IT Disaster Recovery

  • In a way, disaster recovery is related to SOX, but don’t spend too much time on it. The more important issues are
    SOD and Process.

  • Just make sure you have enough backups stored:
    one or two every day, and one every week (store them in a safe place outside your company building).

  • DR is considered to be one of the general IT Controls.
    An example: If data is backed up at midnight and sent off site, and a disaster occurs at noon, data entered between midnight and noon may not be reflected within the records of the company. A solid control environment would be able to identify the gaps and provide remediation to restore the data to its proper state. We should be using a
    scenario like this for testing.
    For test results, it is both the recovery of key systems and the actual on-going operations of the entity in the recovery site. Since most entities only conduct Disaster Recovery tests once a year, the test results, like year-end processes, can be done to coincide with the yearly test.

  • I believe that section 404 deals more specifically with the need to establish redundant IT controls over your financial reporting systems, and the last post was correct in stating that there need to be some systems in place that accomplish a complete capture of all financial records in ‘real-time’ in the event of a disaster.
    In the past, Disaster recovery was classified into 3 categories: cold, warm, and hot. With regards to Sarb-Ox, you will need to have a ‘hot’ site that will immediately continue to capture, process, and report on all financial transactions at a moment’s notice.

  • DR is an important aspect of having controls in place.
    You should ensure that you have backups scheduled and that these are actually tested periodically.
    You should also have documented plans in place that define what is and what is not in scope for DR.
    Make sure that your DR plans contain sufficient information for anyone with the necessary skill set to bring a box and related apps back on line. You cannot afford to rely upon your existing staff with all the ‘business knowledge’ to perform in a DR situation. It might well be that the very people you rely on today are unavailable in a real DR situation.
    Document, document, document…
    Hope this helps

  • Just testing is not going to be enough. You have to successfully recover the data. The courts have already established that not recovering data is being treated as if ‘you’re hiding something’.
    I’ve posted this view in the past: backing up in a traditional to-tape environment is going to get IT in big trouble.
    However, SOX doesn’t define what storage media is allowed. As Senator Sarbanes indicates, ‘that’s for the courts to decide’. SOX states the penalties for not being able to produce data as:
    Title VIII: Corporate and Criminal Fraud Accountability Act of 2002.
    It is a felony to ‘knowingly’ destroy or create documents to ‘impede, obstruct or influence’ any existing or contemplated federal investigation.
    Auditors are required to maintain ‘all audit or review work papers’ for five years.
    Title IX: White Collar Crime Penalty Enhancements
    Maximum penalty for mail and wire fraud increased from 5 to 10 years.
    Creates a crime for tampering with a record or otherwise impeding any official proceeding.
    Section 1102: Tampering With a Record or Otherwise Impeding an Official Proceeding
    Makes it a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object’s integrity or availability for use in an official proceeding, or to otherwise obstruct, influence or impede any official proceeding; such a person is liable for up to 20 years in prison and a fine.

  • There is a difference between business continuity planning and disaster recovery.
    To simplify (maybe oversimplify): BCP means you can recover the data. DRP means you can recover your facilities.
    BCP therefore is definitely something you should include and test. However our external auditors have indicated that DRP is operational and therefore out.

  • I see BCP as the business being capable of continuing to operate whilst we in I.T. get things back on line post a disaster, or in fact being capable of continuing to operate whilst maybe even a system is temporarily down.
    We aim to get the business working with paper-based manual systems as their core BCP in case we have a major disaster and all I.T. capability is lost for a while.

  • BCP is NOT in scope for SoX
    DRP is NOT in scope for SoX.
    Backup of critical data that support the financial statements IS.
    So don’t waste your time on BCP and DRP.
    Read PCAOB AS2. It specifically mentions that it is not in scope.

  • I disagree.
    E and Y just nailed one client for not having a DR plan in place. Now, while a DR plan is not within the scope of 404, the vagueness of the individual control is up for discussion. In this case it was determined that since the client did not have a DR plan in place and had not performed a formal recovery of data, then in the event that the systems crash or financial data is deleted they have no proof or control set in place to recover that data.
    In this case the remediation was put in place for the client to perform a random backup and restore of data to an alternate location and submit the logs of the restored data. It was then compared to the original data. After that was completed, a DR plan was submitted and a planned DR test for 2nd quarter 2005 was submitted as part of the overall remediation for this control.
    Even with this completed the client still received a deficiency rating on the control.
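The restore-and-compare drill described in the post above (and the periodic backup testing recommended earlier in the thread) is easy to automate so that the evidence an auditor asks for is produced by the drill itself. The script below is an added illustration, not code from this forum or from any auditing firm: it records a SHA-256 manifest when a backup is taken, restores the backup to an alternate location, and compares the restored files against the manifest, reporting matched, corrupted, missing and extra files. The sample "ledger" files, directory names and the `run_restore_test` driver are constructed for the demonstration; the `tamper` switch deliberately corrupts one restored file to show the check catching a restore that does not match the original.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backup files don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Copy the source tree into backup_dir/data and store a manifest beside it.

    The manifest is the reference the restore is later judged against, so it is
    computed from the live source, not from the copy."""
    shutil.copytree(source, backup_dir / "data")
    manifest = build_manifest(source)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return backup_dir


def restore_backup(backup_dir: Path, restore_to: Path) -> Path:
    """Restore the backed-up data to an alternate location (never over the live copy)."""
    shutil.copytree(backup_dir / "data", restore_to)
    return restore_to


def verify_restore(backup_dir: Path, restored: Path) -> dict:
    """Compare the restored tree with the manifest recorded at backup time.

    Returns a report that can be kept as the drill's log: which files match,
    which differ (corrupted or altered), which are missing, and which are extra."""
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(restored)
    report = {
        "matched": sorted(p for p in expected if actual.get(p) == expected[p]),
        "mismatched": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "extra": sorted(p for p in actual if p not in expected),
    }
    # A restore only passes when every original file came back byte-for-byte.
    report["ok"] = not (report["mismatched"] or report["missing"])
    return report


def run_restore_test(tamper: bool = False) -> dict:
    """End-to-end drill on constructed sample data inside a temporary directory.

    tamper=True corrupts one restored file to demonstrate a failing drill."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "ledger").mkdir(parents=True)
        # Constructed sample records standing in for financial data.
        (source / "ledger" / "gl_2005q1.csv").write_text("acct,amount\n1000,250.00\n")
        (source / "journal.txt").write_text("JE-001 posted\n")

        backup = take_backup(source, base / "backup")
        restored = restore_backup(backup, base / "restore_site")
        if tamper:
            (restored / "journal.txt").write_text("JE-001 posted\nJE-002 altered\n")
        return verify_restore(backup, restored)


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
    print(json.dumps(run_restore_test(tamper=True), indent=2))
```

Keeping the manifest with the backup, rather than recomputing hashes from the backup copy at restore time, is what makes the comparison meaningful: the digests are taken from the live data at the moment the backup was made, so a restore that differs from them is evidence of loss or alteration somewhere between backup and recovery.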

  • I just talked to our independent auditor yesterday. He said that it depends on your auditing firm. For instance, Deloitte doesn’t consider it in scope, but PWC does. Check with your auditor for a definitive answer. I think PCAOB Accounting Standard 2 is clear but I guess most things are subject to interpretation.
    Here is a link to AS2:
    Appendix C section 5 addresses Business Continuity Planning
    ‘Furthermore, management’s plans that could potentially affect financial reporting in future periods are not controls. For example, a company’s business continuity or contingency planning has no effect on the company’s current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company’s business continuity or contingency planning is not part of internal control over financial reporting.’
    That is all, so I could see determining that testing backups occasionally is within scope, but BCP is not.

  • Section 404 (Management Assessment of Internal Controls)
    Requires companies to establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse. This infrastructure must ensure there is no room for unauthorized alteration of records vital to maintaining the integrity of the business processes.
    If you have a disaster (or a ‘disaster’) and you lose some critical data and you have not done all the necessary things to protect these assets, you have a big problem.
    George Lekatis

  • I have always taken this to mean that in the event of a disaster you need to be able to restore the financial data; therefore DRP is in scope. Depending on how you define DRP :roll:
    There is no requirement to get the business up and running again so long as you can rebuild the financials. Therefore BCP is not in scope.

  • We should test the business continuity process prior to the fiscal year close…

  • Disaster Recovery (DR) is the restoration of infrastructure and data. Business Continuity Planning (BCP) builds on (and is dependent on) the DR efforts to allow the business to continue key operations. This is very oversimplified. There are things like the Recovery Point Objective (RPO) that states how much data can be lost from the point of failure, and coordination of disparate systems to ensure a consistent view of the data.
    All of these things imply internal controls. How else will you be able to attest that the controls are effective and durable? If the application systems support business processes that are deemed material to financial reporting then I personally would want to make certain that everything could be recovered.
    When I spoke with a Deloitte Auditor about this, he commented that while BCP is not officially part of SOX it is good practice, and they recommend it for all but their ‘smallest clients’ (presumably due to the economic impact to the client of making it a requirement).
    Anyway, just another perspective. So far this looks like an interesting forum.
