IT Disaster Recovery 14



  • ‘Furthermore, management’s plans that could potentially affect financial reporting in future periods are not controls. For example, a company’s business continuity or contingency planning has no effect on the company’s current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company’s business continuity or contingency planning is not part of internal control over financial reporting’
    March 9, 2004, Auditing Standard 2
    Data backup and off-site storage is enough for Sarbanes-Oxley. It is not enough for business, but it is out of the SOX project scope.



  • What about Section 406(c)(2)? ‘full, fair, accurate, timely, and understandable disclosure in the periodic reports required to be filed by the issuer;’
    How can you provide assurance in this area unless the fundamental systems providing the transactional data can be restored completely, every time, and on a timely basis? Backups alone won’t do that.



  • What about Section 406(c)(2)? ‘full, fair, accurate, timely, and understandable disclosure in the periodic reports required to be filed by the issuer;’
    How can you provide assurance in this area unless the fundamental systems providing the transactional data can be restored completely, every time, and on a timely basis? Backups alone won’t do that.
    I absolutely agree with you. You need all these BCPs, DRPs and other plans. But you must be happy they are out of the scope of SOX. PCAOB has decided about that. You don’t need to document and test for SOX and the external auditors, only for your company.



  • Whilst the need to have business continuity process and disaster recovery arrangements in place is a good information security practice, it is not a requirement of the legislation. The legislation can be argued to include the need to take and protect back-ups for financial systems, but does not extend to disaster recovery and business continuity.
    ‘SOX is not concerned if the company goes under, as long as we report it correctly’



  • ‘SOX is not concerned if the company goes under, as long as we report it correctly’
    Exactly. 8O
    SOX is about:

    1. Tightening regulation of independent auditors
    2. Making company officers more accountable for their conduct
      It is not about how well they manage. If they do everything wrong but they admit it and disclose it there is no SOX problem :lol:


  • When I spoke with a Deloitte auditor about this he commented that while BCP is not officially part of SOX it is good practice, and they recommend it for all but their ‘smallest clients’ (presumably due to the economic impact to the client of making it a requirement).

    All auditors make this recommendation in the hope of being hired to make it happen.
    In all seriousness though, SOX requires companies to be able to restore their financial reporting whereas BCP generally is about getting companies up and running again. SOX doesn’t care if companies get up and running again so long as they can accurately present their accounts to the point of failure 😢



  • Under the rules of SOX, DR is OUT OF SCOPE.
    Computer operations - backup/restore / monitoring - are in, but DR is out because it addresses business continuity. The auditors will / should ask if you have a DR plan and that it is updated or executed annually, but that should be as far as it goes. Hope it helps.



  • Hi Folks,
    I strongly feel that a BCP/DRP forms an overall part of an organization’s GCC. Though SOX nowhere specifically lists BCP/DRP as a requirement, I have seen Big 4 firms specifically pointing out not having a BCP as a problem area.
    It is better that companies have a proper BCP / DRP in place. In the long run this helps, since SOX compliance is not a one-time requirement but is something which is ongoing.
    Regards
    big4guy



  • Are we required to review physical and environmental controls of the disaster recovery site?



  • Yes Sonali, we are …



  • BCP is NOT in scope for SoX
    DRP is NOT in scope for SoX.
    Backup of critical data that support the financial statements IS.
    So don’t waste your time on BCP and DRP.
    Read PCAOB AS2. It specifically mentions that it is not in scope.
    cheers
    tristanatbui.com
    NO BCP and DRP 8O
    What if something happens to the facility, and the servers blow offffff? Maybe the manufacturing facility is elsewhere, but without the information systems won’t the business suffer? Won’t the non-availability of a BCP impair the business and have a financial impact?
    Guess SOX talks about financial impacts :lol:
    Even COBIT covers it (of course it’s a guideline).
    Better have a BCP and DRP, guys.



  • I agree with the comments from ‘Yoda404’…
    BCP is NOT in scope for SoX
    DRP is NOT in scope for SoX.
    Backup of critical data that support the financial statements IS.
    So don’t waste your time on BCP and DRP.
    Read PCAOB AS2. It specifically mentions that it is not in scope.
    cheers
    tristanatbui
    So, given the other areas for documentation and testing, a Company that chooses to test DRP is doing so voluntarily since it is specifically EXCLUDED from the testing requirement that is established by the PCAOB.
    Respectfully,
    milan



  • I agree with the comments from ‘Yoda404’…
    BCP is NOT in scope for SoX
    DRP is NOT in scope for SoX.
    Backup of critical data that support the financial statements IS.
    So don’t waste your time on BCP and DRP.
    Read PCAOB AS2. It specifically mentions that it is not in scope.
    cheers
    tristanatbui
    So, given the other areas for documentation and testing, a Company that chooses to test DRP is doing so voluntarily since it is specifically EXCLUDED from the testing requirement that is established by the PCAOB.
    Respectfully,
    milan
    Hi,
    It is not so voluntary as you said, Milan. Nowadays almost all of the auditors’ companies require installation of a DR plan into the company structure. A lot of arguments have already been mentioned above. You’re right that DRP and BCP as instruments are out of scope, but the aim of both is in scope. I mean that management is responsible for recording data reported over financial control. Therefore I think that BCP and especially DRP are in scope for SOX in their objective, not in their form.
    Thanks for all comments



  • The problem with that would be how someone tests something which is included in objective but included in form (in design and effectiveness).
    Calvin



  • This is purely my point of view (and quite logical, I guess).
    While it is ideal to have a BCP (which ensures that I continue making the money) and DRP (which ideally is a kickstart for BCP), as long as I am able to showcase my capability to ACCOUNT for everything to reflect a TRUE and FAIR picture of my financial state, the absence of BCP and/or DRP should not be an issue under SOX. After all, SOX needs me to report on the INTERNAL CONTROLS over Financial REPORTING (right?). As long as I report things properly (be it a profit or loss), the SOX requirement is fulfilled.
    Having said that, periodic backup practices need to be in place to ensure re-construction of the financials till the date of disaster.
    Effectively, a good backup and restoration practice (and of course documentation for the same) should suffice.
    Agree??
    All said and done, it’s the best practice to have the BCP and DRP in place, though SOX does not require that. After all, SOX came way after the concepts of BCP and DRP came. We need a business to report for 😄



  • I agree with Calvin … Business Continuity and DR Plans are absolutely essential and they might even need to be shared with SOX external auditors.
    However, SOX audits aren’t supposed to test every IT control out there, as BC/DR plans should be more thoroughly assessed in general IT control type audits. SOX 404 focuses on management’s controls of automated financial systems and, as Milan notes, BC/DR plans would be outside the scope of controls testing (even though they might still need to be covered with the SOX auditors verbally and/or have documentation shared).

