IT Disaster Recovery 14



  • There is a difference between business continuity planning and disaster recovery.
    To simplify (maybe oversimplify) BCP means you can recover the data. DRP means you can recover your facilities.
    BCP therefore is definitely something you should include and test. However, our external auditors have indicated that DRP is operational and therefore out.



  • There is a difference between business continuity planning and disaster recovery.
    To simplify (maybe oversimplify) BCP means you can recover the data. DRP means you can recover your facilities.
    BCP therefore is definitely something you should include and test. However, our external auditors have indicated that DRP is operational and therefore out.
    I see BCP as the business being capable of continuing to operate whilst we in I.T. get things back on line post a disaster, or in fact being capable of continuing to operate whilst maybe even a system is temporarily down.
    We aim to get the business working with paper-based manual systems as their core BCP in case we have a major disaster and all I.T. capability is lost for a while.
    Cheers



  • BCP is NOT in scope for SoX
    DRP is NOT in scope for SoX.
    Backup of critical data that support the financial statements IS.
    So don’t waste your time on BCP and DRP.
    Read PCAOB AS2. It specifically mentions that it is not in scope.
    cheers
    tristanatbui.com



  • I disagree.
    E and Y just nailed one client for not having in place a DR plan. Now while a DR plan is not within the scope of 404 the vagueness of the individual control is up for discussion. In this case it was determined that since the client did not have a DR plan in place and has not performed a formal recovery of data, then in the event that the systems crash or financial data is deleted they have no proof or control set in place to recover that data.
    In this case the remediation was put in place for the client to perform a random backup and restore of data to an alternate location and submit the logs of the restored data. It was then compared to the original data. After that was completed a DR plan was submitted and a planned DR test for 2nd quarter 2005 was submitted as part of the overall remediation for this control.
    Even with this completed the client still received a deficiency rating on the control.
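The remediation described in the post above (back up, restore to an alternate location, compare the restored data to the original, and keep the logs as evidence) can be automated so that the evidence is produced the same way every time. The following is an added example, not code from the thread or from any auditor; it assumes the financial data is a directory of files, uses a gzip tar archive as the "alternate location" backup, compares source and restored copies with SHA-256 checksums, and appends one JSON record per run to an evidence log. The sample ledger files are constructed here for the demonstration.

```python
"""Backup/restore verification with an evidence log (added example).

Assumptions (not from the thread): data is a directory of files, the backup is a
gzip tar written to an alternate directory, integrity is judged by SHA-256
checksums, and each run appends a JSON line to a log file for the auditor.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def checksum_manifest(root: Path) -> dict:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def backup(source: Path, archive: Path) -> None:
    """Write every file under source into a gzip tar at the alternate location."""
    archive.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            tar.add(path, arcname=path.relative_to(source).as_posix())


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into target, using the safe 'data' filter where available."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # rejects absolute paths and ".." escapes
        except TypeError:  # older Python without the filter keyword
            tar.extractall(target)


def compare(expected: dict, restored: dict) -> dict:
    """Diff two manifests: files missing after restore, unexpected extras, changed content."""
    missing = sorted(set(expected) - set(restored))
    extra = sorted(set(restored) - set(expected))
    corrupted = sorted(p for p in expected if p in restored and expected[p] != restored[p])
    return {"missing": missing, "extra": extra, "corrupted": corrupted,
            "ok": not (missing or extra or corrupted)}


def run_restore_test(source: Path, alt_site: Path, log_path: Path) -> dict:
    """Back up, restore to the alternate site, verify, and append a log record."""
    archive = alt_site / "backup.tar.gz"
    target = alt_site / "restored"
    before = checksum_manifest(source)
    backup(source, archive)
    restore(archive, target)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "source": str(source),
        "archive": str(archive),
        "restore_target": str(target),
        "files_checked": len(before),
        **compare(before, checksum_manifest(target)),
    }
    log_path.parent.mkdir(parents=True, exist_ok=True)
    with log_path.open("a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo() -> dict:
    """Run the test against constructed sample ledger files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "finance"
        (source / "gl").mkdir(parents=True)
        # Constructed sample data, not real financial records.
        (source / "gl" / "2005-q1.csv").write_text("acct,amount\n1000,42.00\n")
        (source / "ar.csv").write_text("cust,balance\nacme,100.00\n")
        return run_restore_test(source, base / "alt_site", base / "evidence" / "restore.log")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each log line records what was restored, how many files were checked and whether any were missing, extra or changed, which is the kind of evidence the post says had to be submitted; a run with `"ok": false` is the signal that the backup cannot be relied on and needs investigation before the next cycle.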



  • I just talked to our independent auditor yesterday. He said that it depends on your auditing firm. For instance, Deloitte doesn’t consider it in scope, but PWC does. Check with your auditor for a definitive answer. I think PCAOB Accounting Standard 2 is clear but I guess most things are subject to interpretation.
    Here is a link to AS2:
    pcaobus.org/Rules_of_the_Board/Documents/Rules_of_the_Board/Auditing_Standard_2.pdf
    Appendix C section 5 addresses Business Continuity Planning
    ‘Furthermore, management’s plans that could potentially affect financial reporting in future periods are not controls. For example, a company’s business continuity or contingency planning has no effect on the company’s current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company’s business continuity or contingency planning is not part of internal control over financial reporting.’
    That is all, so I could see determining that testing backups occasionally is within scope, but BCP is not.



  • Section 404 (Management Assessment of Internal Controls)
    Requires companies to establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse. This infrastructure must ensure there is no room for unauthorized alteration of records vital to maintaining the integrity of the business processes.
    If you have a disaster (or a ‘disaster’) and you lose some critical data and you have not done all the necessary things to protect these assets, you have a big problem.
    George Lekatis
    lekatis_at_lekatis.com



  • I have always taken this to mean that in the event of a disaster you need to be able to restore the financial data - therefore DRP is in scope. Depending on how you define DRP :roll:
    There is no requirement to get the business up and running again so long as you can rebuild the financials. Therefore BCP is not in scope.



  • We should test the business continuity process prior to the fiscal year close…



  • Disaster Recovery (DR) is the restoration of infrastructure and data. Business Continuity Planning (BCP) builds on (and is dependent on) the DR efforts to allow the business to continue key operations. This is very oversimplified. There are things like the Recovery Point Objective (RPO) that states how much data can be lost from the point of failure, and coordination of disparate systems to ensure a consistent view of the data.
    All of these things imply internal controls. How else will you be able to attest that the controls are effective and durable? If the application systems support business processes that are deemed material to financial reporting then I personally would want to make certain that everything could be recovered.
    When I spoke with a Deloitte Auditor about this he commented that while BCP is not officially part of SOX it is good practice, and they recommend it for all but their ‘smallest clients’ (presumably due to the economic impact to the client of making it a requirement).
    Anyway, just another perspective. So far this looks like an interesting forum.
    Chip



  • ‘Furthermore, management’s plans that could potentially affect financial reporting in future periods are not controls. For example, a company’s business continuity or contingency planning has no effect on the company’s current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company’s business continuity or contingency planning is not part of internal control over financial reporting.’
    March 9, 2004, Auditing Standard 2
    Data backup and off-site storage is enough for Sarbanes-Oxley. It is not enough for business, but it is out of the SOX project scope.



  • What about Section 406 (c)(2)? ‘full, fair, accurate, timely, and understandable disclosure in the periodic reports required to be filed by the issuer;’
    How can you provide assurance in this area unless the fundamental systems providing the transactional data can be restored completely, every time, and on a timely basis? Backups alone won’t do that.



  • What about Section 406 (c)(2)? ‘full, fair, accurate, timely, and understandable disclosure in the periodic reports required to be filed by the issuer;’
    How can you provide assurance in this area unless the fundamental systems providing the transactional data can be restored completely, every time, and on a timely basis? Backups alone won’t do that.
    I absolutely agree with you. You need all these BCPs, DRPs and other plans. But you must be happy they are out of the scope of SOX. PCAOB has decided about that. You don’t need to document and test for SOX and the external auditors, only for your company.



  • Whilst the need to have business continuity process and disaster recovery arrangements in place is a good information security practice, it is not a requirement of the legislation. The legislation can be argued to include the need to take and protect back-ups for financial systems, but does not extend to disaster recovery and business continuity.
    ‘SOX is not concerned if the company goes under, as long as we report it correctly’



  • ‘SOX is not concerned if the company goes under, as long as we report it correctly’
    Exactly. 8O
    SOX is about:

    1. Tightening regulation of independent auditors
    2. Making company officers more accountable for their conduct

    It is not about how well they manage. If they do everything wrong but they admit it and disclose it there is no SOX problem :lol:


  • When I spoke with a Deloitte Auditor about this he commented that while BCP is not officially part of SOX it is good practice, and they recommend it for all but their ‘smallest clients’ (presumably due to the economic impact to the client of making it a requirement).

    All auditors make this recommendation in the hope of being hired to make it happen.
    In all seriousness though, SOX requires companies to be able to restore their financial reporting whereas BCP generally is about getting companies up and running again. SOX doesn’t care if companies get up and running again so long as they can accurately present their accounts to the point of failure 😢



  • Under the rules of SOX, DR is OUT OF SCOPE.
    Computer operations (backup/restore, monitoring) are in, but DR is out because it addresses business continuity. The auditors will / should ask if you have a DR plan and that it is updated or executed annually, but that should be as far as it goes. Hope it helps.



  • Hi Folks,
    I strongly feel that a BCP/DRP forms an overall part of an organization’s GCC. Though SOX nowhere specifically lists BCP/DRP as a requirement, I have seen Big 4 firms specifically pointing out not having a BCP as a problem area.
    It is better that companies have a proper BCP / DRP in place. In the long run this helps, since SOX compliance is not a one-time requirement but is something which is ongoing.
    Regards
    big4guy



  • Are we required to review physical and environmental controls of the disaster recovery site?



  • Yes Sonali, we are …



  • BCP is NOT in scope for SoX
    DRP is NOT in scope for SoX.
    Backup of critical data that support the financial statements IS.
    So don’t waste your time on BCP and DRP.
    Read PCAOB AS2. It specifically mentions that it is not in scope.
    cheers
    tristanatbui.com
    NO BCP and DRP 8O
    What if something happens to the facility, and the servers blow offffff? Maybe the manufacturing facility is elsewhere, but without the information systems won’t the business suffer? Won’t the non-availability of a BCP impair the business and have a financial impact?
    Guess SOX talks about financial impacts :lol:
    Even COBIT covers it (of course it’s a guideline).
    Better have a BCP and DRP, guys.

