

Section 11
Backup and Recovery

The IT auditor must understand the difference between backup and recovery issues. Backup issues are focused on what information should be saved, when it should be saved, and how it should be saved. Recovery issues are focused on how to use those backups in the event of a data loss or system interruption.

Controls over backup and recovery should ensure that all designated applications and data continue to be available to the organization even after an event in which the entire system, both hardware and software, has been lost. Backup and recovery are issues that are addressed in completely different ways, which is why many IT auditors deal with them as two independent topics or control areas.

APPROACHES TO MAKING BACKUPS

There are only three primary alternatives for making backups:

  Full backups. These are made when every item in the system is copied to the backup media. Making a full backup may take minutes or hours and can take up to several hundred tapes.
  Incremental backups. These represent a backup of all files on a system that have changed since the last full or incremental backup was made. To use the incremental backups made each evening, it is necessary to have the most recent full backup and all incremental backups made subsequent to the full backup.
  Differential backups. These represent a backup of all files on a system that have changed since the last full backup. Therefore, to use these backup tapes for a complete restoration, only the most recent full backup and the most recent differential backup are needed.
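
An added example (not from the original text) that works out the restore chain each scheme requires and shows how a single unreadable tape changes the recovery point that can actually be reached. The catalogue layout, the backup ids and the `plan_restore` function are hypothetical, and each backup cycle is assumed to use one scheme only.

```python
from datetime import datetime

# Constructed catalogues: (backup id, kind, completion time, media readable?)
INCREMENTAL = [
    ("F1", "full",        "2024-03-03T01:00", True),
    ("I1", "incremental", "2024-03-04T01:00", True),
    ("I2", "incremental", "2024-03-05T01:00", False),  # tape failed verification
    ("I3", "incremental", "2024-03-06T01:00", True),
]
DIFFERENTIAL = [
    ("F1", "full",         "2024-03-03T01:00", True),
    ("D1", "differential", "2024-03-04T01:00", True),
    ("D2", "differential", "2024-03-05T01:00", False),  # tape failed verification
    ("D3", "differential", "2024-03-06T01:00", True),
]

def plan_restore(catalogue, target):
    """Return (backup ids in restore order, recovery point actually reachable)."""
    cutoff = datetime.fromisoformat(target)
    done = sorted((datetime.fromisoformat(ts), bid, kind, ok)
                  for bid, kind, ts, ok in catalogue)
    done = [b for b in done if b[0] <= cutoff]
    # Every restore starts from the most recent readable full backup.
    fulls = [i for i, b in enumerate(done) if b[2] == "full" and b[3]]
    if not fulls:
        raise LookupError("no readable full backup at or before the target")
    chain = [done[fulls[-1]]]
    cycle = []
    for b in done[fulls[-1] + 1:]:
        if b[2] == "full":       # a later, unreadable full ends the usable cycle
            break
        cycle.append(b)
    diffs = [b for b in cycle if b[2] == "differential" and b[3]]
    if diffs:
        chain.append(diffs[-1])  # only the latest readable differential is needed
    else:
        for b in cycle:          # incrementals: every link is needed, in order
            if not b[3]:
                break            # one bad tape strands every later incremental
            chain.append(b)
    return [b[1] for b in chain], chain[-1][0].isoformat(timespec="minutes")

if __name__ == "__main__":
    for name, cat in (("incremental", INCREMENTAL), ("differential", DIFFERENTIAL)):
        print(name, plan_restore(cat, "2024-03-06T12:00"))
```

With the same bad tape on the second night, the incremental set can only be restored to the first night, while the differential set still reaches the third.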

MEDIA UTILIZED TO MAKE BACKUPS

Backups may be created using any of the following media combinations:

  Disk to diskettes. This would only be used on a system that did not have a tape drive. It is considered to be relatively inefficient because most diskettes have very little capacity in comparison with tapes.
  Disk to tape. This has been, and continues to be, the most common method of making backups. Tapes can hold a lot of information and are considered to be the most cost-efficient medium.
  Disk to disk (optional second step of disk to tape or other media). This is the quickest way to make backups, but requires the IT department to have a lot of available space for the backup files. The disk-to-disk approach permits the online and interactive systems to be reactivated quickly and to have the backups transferred to tape or diskette, making the disk space available once again.

RECOVERY ISSUES

Any time backup issues are discussed, recovery issues should either accompany or precede them. The only business reason to make a backup copy of something is to be able to restore that “something” after it is lost or damaged.

The IT auditor’s historical emphasis has focused on how often backups are made, how the backup media are cared for, how many versions are retained, and other similar items. In many reviews, including some done by this author (a long time ago), little or no emphasis was placed on the use of backups. The IT auditor’s emphasis was on their existence.

Business Contingency Planning, or disaster recovery planning, became more important to the company and to the IT auditor as Automated Application Systems became more integrated with daily business activities. This growing importance led to auditors identifying two critical questions:

1.  Have we done a test recovery to ensure that our backups contain all the information and files needed to restart company systems?
2.  How will we maintain our business activities (production, sales, etc.) and restore the transaction and master data activity that took place after the last backup was taken through the time the automated application systems or data center went down?

While the IT auditor should always keep compensating controls and mitigating circumstances in mind, the wrong answers to these questions should set off alarms for the auditor. And if the automated application systems have so little value that their loss has no meaningful impact, why are they even being evaluated?

Companies are increasingly interested in reducing their dependence on end users being able to move backward in time and recreate their work, for two reasons: it does not work, and highly complex integrated systems require not only completeness but also proper sequencing of re-entered transactions.

One example of the importance of sequencing is the order fulfillment department of a retail store with a catalog or phone order processing function. As orders are entered into the system, stock availability is determined, that information is provided to the customer, the system allocates the appropriate stock, and shipping plans are made. Without addressing the issue of sequencing, the problems an organization can encounter include differing availabilities, differing allocations, differing customer-promised and actual dates, and the potential impossibility of reconciling the transactions as originally processed with those same transactions as recovered following the problem.

A new approach to backups that attempts to reduce the time lag between backups includes fault-tolerant equipment such as dual write controllers and redundant array of independent disks (RAID) hard disk technology. These techniques and technologies are reducing the dependence of the organization on end users to be able to go backward in time to the last backup, or last usable backup, and restore the lost transactions from the backup used to the point in time when the system or application failed.

The following section is a basic but still comprehensive approach for business continuity planning. An audit program constructed on the same framework is included as Workpaper 11-1.

