The IT auditor must understand the difference between backup and recovery issues. Backup issues are focused on what information should be saved, when it should be saved, and how it should be saved. Recovery issues are focused on how to use those backups in the event of a data loss or system interruption.
Controls over backup and recovery should ensure that all designated applications and data continue to be available to the organization even after an event in which the entire system, both hardware and software, has been lost. Backup and recovery are issues that are addressed in completely different ways, which is why many IT auditors deal with them as two independent topics or control areas.
There are only three primary alternatives for making backups:
Backups may be created using any of the following media combinations:
Any time backup issues are discussed, recovery issues should either accompany or precede them. The only business reason to make a backup copy of something is to be able to restore that something after it is lost or damaged.
The IT auditor's historical emphasis has been on how often backups are made, how the backup media are cared for, how many versions are retained, and other similar items. In many reviews, including some done by this author (a long time ago), little or no emphasis was placed on the use of backups. The IT auditor's emphasis was on their existence.
Business Contingency Planning, or disaster recovery planning, became more important to the company and to the IT auditor as Automated Application Systems became more integrated with daily business activities. This growing importance led to auditors identifying two critical questions:
While the IT auditor should always keep compensating controls and mitigating circumstances in mind, the wrong answers to these questions should set alarms off for the auditor. And if the automated application systems and system have so little value that their loss has no meaningful impact, why are they even being evaluated?
Companies are increasingly interested in reducing their dependence on end users being able to move backward in time and recreate their work, for two reasons: it does not work, and highly complex integrated systems require not only completeness but also proper sequencing of re-entered transactions.
One example of the importance of sequencing is the order fulfillment department of a retail store with a catalog or phone order processing function. As orders are entered into the system, stock availability is determined, that information is provided to the customer, the system allocates the appropriate stock, and shipping plans are made. If sequencing is not addressed, the problems an organization can encounter include differing availabilities, differing allocations, differing customer-promised and actual dates, and the potential impossibility of reconciling the transactions as originally processed with those same transactions as recovered following the problem.
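The sequencing problem in the order fulfillment example above, and the completeness-versus-sequencing point in the paragraph before it, can be shown with a small simulation. This is an added example, not part of the original text; the order data, stock level, dates and lead times are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: (order_id, sku, quantity).
ORIGINAL = [("A1", "lamp", 3), ("A2", "lamp", 2), ("A3", "lamp", 2)]
# The same orders re-entered by end users after a loss, in a different order.
REENTERED = [("A3", "lamp", 2), ("A1", "lamp", 3), ("A2", "lamp", 2)]
STOCK = {"lamp": 5}          # assumed stock on hand at the last usable backup
DAY = date(2024, 1, 8)       # assumed processing date
SHIP_DAYS = 2                # assumed lead time when stock is fully allocated
RESTOCK_DAYS = 14            # assumed extra lead time for back-ordered items


def process(orders, stock, today):
    """Allocate stock in entry order.

    Returns {order_id: (units_allocated, promised_date)}.
    """
    on_hand = dict(stock)
    results = {}
    for order_id, sku, qty in orders:
        allocated = min(qty, on_hand.get(sku, 0))
        on_hand[sku] = on_hand.get(sku, 0) - allocated
        delay = SHIP_DAYS if allocated == qty else SHIP_DAYS + RESTOCK_DAYS
        results[order_id] = (allocated, today + timedelta(days=delay))
    return results


def is_complete(original, recovered):
    """Completeness check: every original transaction was re-entered once."""
    return sorted(original) == sorted(recovered)


def mismatches(before, after):
    """Order ids whose allocation or promised date changed after recovery."""
    return sorted(oid for oid in before if before[oid] != after.get(oid))


if __name__ == "__main__":
    before = process(ORIGINAL, STOCK, DAY)
    after = process(REENTERED, STOCK, DAY)
    print("complete:", is_complete(ORIGINAL, REENTERED))
    for oid in mismatches(before, after):
        print(oid, "originally", before[oid], "after recovery", after[oid])
```

The completeness check passes, yet two of the three orders end up with a different allocation and promised date, which is why a record count alone is not sufficient evidence that re-entry restored the system to its prior state.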
A new approach to backups that attempts to reduce the time lag between backups includes fault-tolerant equipment such as dual write controllers and redundant array of independent disks (RAID) hard disk technology. These techniques and technologies are reducing the organization's dependence on end users being able to go backward in time to the last backup, or last usable backup, and restore the transactions lost between the backup used and the point in time when the system or application failed.
The following section is a basic but still comprehensive approach for business continuity planning. An audit program constructed on the same framework is included as Workpaper 11-1.