processing controls
 The main concern of processing controls is

to ensure the accuracy and competences of

processing.
 Therefore, the objectives of processing

controls are:
1.To ensure transactions are properly
processed by the computer.
2. To ensure that transactions are not lost,
added, duplicated or improperly changed.
3.To ensure that processing errors are
identified and corrected on timely basis.
40 05/10/20
Cont…
 Output controls
 The effectiveness of input controls and
processing controls determines the quality of
the output, since the accuracy and
completeness of out put are dependent on
the accuracy and completeness of input data
and processing.
 The main objectives of output controls are:
 to ensure that results of processing are accurate.
 to ensure that access to output is restricted to
authorized personnel
 to ensure that output is provided to appropriate
authorized personnel on a timely basis.
41 05/10/20
5.5.3. Applicability of GAAS in EDP audit

 All of the GAAS apply to an audit of financial

statements regardless of whether the data processing
used by the client.
 The first general standard states that the examination
is to be made by individuals with adequate technical
training and proficiency as an auditor.
 This means that the auditor must have sufficient
expertise to understand and evaluate the system’s
essential accounting controls features.
 The extent of the knowledge depends on the
complexity of the EDP system.
 The first standard of fieldwork states that the work is
to be adequately planned assistants, if any are to be
adequately supervised.
42 05/10/20
Cont…
 In planning the audit for clients who use
computer processing the following should be
considered:
 The extent to which the computer is used in each

significant accounting application.

 The complexity of the client’s computer
operations.
 The organizational structure of the computer

processing activities.
 The availability of data in hard copy and
computer readable form.
 The use of computer-assisted audit techniques to

increase the efficiency of performing audit

43techniques. 05/10/202
0
Cont…
 The second standard of fieldwork states that
a sufficient understanding of the internal
controls structure is to be obtained to plan
the audit and to determine the nature,
timing and extent of test to be performed.
 This standard is equally applicable under
both the Manual and the EDP system.
 The auditor should obtain sufficient
knowledge of the EDP system to
understand.

44 05/10/20
20
Cont…
 The accounting records, supporting documents,
machine readable information, and specific accounts
in the financial statements involved in the EDP
processing and reporting of the significant classes of
transactions.
 How the computer is used to process data from the
initiation of the transactions to its final inclusion in the
financial statements.
 The types of potential misstatement that could occur.
 In general in auditing clients with EDP system, the
auditor’s understanding of the internal control should
be documented in the working papers.
 The extent of the documentation will vary directly
with the size and complexity of the structure.

45 05/10/20
5.5.4. Disaster Recovery Planning
 A disaster Recovery planning project cannot be completed in
a week or even a month.
 In many ways, a DRP is never completed-the plan must be

tested and updated at least once per year, if not more

frequently.
 A plan that does not keep pace with the changes in

your organization is a disaster in itself, providing a

false sense of security.
 The primary objectives of a DRP are to guide an organization

in the event of a disaster and to effectively reestablish critical

business operations within the shortest possible period of
time & with a minimal loss of data.
 The goals of the planning project are to assess current and

anticipated vulnerabilities, define the requirements of the

business and IT communities, design and implement risk
mitigation procedures, and provide the organization with a
plan that will enable it to react quickly and efficiently at the
46 time of disaster. 05/10/20
In DRP:
 Senior management must understand the level
of effort needed to research, define, construct,
and test the plan.
 Mgt must commit to support the planning effort
and ensure its success both on a short-term and
an ongoing basis.
 A project team must be selected that
incorporates an adequate balance between IT
and business community members to ensure
that the resulting plan will cover the
requirements of both the IT and business
communities.
 The recovery requirements of the business and IT
communities must be defined and agreed upon.
47 05/10/202
Cont….
 Solution to fit the requirements of the business and the IT
communities, including risk identification, analysis, and
mitigation, must be designed.
 The final plan, which incorporates those solutions, must be

easy to understand (by people, unfamiliar with the systems

and under stress), put into practice, and easy to maintain.
 The final plan needs to be integrated with any other

existing plans-including other DR plans, Emergency

management plans, Evacuation plans, etc.
 A process needs to be developed to keep the plan up to

date, representing the true business and computing

environments at all times.
 DRP is a highly complex and time-consuming activity and

requires a firm commitment from management to expend

the man-hours and funds necessary to achieve success.

48 05/10/202
Disaster recovery planning project steps:

 Each plan should be tailored to the

individual organization-what works for one
organization will not necessarily work for
another.
Step I-project initiation
 The objectives of the disaster recovery

planning project initiation are to gain an

understanding of the existing and planned
future IT environment of the organization,
define the scope of the project, develop the
project schedule, and identify risks to the
project.
49 05/10/202
Step II- Assessment of Disaster Risk

 This should include, but not be limited to, an assessment of

geographical location, building composition, computing
environment/physical plant security, installed security devices
(including automated fire extinguishers and automated shut-
down devices), computing environment/physical plant access
control systems and software, personnel practices, operating
practices, and backup practices.
 This is a good time to perform an IT Assessment, practices

and procedures Audit, and Single points of Failure Analysis.

Step III- Business Impact Analysis
 An analysis of all key business units that are supported by the

IT community should be undertaken to identify which systems

and functions are truly critical to the continuation of business,
and to determine the length of time that those units can
survive without the critical systems in operation.
 This analysis is essential to making decisions about how to

implement disaster recovery.

50 05/10/20
Step IV-Definition of Requirements

 This will be one of the most difficult and time-consuming

parts of the project.
 All requirements of and relating to, the plan must be defined

and detailed.
 These will include, but not be limited to, the recovery

requirements of the business and IT communities, the

requirements generated by the business impact analysis,
and the requirements generated by the assessment of
disaster risk and the mitigation of disaster risk.
Step V- Project Planning
 It is important here to distinguish between the project plan

and the disaster recovery plan.

 The project plan in this case will define the project that is

being executed and as one of its objectives will develop the

Disaster Recovery Plan.
 An additional objective of this project is to mitigate as much

disaster risk as possible.

51 05/10/20
Step VI-Project Execution

 The project should proceed according to standard practice as of

project Management.
 During the project the identified methods of mitigating risk will be

executed and the Disaster Recovery plan will be constructed and

tested.
Step VII – Business Continuity Plan (BCP) Integration
 The DR plan needs to integrate back into the organization’s

overall Business Continuity efforts.

 For an organization that has run the DR effort as part of an

overall BC effort, this has likely already been done.

 However, for an organization that builds their DRP first and then

creates a BCP from that foundation it is important to align the

two.
Step VIII – Ongoing Maintenance and Integration
 Part of the plan will include the ongoing maintenance and testing

efforts required to keep the plan up to date, as well as processes

to identify and mitigate future risks as they are encountered.

52 05/10/20