Page 29 - CITP Review

Regular backups include timely backups, whatever would be considered timely to the entity; for some, that might be once a week, but for other entities it might be every day, and for some, every hour.

Data backups can also be created manually or automatically. The latter is considered to be more reliable. Some tools have built-in backup capability, including Oracle Recovery Manager (RMAN) and SQL Server Management Studio (SSMS). Using software, data backups can be created with specific criteria and at specified times. This operation is fairly easy to test or observe.

Data backup could be to a physical media such as tape, DVDs, or hard disk, or online to a remote server or media. A growing number of service providers offer data storage (for example, cloud services), which has the advantage of easier access and reduced costs, especially regarding transporting physical media. Retrieval of data backups from the cloud is simple and fast.

The type of media could affect the reliability of the backup or recovery process; CDs, DVDs, and tape are subject to transport risk and ease of loss, and tape is subject to being corrupted or erased by strong magnetic objects. But with online servers, the constant mirroring and available shares of cloud backup servers make them vulnerable to ransomware, which corrupts the data and renders the backups useless.

The data backup procedures should minimize recovery risk by using multiple backups and, if budget permits, multiple types of media. The grandfather-father-son method illustrates this risk-minimizing process as follows:

1. The entity backs up data every day on one set of media or to one digital source (“son”).
2. At the end of the week, a backup is made to a second set of media or to a second digital source (“father”).
3. At the end of the month, a backup is made to a third set of media or to a third digital source (“grandfather”).

This process reduces the risk that, if one restoration fails, the entity is left with some form of high-risk manual restoration.
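A worked simulation of the three-step rotation above, added here as an illustration and not part of the CITP Review itself: it assigns each day's backup to the son, father or grandfather set, overwrites the oldest copy once a set is full, and lists the newest copy in each tier that would be tried after a failure. The retention counts, the Sunday week end and the sample dates are assumptions for the example, not figures from the page.

```python
from datetime import date, timedelta
import calendar

# Retention per set (an assumption, not a figure from the page): how many copies
# each tier keeps before its oldest copy is overwritten.
RETENTION = {"son": 7, "father": 4, "grandfather": 12}


def sets_written_on(day: date) -> list[str]:
    """Sets that receive a backup on `day`: son every day, father at the end of the
    week, grandfather at the end of the month (steps 1-3 of the rotation).
    Assumption: the backup week ends on Sunday."""
    sets = ["son"]
    if day.weekday() == 6:
        sets.append("father")
    if day.day == calendar.monthrange(day.year, day.month)[1]:
        sets.append("grandfather")
    return sets


def run_rotation(start_iso: str, days: int) -> dict[str, list[str]]:
    """Simulate `days` consecutive daily runs from the ISO date `start_iso` and
    return the copies (ISO dates) each set still holds, oldest first."""
    held: dict[str, list[str]] = {name: [] for name in RETENTION}
    day = date.fromisoformat(start_iso)
    for _ in range(days):
        for name in sets_written_on(day):
            held[name].append(day.isoformat())
            if len(held[name]) > RETENTION[name]:
                held[name].pop(0)  # the oldest copy in the set is overwritten
        day += timedelta(days=1)
    return held


def restore_candidates(held: dict[str, list[str]], failure_iso: str) -> list[tuple[str, str]]:
    """Newest copy per tier made strictly before the failure, newest first: the
    order a restore is attempted in, so a bad son copy still leaves the father and
    grandfather copies instead of forcing a manual rebuild."""
    candidates = []
    for name, copies in held.items():
        usable = [c for c in copies if c < failure_iso]  # ISO dates sort lexically
        if usable:
            candidates.append((name, max(usable)))
    return sorted(candidates, key=lambda c: c[1], reverse=True)


if __name__ == "__main__":
    # Constructed run: first quarter of 2019, failure on the last day of March.
    held = run_rotation("2019-01-01", 90)
    for tier, copy in restore_candidates(held, "2019-03-31"):
        print(f"{tier:12s} {copy}")
```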

To ensure successful completion of backups, the entity should have policies and procedures detailing the monitoring of backup jobs. This documentation may include criteria defining when a failed backup is merely rerun at the next scheduled interval, versus when further investigation is required. Management may assign individuals or groups to review backups and exceptions and monitor the schedule.

The data should be stored at a reasonable distance from the entity’s operations and should be appropriately secured from unauthorized access. Distance is necessary in the case of a natural disaster such as a tornado, hurricane, or flood, so that the disaster does not destroy the operational data, operational computers, and the data backups simultaneously.

The entity needs to test the recovery of data at least once a year. That test should be robust enough to provide assurance that data can be effectively recovered if a disaster or other event causes loss of operational data. The test should be adequately documented to provide assurance to the auditors that the data was restored properly. For simpler systems and lower risks, that evidence could be a screenshot converted into a hardcopy or softcopy document.




© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-21