Literary Warrant for Functional Requirement #2d

This requirement derives from the law, customs, standards and professional best practices accepted by society and codified in the literature of different professions concerned with records and recordkeeping. The warrant is as follows:
Citation 36 CFR PART 1234 -- Electronic Records Management. Subpart C -- Standards for the Creation, Use, Preservation, and Disposition of Electronic Records
Pages 1234.26
Extract Agencies shall implement and maintain an effective records security program that incorporates the following: (b) Provides for backup and recovery of records to protect against information loss.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 7, End-user and Dept. Computing, 1991.
Pages 7-4
Extract Specific management and audit questions related to EUC [END USER COMPUTING] include the following:...Have adequate back-up plans been established to ensure the ability to continue operations or to re-create data?

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 10, Contingency Planning, 1991
Pages 10-41
Extract Contingency planning requires careful and detailed development of back-up procedures and disaster recovery procedures. Equally important, a contingency plan must be continually maintained, updated, and tested. When a contingency plan is developed, the contingency planning team should consider processing alternatives, including manual processing, vendor supply agreements, redundant facilities, reciprocal agreements, contingency facilities, and service bureaus.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 6, Business Systems, 1991
Pages 6-12
Extract Temporary processing interruptions are risks for all application systems. Unless adequate recovery and restart procedures are in place to facilitate continued processing, an organization may lose a significant amount of transaction data or processing capability.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 4, Managing Computer Resources, 1991
Pages 4-35
Extract INTRODUCTION The activities associated with computer resource management include the following: * Disaster recovery planning

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 4, Managing Computer Resources, 1991
Pages 4-54
Extract If there are critical on-line applications, organization management must determine if the users can employ alternative manual procedures until processing can be restored.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 4, Managing Computer Resources, 1991
Pages 4-67,68
Extract The disaster recovery plans should be reviewed to determine if the following conditions are met: * The equipment configuration at the back-up site is still compatible and allows the organization to process critical applications without requiring additional software or a data conversion effort.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 4, Managing Computer Resources, 1991
Pages 4-109
Extract To assess the adequacy of disaster recovery and contingency planning, the auditor should perform the following steps: * If possible, observe or participate in tests of recovery procedures

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 8, Telecommunications, 1991
Pages 8-68
Extract A variety of techniques may be used to verify the existence of adequate controls in the telecommunications environment. These include the following: * Verifying network integrity and monitoring procedures, such as incident reporting and response time measurement * Reviewing the adequacy of network back-up and recovery through examination of back-up procedures and redundancies in the network.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 8, Telecommunications, 1991
Pages 8-90,91,92
Extract RISKS AND CONTROLS The risks associated with EDI applications include the following: Controls to mitigate these risks include the following: * Adequate back-up and contingency planning to ensure continuity of operations

Citation American Institute of Certified Public Accountants; Management Advisory Services Practice Aids: Technical Consulting Practice Aid 11; "Conversion to a Microcomputer-Based Accounting System," 1989
Pages 13
Extract BACKUP RECOVERY SYSTEMS An effective disk- or tape-based backup and recovery system is essential to avoid a potentially catastrophic loss of data. The client needs to regularly back up programs and data files, maintaining copies of all files at a secure off-site location for use in case the on-site files and backup copies are destroyed.

Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts: Artech House 1993)
Pages 86
Extract Because EDI involves the operation of a separate computer system-- and sometimes separate hardware--there are additional requirements for computer operations controls. These requirements include developing restart and recovery procedures for EDI processing and backup procedures for programs and, more importantly, for transaction and master files. Additionally, a disaster recovery plan must be prioritized and its procedures updated to include the complete EDI processing code.

Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.: The Institute of Internal Auditors 1991)
Pages 95
Extract Part of the security measures which must be put in place for all data are those relating to backup and recovery. Where an on-line transaction does not properly complete or where a systems problem subsequently develops, there should be a roll back and roll forward process which minimizes any lost data. The users of the system must also be made aware of any lost transactions. Many of the controls in this area belong in the data base management system and the application system. However, there are also procedural controls which must be in place to ensure that the correct files are used for recovery and that there are backup files available in the event that live data must be re-created.

Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.: The Institute of Internal Auditors 1991)
Pages 244
Extract Contingency planning deals with a prolonged downtime at the primary processing facility. An important part of contingency planning are the backup procedures which should be in place on a regular basis within the computer operations facility. The backup files are then used for recovery procedures where the backed up data is restored to the appropriate files and libraries so that processing can resume at a particular point in time.

Citation Miller GAAS Guide. 1994.
Pages 7.10
Extract It is management's responsibility to establish and maintain an adequate internal control structure that accurately reflects transactions and events in its financial statements.

Citation Bradgate, R. Evidential Issues of EDI. In: EDI & the Law. 1989.
Pages 22-23
Extract A party seeking to rely on computer output in civil or criminal proceedings must be in a position ... to testify to the working of the system and the likely effect of any malfunction or breakdown ...