Auditing provides an objective examination of how your organization performs controls and whether the results are consistent with the control objectives. Because data backups and related activities are mission-critical, they should be periodically reviewed to ensure that your organization is following backup policies, performing backup procedures consistently and carefully documenting results.
Regardless of the type of data backup audit -- first person (internal audit), second person (external audit by a contracted organization) or third person (fully independent external audit) -- preparation and documentation are two essential components. In addition, make sure the audit firm is familiar with issues associated with data backup and archiving, storage facilities and security, and is prepared to use that expertise.
Importance of the data backup audit
Backup activities are critical, and your organization must perform them accurately and consistently. Failure to perform backups properly -- even with automated backup systems and applications -- can result in lost, stolen or corrupted data and databases. Periodic data backup audits ensure that the backup program is performing as it should, and they identify any anomalies so that they can be corrected.
Most important elements for an audit
Preparation and documentation are the two most important items as you start the IT data backup audit process. Both electronic and hard copy documentation are essential as evidence, so be sure those items have been identified and readied for the audit.
Identify and prepare a team that will deal with the auditors. Team members must understand what is going to happen during the audit, so they can respond to auditor questions accurately. Support from senior IT leadership is key, as the auditors may wish to interview multiple members of the senior IT team. The ability to demonstrate backup systems and how they operate is also important as auditors may wish to see how your organization performs backups.
Best practices for backup audit preparation
Not every item in the following checklist of preaudit activities may be in place before the backup audit. Where an item is missing, be prepared to state in your response to the audit report that you plan to address the findings in accordance with the report's recommendations.
- Provide current copies of all data backup, archiving and related documentation, including backup plans, backup policies and procedures, recent assessments, roles and responsibilities of backup teams, results of backup tests, previous backup problems and how they were resolved, backup training materials, backup schedules, reports on backup performance, evidence of previous management reviews and audits, and evidence of continuous improvement activities.
- Show evidence that the backup program is part of a comprehensive IT disaster recovery (DR) program.
- Show proof that you have scheduled and conducted data backup and recovery tests, backup assessments, backup plan updates, and updates to policies and procedures.
- Provide evidence that demonstrates senior management support for the data backup program, including a senior management sponsor, a budget and staff dedicated to data backups.
- Provide proof that data backup and recovery activities are embedded in your organization as a strategic activity for the business.
Are the auditors prepared?
As data backup and recovery are daily IT functions, check to see if the auditors are familiar with issues associated with data backup and recovery, and if they have previously performed data backup audits.
If you are doing a first-party audit, it may be beneficial to provide background materials on data backup activities to your auditors so they can prepare accordingly. For external audits, ask if the prospective audit firm understands data backup and recovery activities.
Reviewing the backup audit report
Once the audit report has been completed and delivered to the organization, review the findings and recommendations. Note any proposed time frames for delivering responses to the auditor. Brief senior IT management on the report as soon as possible, and be prepared to address any serious performance or operational issues identified in the report. The IT audit team should prepare a response to the audit report as soon as possible, with proposed actions and dates to address the recommendations.
With proper preparation, an understanding of the audit process, and lots of evidence supporting your data backup and recovery activities, your audit experience should be informative and enlightening, helping you to manage the most effective data backup and recovery program.