IT Disaster Recovery 14



  • Under the rules of SOX, DR is OUT OF SCOPE.
    Computer operations (backup/restore, monitoring) are covered, but DR is out because it addresses business continuity. The auditors will / should ask if you have a DR plan and that it is updated or executed annually, but that should be as far as it goes. Hope it helps.



  • Hi Folks,
    I strongly feel that a BCP/DRP forms an overall part of an organization's GCC. Though SOX nowhere specifically lists BCP/DRP as a requirement, I have seen Big 4 firms specifically pointing out not having a BCP as a problem area.
    It is better that companies have a proper BCP / DRP in place. In the long run this helps, since SOX compliance is not a one-time requirement but is something which is ongoing.
    Regards
    big4guy



  • Are we required to review physical and environmental controls of the disaster recovery site?



  • Yes Sonali, we are …



  • BCP is NOT in scope for SoX
    DRP is NOT in scope for SoX.
    Backup of critical data that support the financial statements IS.
    So don’t waste your time on BCP and DRP.
    Read PCAOB AS2. It specifically mentions that it is not in scope.
    cheers
    tristanatbui.com
    NO BCP and DRP 8O
    What if something happens to the facility, and the servers blow off? Maybe the manufacturing facility is elsewhere, but without the information systems won't the business suffer? Won't the non-availability of a BCP impair the business and have a financial impact?
    Guess SOX talks about financial impacts :lol:
    Even COBIT covers it (of course it's a guideline).
    Better have a BCP and DRP, guys.



  • I agree with the comments from ‘Yoda404’…
    BCP is NOT in scope for SoX
    DRP is NOT in scope for SoX.
    Backup of critical data that support the financial statements IS.
    So don’t waste your time on BCP and DRP.
    Read PCAOB AS2. It specifically mentions that it is not in scope.
    cheers
    tristanatbui
    So, given the other areas for documentation and testing, a Company that chooses to test DRP is doing so voluntarily since it is specifically EXCLUDED from the testing requirement that is established by the PCAOB.
    Respectfully,
    milan



  • Hi,
    It is not so voluntary as you said, Milan. Nowadays almost all of the auditors' companies require installation of a DR plan into the company structure. A lot of arguments have already been mentioned above. You're right that DRP and BCP as instruments are out of scope, but the aim of both is in scope. I mean that management is responsible for recording data reported over financial control. Therefore I think that BCP and especially DRP are in scope for SOX in their objective, not in their form.
    Thanks for all comments.



  • The problem with that would be how someone tests something which is included in objective but not in form (in design and effectiveness).
    Calvin



  • This is purely my point of view (and quite logical, I guess).
    While it is ideal to have a BCP (which ensures that I continue making the money) and DRP (which ideally is a kickstart for BCP), as long as I am able to showcase my capability to ACCOUNT for everything to reflect a TRUE and FAIR picture of my financial state, the absence of BCP and/or DRP should not be an issue under SOX. After all, SOX needs me to report on the INTERNAL CONTROLS over Financial REPORTING (right?). As long as I report things properly (be it a profit or loss), the SOX requirement is fulfilled.
    Having said that, periodic backup practices need to be in place to ensure re-construction of the financials up to the date of disaster.
    Effectively, a good backup and restoration practice (and of course documentation for the same) should suffice.
    Agree??
    All said and done, it's the best practice to have the BCP and DRP in place, though SOX does not require that. After all, SOX came way after the concepts of BCP and DRP came. We need a business to report for 😄



  • I agree with Calvin … Business Continuity and DR Plans are absolutely essential and they might even need to be shared with SOX external auditors.
    However, SOX audits aren't supposed to test every IT control out there, as BC/DR plans should be more thoroughly assessed in general IT control type audits. SOX 404 focuses on management's controls of automated financial systems and, as Milan notes, BC/DR plans would be outside the scope of controls testing (even though they might still need to be covered with the SOX auditors verbally and/or documentation shared).
