Backup and SOX 1523

  • Hi all,
    We are carrying out a SOX wallkthrough with our external audit consultants and the issue of backups seems to be unclear. What our consultants are saying is that if we don’t have our SAP system on site, then backup is out of scope. Since we have our SAP system outsourced and as such it’s out of site, our audit consultants have therefore decided to leave backup controls out of scope.
    I however, have a different view in the sense that our e-mail backups and other documents (that may not be involved with storing information directly related to financial reporting) should be backed up and kept out of site periodically. I’ll be glad if members clarified this for me.
    Thanks in advance.

  • Whether systems arte operated by you or outsourced, applicable controls are still your responsibility and still in scope. If outsourced, then you should have minimum service-level agreements, authority to audit the providers controls. Outsourcing of any activity does not relieve any company of the responsibility to ensure that proper controls are maintained.

  • Hi – I agree with kymike’s good comments on this, as your company is still the ‘owner of the data’ whether backups are done locally by an in-house IT staff or they are done at an out-sourced location. You still might be able to get some help from folks at the IT services site to assist with any documentation or controls needs for this requirement.
    In fact, since you have to rely on others for this critical need, to me it’s all the more important to ensure you have sufficient retention periods, rotational schedules, off-premises storage, security against unauthorized access, etc. As one of my former managers once shared, ‘Anyone can take a backup, but recovery may be a different story’ 😉
    Most likely all will be well with the process and it’s important to ensure backups will be available and properly secured.

  • Hi,
    A related news event that might help to clarify the importance of proper back-up and ability to retrieve archived e-mail:
    Morgan Stanley Sued for Repeated E-Mail Production Failures
    Firm Agrees to Pay USD15 Million Penalty and Undertake Reforms in Settlement
    Washington, D.C., May 10, 2006 - The Securities and Exchange Commission today filed a civil injunctive action against Morgan Stanley and Co. Incorporated for failing to produce tens of thousands of e-mails during the Commission’s IPO and Research Analyst investigations from Dec. 11, 2000, through at least July 2005.
    The Commission alleges in its complaint that Morgan Stanley did not diligently search for back-up tapes containing responsive e-mails until 2005. Morgan Stanley also failed to produce responsive e-mails because it over-wrote back-up tapes…

Log in to reply