💾 Backup and Recovery
🧭 Planning:
Reviewed backup configurations, schedules, and recovery procedures for critical systems (file servers, databases, and virtual machines) as part of an ITGC audit for operational resilience and compliance.
🎯 Objectives:
- Confirm regular backups are configured, executed, and logged
- Validate that backup data is protected and stored securely
- Assess whether periodic recovery testing is performed
- Evaluate alignment with recovery time objectives (RTO) and recovery point objectives (RPO)
📌 Procedures:
- Reviewed backup policies and daily execution logs
- Verified existence of offsite or cloud backups
- Assessed documentation and evidence of restoration tests
- Compared RTO/RPO targets with current backup configurations
📑 Working Papers:
- WP-ITGC-BR001: Backup & recovery control assessment
- Backup schedules, recovery logs, policy documents
📊 Findings:
- ❗ Backup failures occurred 3 times without prompt resolution
- ❗ Restoration tests had not been conducted in the past 12 months
- ⚠️ No documentation for offsite backup verification
- ⚠️ Backup policy lacked defined RTO and RPO for critical systems
🧰 Tools Used:
Backup software logs (Veeam, Acronis), policy documents, restoration test results, Excel
✅ Recommendations:
- Conduct and document recovery testing at least annually
- Monitor and remediate backup failures within defined SLA
- Implement offsite/cloud backup verification procedures
- Define and align RTO/RPO with business continuity requirements
- Ensure encryption and restricted access for all backup media