Backup Procedures and Disaster Recovery Audit Program

Audit Program Overview

Adequate plans should exist for the routine backup of critical data, programs, documentation, and personnel and for the recovery of these items after an interruption of processing.

A written plan for resuming information processing activities in the event of a disaster should be developed and periodically tested. An arrangement for an alternate site is needed in the event the computer facility is inoperable or destroyed in a disaster.

Suggested interviewees for the Internal Control Questionnaire (ICQ):

Control Objective #1 - Backup Procedures

  1. Review the backup materials. Determine if the backup and recovery procedures are being followed.

  2. Interview IS personnel to determine if they have been cross-trained. Review training records to determine the amount of cross-training provided.

Control Objective #2 - Off-site Storage Facility

  1. Take a tour of the off-site storage facility. Determine if the facility is adequate.

  2. Compare the log of items stored at the facility with the items present at the facility. Determine if the log is complete and up-to-date.

Control Objective #3 - Disaster Recovery Plan

  1. Obtain and review a copy of the disaster recovery plan and the alternate site agreement. Determine if they are complete and current, and if executive management has signed off on the plan.

  2. Determine who was responsible for developing the plan and whether users and all facets of data processing were adequately involved in its development.

  3. Determine if a risk assessment has been prepared and if it appears reasonable.

  4. Determine if executive management has approved the funding for an alternate site and for testing of the disaster recovery plan. Observe a test of the plan.

  5. Review the results of the test of the disaster recovery plan. Determine if corrective action has been taken on any problems encountered during the test.

  6. Visit the alternate processing site. Assess its suitability and compatibility with the current computer facility.

  7. Interview users and/or IS personnel to determine if they have been trained in their responsibilities in the event of an emergency or disaster. Also determine if they are aware of manual procedures that are to be used when processing is delayed for an extended period of time.