Backup Procedures and Disaster Recovery Audit Program
Audit Program Overview
Adequate plans should exist for the routine backup of critical
data, programs, documentation, and personnel and for the recovery
of these items after an interruption of processing.
A written plan for resuming information processing activities
in the event of a disaster should be developed and periodically
tested. An arrangement for an alternate site is needed in the
event the computer facility is inoperable or destroyed in a disaster.
Suggested interviewees for ICQ:
A. Operations Manager
B. Director of Information Systems
Control Objective #1 - Backup Procedures
- Review the backup materials. Determine if the backup and recovery
procedures are being followed.
- Interview IS personnel to determine if they have been cross-trained.
Review training records to determine the amount of cross-training
provided.
Control Objective #2 - Off-site Storage Facility
- Take a tour of the off-site storage facility. Determine if
the facility is adequate.
- Compare the log of items stored at the facility with the items
present at the facility. Determine if the log is complete and
up-to-date.
Control Objective #3 - Disaster Recovery Plan
- Obtain and review a copy of the disaster recovery plan and
the alternate site agreement. Determine if they are complete and
current, and if executive management has signed off on the plan.
- Determine who was responsible in developing the plan and if
users and all facets of data processing were adequately involved
in its development.
- Determine if a risk assessment has been prepared and if it
appears reasonable.
- Determine if executive management has approved the funding
for an alternate and testing of the disaster recovery plan. Observe
a test of the plan.
- Review the results of the test of the disaster recovery plan.
Determine if corrective action has been taken on any problems
incurred during the test.
- Visit the alternate processing site. Assess its suitability
and compatibility with the current computer facility.
- Interview users and/or IS personnel to determine if they have
been trained in their responsibilities in the event of an emergency
or disaster. Also determine if they are aware of manual procedures
that are to be used when processing is delayed for an extended
period of time.