Audit Program Licensing Terms

1. You accept that this product is intended for your use, and you will not
duplicate in any form or manner, electronic or otherwise, copies of this product
nor distribute this product to anyone else.

2. You recognize that the product and its content are the sole property of
AuditNet® (the Publisher), and that we have copyrighted the product.

3. You agree that the Publisher is not responsible for any interruption of
service or malfunction that is a consequence of the Internet, a service provider,
personal computer, browser or other software or hardware components. You
accept that there is no guarantee that this product is totally error free. You
further understand and accept that the Publisher intends to provide reliable
information but does not guarantee the accuracy or completeness of any
information, and is not responsible for any results obtained from the use of
such information.

4. This license is effective until terminated, when the license or subscription
period ends without renewal, or when you destroy this product and any related
documentation. The Publisher may terminate your license without notice if you
fail to comply with the conditions set forth in this agreement, and may pursue
any other legal recourse.

COSO - Integrated Internal Control Framework
COSO CONTROL COMPONENT: MONITORING CONTROL ACTIVITIES
COSO PRINCIPLE NO. 16 & 17
COSO CONTROL OBJECTIVE: Information Technology - Data Backup and Backup Media.
COSO ORGANIZATION LEVEL OF RESPONSIBILITY: BUSINESS UNITS AND ACTIVITY LEVEL

Carry out the monitoring activities on internal controls implemented in the organization as per the procedures listed below, prepare an evaluation of internal controls, and
communicate the deficiencies identified during the evaluation of internal controls. You can prepare an Internal Audit report for communicating the internal control
deficiencies identified.

Objective:
1) All data and critical systems are properly and completely backed-up, tested / restored and retrieved.
2) The organization's business data is effectively protected from loss, damage and/or disclosure.
3) All backed up business data remains in a useable and readily available form.

Objective & Questionnaire Ref. | I. C. Audit Procedures | WP Ref | Auditor Initials | Time Spent | Date Expected | Date Finished | Checked By: | Remarks

1.1 Discuss with the management to gain an understanding of whether they have documented policies and procedures which ensure that all the critical systems and business information or data are appropriately safeguarded against disasters or failures.

1.2 Confirm whether the documented policies and procedures are duly approved by the senior management.

1.3 Confirm whether the documented policies and procedures are updated.

1.4 Examine whether the management regularly reviews the backup procedures of the systems and data files.

1.5 Verify how frequently the review of the backup procedures is performed and whether it is carried out within a suitable and defined time.

1.6 Obtain backup logs and assess them for appropriateness and completeness. Further, examine the frequency of management review.

1.7 Confirm if data backup readability is tested regularly through restoration or other similar methods.

1.8 Acquire documentation, such as test results, that confirms the readability testing of backed-up data and its review for appropriateness and completeness.

1.8 Ask the management how consistently they examine whether the backup procedures are appropriate for changing business requirements.

1.9 Validate whether the management reviews the backup procedures and ensures that the procedures are precise and updated.

1.10 Confirm with the management what tests are performed to ensure that no failure occurs while testing a prescribed backup within the defined time.

1.11 Confirm the regularity of the tests performed and also examine whether any failure occurs while carrying out the test of the prescribed data backup.

1.6 Confirm with the management and document the procedures that are followed to ensure that the data backup practices are appropriate enough to protect their critical business data and activities.

1.7 1. Examine whether any automated data retention tool is used to manage the backup and retention scheduling.
    2. Examine the usage of automated data retention tools and the backup schedules.

1.8 Verify if the data backups and data retention exercises are planned and scheduled.

1.9 Acquire the backup scheduling documentation and analyze it for appropriateness.

2.1 Discuss with the management the monthly/quarterly reviews that confirm that all business data and system backups are stored in a secure place and are adequately protected from damage, loss or disclosure.

2.2 Examine a sample of the monthly/quarterly reports to confirm that all business data and system backups are stored in a secure place and are adequately protected from damage, loss or disclosure.

2.3 Ask the management about, and note, the critical elements of corporate business data to protect in the event of a major systems failure or disaster.

2.4 Identify all the critical elements of corporate data which should be appropriately protected in the event of a major systems failure or disaster.

2.5 Examine the backup test results and confirm that all the critical elements are adequately protected and can be restored in the event of a major systems failure or disaster.

2.6 Discuss with the management the established local backup storage facilities that support appropriate protection in the event of a disaster.

2.7 Examine the tape storage vault location and determine its appropriateness.

2.8 Examine if the local backup storage facilities are kept in a secure storage location and the backed-up data are in encrypted form.

2.9 Meet and discuss with the relevant staff involved in media handling to determine if they are proficient in handling and transporting techniques in order to protect corporate data systems.

2.10 Acquire the training schedule, training material / content and attendees sheet.

2.11 Examine whether the training is adequate and all concerned staff attend the training.

2.12 Discuss with the management and verify the preventive and detective controls that are used to mitigate unauthorized access to or use of backup media.

2.13 Confirm if all the preventive and detective controls are functioning properly and are regularly reviewed and monitored.

3.1 Discuss with the management the "file naming conventions standard" of the entity and backup checklists.

3.2 Confirm whether the name/label of the backup media and data being backed up adheres to the naming conventions of the company policy.

3.3 Discuss with the management the policies and procedures regarding prevailing and relevant data retention legislation and regulations for things such as accounting and financial data.

3.4 Confirm if the policies and procedures comply with the data retention legislation and regulations and are updated.

3.5 Discuss with the management to gain an understanding of periodic test procedures to confirm that long-term backup media remain in readable and useable form.

3.6 Examine whether the long-term backup media are in readable and useable form and are periodically tested.

3.7 Discuss with the management the policies and procedures in place which control the discarding of outdated or unwanted media.

3.8 Confirm whether the outdated or unwanted media are examined before discarding to ensure that the relevant or important data are not destroyed.

3.9 Discuss with the relevant personnel the procedures in place to ensure that backup copies of critical data are available so that, if one copy becomes damaged or useless, the other one can be used.

3.10 Confirm if the copies and the original data are the same and that a process for monitoring the periodic backup is in place.

3.11 Confirm that the copies of the original data are not subject to the same damage / impairment as the original data and ensure that the copies are kept in a safe location.

3.12 Examine that the backup media are labeled adequately for proper identification.

3.13 Examine the labeling on some of the backup files and media that are on-site for appropriateness.

End of Document