Evaluate Backup And Recovery Controls
An auditor reviewing backup controls finds that full backups are performed weekly but no incremental or differential backups are performed between full backups. The primary risk of this configuration is:
Full backups take longer to restore than differential backups.
A system failure between full backups could result in up to one week of data loss, potentially exceeding the organization's RPO.
The backup software may become incompatible with the operating system.
Full backups consume too much storage space compared to incrementals.
Explanation
Without daily incrementals or differentials, any failure between Sunday and the following Saturday could result in up to six days of lost data - a potentially unacceptable RPO for most organizations. Answer D is correct. Storage consumption (A) and restore time (C) are operational concerns. Software compatibility (B) is unrelated.
During a backup controls review, an auditor discovers that the organization performs nightly backup jobs but never monitors the job completion logs. Which control is missing?
A business continuity plan addressing recovery procedures.
Encryption of backup data before transmission.
A policy requiring daily backups.
A monitoring control that reviews backup job results and escalates failures for prompt remediation.
Explanation
Unmonitored backup jobs may fail silently - backups that appear scheduled but actually fail create a false sense of security. Monitoring completion logs and escalating failures is an essential detective control. Answer C is correct. A daily backup policy likely exists (A). Encryption (B) addresses confidentiality. A BCP (D) is a separate planning document.
A financial services firm has an RPO of 15 minutes for its trading system. Which backup configuration would best meet this requirement?
Daily differential backups to an offsite tape facility.
Hourly incremental backups to a disk-based backup system.
Weekly full backups with a hot standby server.
Continuous data protection (CDP) that captures every write operation to a secondary system in real time or near real time.
Explanation
CDP replicates every write operation continuously, achieving near-zero RPO - appropriate for a 15-minute RPO requirement. Answer A is correct. Hourly incrementals (B) can lose up to 60 minutes of data. Daily differentials (C) could lose a full day. Weekly full backups (D) could lose a week.
Which of the following most directly evaluates whether recovery time objectives (RTOs) are achievable?
Reviewing the disaster recovery plan documentation for defined RTO targets.
Confirming that backup media is stored at an offsite facility.
Conducting a timed recovery exercise that measures how long it actually takes to restore systems from backup.
Verifying that the backup schedule aligns with the stated RPO.
Explanation
Only a timed recovery test can confirm whether systems can actually be restored within the RTO - documentation and offsite storage confirm preparedness but do not prove execution capability. Answer D is correct. Plan review (A) and offsite storage (B) are preparedness checks. RPO alignment (C) addresses data loss, not downtime duration.
An organization's disaster recovery plan designates a warm site for system recovery. During an audit, the auditor finds the warm site has not been tested in three years and the hardware at the warm site is significantly outdated compared to production. The most significant risk is:
The warm site provider may increase fees if the site is not used regularly.
The warm site's network connection may be slower than production.
Employees may not know the location of the warm site.
In a real disaster, recovery may fail or significantly exceed the RTO because untested, outdated hardware may be incompatible with current production configurations.
Explanation
Untested, outdated disaster recovery infrastructure is a critical risk - hardware incompatibilities and untested procedures can result in recovery failures or delays well beyond the RTO. Answer C is correct. Provider fees (A), employee awareness (B), and network speed (D) are minor concerns compared to the risk of recovery failure.
A company's backup policy states that all backups must be encrypted. An auditor tests this control by requesting evidence of encryption for a sample of backup files. The auditor finds that 30% of backup files are unencrypted. This finding should be classified as:
An acceptable deviation - occasional unencrypted backups are normal.
A control deficiency - the backup encryption control is not operating effectively, and unencrypted backups expose sensitive data to potential loss or theft.
An informational finding - encryption of backups is not required by law.
A configuration issue - the IT team should update the backup software settings.
Explanation
A 30% failure rate in an encryption control means a significant portion of backup media is unencrypted - a material control deficiency exposing sensitive data if media is lost or stolen. Answer A is correct. A 30% deviation is not acceptable (B). Many regulations and policies do require backup encryption (C). The root cause may be a configuration issue, but the finding is a control deficiency (D).
A company implements immutable backups using object storage with write-once, read-many (WORM) technology. The primary control objective of immutable backups is:
Preventing backup data from being modified or deleted by ransomware or malicious insiders during the retention period.
Improving backup speed by writing data only once.
Ensuring backups are automatically verified after each write operation.
Compressing backup data to reduce storage costs.
Explanation
Immutable backups cannot be altered or deleted once written - even by administrators or ransomware - making them a critical control for ransomware resilience and insider threat protection. Answer B is correct. WORM is not primarily a performance technology (A). Immutability does not equal verification (C). Compression is a separate feature (D).
Which of the following is the most significant deficiency in an organization's backup controls if the organization processes financial transactions 24 hours a day, 7 days a week?
Backups are performed only on weekday nights, leaving weekend transactions unprotected and potentially creating multi-day data loss exposure.
The backup storage capacity exceeds current requirements.
Backup job notifications are sent to a distribution list rather than individual staff members.
The backup software interface is not user-friendly for IT staff.
Explanation
A 24/7 transaction processor needs continuous or near-continuous backup protection. Weeknight-only backups leave significant gaps on weekends when transactions are still occurring. Answer A is correct. Interface usability (B), notification distribution (C), and storage capacity (D) are operational concerns that do not represent a significant control deficiency for 24/7 operations.
A company's recovery controls documentation specifies that the IT disaster recovery team should be notified of a disaster within 30 minutes and begin recovery activities within 1 hour. During a recovery test, the team is not notified for 2 hours. This finding indicates:
An acceptable deviation since recovery still began within 3 hours.
A gap in the disaster notification and escalation process that could delay recovery and jeopardize the RTO.
The notification timeframes in the plan are too aggressive and should be extended.
A training issue that can be resolved with a brief reminder email to the team.
Explanation
A 2-hour notification delay - four times the planned 30-minute target - could push recovery well beyond the RTO. This is a process gap requiring remediation through better communication procedures, automated alerting, or escalation protocols. Answer B is correct. The plan timeframes should not be relaxed without business justification (A). A multi-hour delay is not acceptable (C). Training alone may not address systemic escalation failures (D).
An organization's backup policy requires that critical system backups be tested quarterly. An auditor finds that tests were performed in Q1 but not in Q2 or Q3. The most appropriate audit finding is:
No finding is necessary since Q1 testing was documented.
The policy is too stringent; annual testing would be sufficient.
A control deficiency - the required backup restoration testing was not performed as specified in policy, creating unknown recovery capability gaps for six months.
A minor deviation that should be noted but requires no corrective action.
Explanation
Missing two of four required quarterly test cycles means the organization went six months without verifying recovery capability - a material policy non-compliance and control deficiency. Answer D is correct. Policy requirements exist for good reason and should not be relaxed (A). A single passing test does not fulfill ongoing requirements (B). Six months of missed testing is not minor (C).