in their documentation working papers. There are format templates for risk control, audit procedures, questionnaires and checklists. There is a blank workpaper and a report summary that can be used by audit organizations. AuditNet has prepared a monograph for guidance on preparing and developing audit work programs, checklists, questionnaires and matrices. The monograph is available to AuditNet subscribers. For more information go to www.auditnet.org
Control Matrix
Area: Backup and Recovery
Control #, Reporting Unit, Process, Subprocess, Subprocess Owner
BR-1
Domestic
IT General Controls
BR-2
Domestic
IT General Controls
BR-3
Domestic
IT General Controls
Backup & Recovery Support Services Manager
Backup & Recovery Support Services Manager
BR-4
Domestic
IT General Controls
Control Objective
Process Risk
Ensure that regular backups of company data are occurring as established policies and procedures require, so that complete data is available for restoration purposes if necessary.
Ensure that management is regularly monitoring the execution of the backup processes to ensure that the execution is in compliance with updated policies and procedures.
Company data not available for restoration as complete backups of company data did not occur.
Backup of company data is not occurring in accordance with established policies (and not detected due to the lack of management monitoring) and as such necessary company data may not be available in an emergency situation.
Backup files are not maintained in a secure, offsite location resulting in stolen, altered, destroyed or lost company data files.
Company data not available due to the lack of backup and recovery policies and procedures to provide guidance to ensure that critical company data is backed up regularly.
Ensure that backup files are maintained in a secure, offsite location to ensure that they are available as needed to restore critical company data.
Ensure that regular system backup policies and procedures exist to provide guidance to ensure that all critical company data is backed up regularly.
Gap Description
Control
Complete backup of company data occurs regularly with a backup frequency defined for various data types and applications.
Management regularly monitors the backup schedule, error logs/exception reports generated during the backup of files, and network traffic during the backup process.
Backup files are maintained in a secure offsite location. The facilities are secure, environmentally controlled, and well maintained.
Established policies and procedures exist for systems to be backed up regularly. Documentation exists for the backup schedule of applications and data. The schedule defines the frequency of backups, and the rotation of the tapes. The disaster recovery rating and the business importance of the data determine the frequency.
Significant Control
Comment
Manual
Monitoring
Manual
Control Environment
Manual
Control Activity
Test
Sample Size
W/P Ref.
Determine if the backup schedule is adhered to and that error logs/exception reports are monitored during the backup process.
Determine that backup files are stored in the secure offsite location.
Review the policies and procedures related to backups to determine they exist and are maintained.
Client Name
Internal Control Framework
Date Completed:
Completed By:
Reviewed By:
Question, Yes, No*, Comments/Description
To the best of my knowledge, the answers and comments noted above are accu
* For a No answer, cross-reference to either a compensating control or to audit work which has been performed or is to be performed.
Questionnaire
Signature of Department
2/18/2014
Date Form Completed
Finding Ref #
Control Testing
Finding