Literary Warrant for Functional Requirement #2d
This requirement derives from the law, customs, standards and
professional best practices accepted by society and codified in the literature of different professions concerned with records and
recordkeeping. The warrant is as follows:
Citation 36 CFR PART 1234 -- Electronic Records Management. Subpart C -- Standards for
the Creation, Use, Preservation, and Disposition of Electronic Records
Pages 1234.26
Extract Agencies shall implement and maintain an effective records security program that incorporates the
following: (b) Provides for backup and recovery of records to protect against information loss.
Citation The Institute of Internal Auditors Research Foundation;Systems Auditability and Control, Module
7, End-user and Dept. Computing, 1991.
Pages 7-4
Extract Specific management and audit questions related to EUC [END USER COMPUTING] include the
following:...Have adequate back-up plans been established to ensure the ability to continue operations or
to re-create data?
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
10, Contingency Planning, 1991
Pages 10-41
Extract Contingency planning requires careful and detailed development of back-up procedures and
disaster recovery procedures. Equally important, a contingency plan must be continually maintained,
updated, and tested. When a contingency plan is developed, the contingency planning team should
consider processing alternatives, including manual processing, vendor supply agreements, redundant
facilities, reciprocal agreements, contingency facilities, and service bureaus.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-12
Extract Temporary processing interruptions are risks for all application systems. Unless adequate recovery
and restart procedures are in place to facilitate continued processing, an organization may lose a
significant amount of transaction data or processing capability.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-35
Extract INTRODUCTION The activities associated with computer resource management include the
following: * Disaster recovery planning
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-54
Extract If there are critical on-line applications, organization management must determine if the users can
employ alternative manual procedures until processing can be restored.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-67,68
Extract The disaster recovery plans should be reviewed to determine if the following conditions are met: *
The equipment configuration at the back-up site is still compatible and allows the organization to
process critical applications without requiring additional software or a data conversion effort.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-109
Extract To assess the adequacy of disaster recovery and contingency planning, the auditor should perform
the following steps: * If possible, observe or participate in tests of recovery procedures
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-68
Extract A variety of techniques may be used to verify the existence of adequate controls in the
telecommunications environment. These include the following: * Verifying network integrity and
monitoring procedures, such as incident reporting and response time measurement * Reviewing the
adequacy of network back-up and recovery through examination of back-up procedures and
redundancies in the network.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-90,91,92
Extract RISKS AND CONTROLS The risks associated with EDI applications include the following: ...
Controls to mitigate these risks include the following: * Adequate back-up and contingency planning to
ensure continuity of operations
Citation American Institute of Certified Public Accountants; Management Advisory Services Practice Aids:
Technical Consulting Practice Aid 11; "Conversion to a Microcomputer-Based Accounting System,"
1989
Pages 13
Extract BACKUP RECOVERY SYSTEMS An effective disk- or tape-based backup and recovery system
is essential to avoid a potentially catastrophic loss of data. The client needs to regularly back up
programs and data files, maintaining copies of all files at a secure off-site location for use in case the
on-site files and backup copies are destroyed.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 86
Extract Because EDI involves the operation of a separate computer system-- and sometimes separate
hardware--there are additional requirements for computer operations controls. These requirements
include developing restart and recovery procedures for EDI processing and backup procedures for
programs and, more importantly, for transaction and master files. Additionally, a disaster recovery plan
must be prioritized and its procedures updated to include the complete EDI processing code.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 95
Extract Part of the security measures which must be put in place for all data are those relating to backup
and recovery. Where an on-line transaction does not properly complete or where a systems problem
subsequently develops, there should be a roll back and roll forward process which minimizes any lost
data. The users of the system must also be made aware of any lost transactions. Many of the controls in
this area belong in the data base management system and the application system. However, there are
also procedural controls which must be in place to ensure that the correct files are used for recovery and
that there are backup files available in the event that live data must be re-created.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 244
Extract Contingency planning deals with a prolonged downtime at the primary processing facility. An
important part of contingency planning is the backup procedures which should be in place on a regular
basis within the computer operations facility. The backup files are then used for recovery procedures
where the backed up data is restored to the appropriate files and libraries so that processing can resume
at a particular point in time.
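The two Gilhooley extracts above describe one recovery procedure: restore a backup taken at a known point in time, roll forward the transactions that completed after it, roll back those that did not, tell users which transactions were lost, and have a procedural control that the correct backup file is used. The following is an added example of that procedure, not code from the warrant or from any cited source. The snapshot, its digest and the log records are constructed sample data, and the log format (BEGIN, UPDATE, COMMIT records keyed by transaction id) is an assumption of the example rather than a format taken from the literature.

```python
"""Point-in-time recovery: verified snapshot + roll forward + roll back."""
import hashlib
import json

# Constructed sample data (not from the cited sources): a backup snapshot of
# an account ledger and the digest recorded when the backup was taken.
SNAPSHOT = {"acct-1": 100, "acct-2": 50}
SNAPSHOT_DIGEST = hashlib.sha256(
    json.dumps(SNAPSHOT, sort_keys=True).encode()).hexdigest()

# Constructed transaction log written after the snapshot. The record format
# (BEGIN / UPDATE / COMMIT per transaction id) is an assumption of this
# example. T3 has no COMMIT record: the system failed mid-transaction.
LOG = [
    {"txn": "T1", "op": "BEGIN"},
    {"txn": "T1", "op": "UPDATE", "acct": "acct-1", "delta": -30},
    {"txn": "T1", "op": "UPDATE", "acct": "acct-2", "delta": 30},
    {"txn": "T1", "op": "COMMIT"},
    {"txn": "T2", "op": "BEGIN"},
    {"txn": "T2", "op": "UPDATE", "acct": "acct-2", "delta": -10},
    {"txn": "T2", "op": "COMMIT"},
    {"txn": "T3", "op": "BEGIN"},
    {"txn": "T3", "op": "UPDATE", "acct": "acct-1", "delta": -500},
]


class WrongBackupFile(Exception):
    """Raised when the backup offered for recovery is not the recorded one."""


def load_verified_snapshot(snapshot, expected_digest):
    """Procedural control: refuse to recover from a backup whose digest does
    not match the digest recorded at backup time (wrong generation, wrong
    system, or a file altered in storage)."""
    digest = hashlib.sha256(
        json.dumps(snapshot, sort_keys=True).encode()).hexdigest()
    if digest != expected_digest:
        raise WrongBackupFile(
            f"backup digest {digest[:12]} != recorded {expected_digest[:12]}")
    return dict(snapshot)  # work on a copy; the backup itself stays untouched


def recover(snapshot, expected_digest, log):
    """Restore the verified snapshot, roll forward committed transactions in
    log order, and roll back (discard) any transaction with no COMMIT record.
    Returns (recovered_state, lost_transaction_ids); the second value is what
    users must be told so they can re-enter the lost work."""
    state = load_verified_snapshot(snapshot, expected_digest)
    started = {r["txn"] for r in log if r["op"] == "BEGIN"}
    committed = {r["txn"] for r in log if r["op"] == "COMMIT"}
    for rec in log:  # log order preserves the original update sequence
        if rec["op"] == "UPDATE" and rec["txn"] in committed:
            state[rec["acct"]] = state.get(rec["acct"], 0) + rec["delta"]
    lost = sorted(started - committed)  # rolled back: never applied
    return state, lost


if __name__ == "__main__":
    recovered, lost_txns = recover(SNAPSHOT, SNAPSHOT_DIGEST, LOG)
    print("recovered state:", recovered)
    print("lost transactions to report to users:", lost_txns)
    try:  # the wrong file must be rejected, not silently restored
        recover({"acct-1": 999}, SNAPSHOT_DIGEST, LOG)
    except WrongBackupFile as exc:
        print("rejected:", exc)
```

The digest check is the part of the procedure that lives outside the database and application: it is the operational control that the file being restored is the one the recovery plan designated, which is the kind of control an auditor observing a recovery test (Module 4, page 4-109 above) would expect to see exercised.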
Citation Miller GAAS Guide. 1994.
Pages 7.10
Extract It is management's responsibility to establish and maintain an adequate internal control structure
that accurately reflects transactions and events in its financial statements.
Citation Bradgate, R. Evidential Issues of EDI. In: EDI & the Law. 1989.
Pages 22-23
Extract A party seeking to rely on computer output in civil or criminal proceedings must be in a position
... to testify to the working of the system and the likely effect of any malfunction or breakdown ...