Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
10. 10 The ABC Company runs two shifts, from 8:00 AM to Midnight. Backups and system
maintenance are performed between midnight and 8:00 AM. For each of the following
scenarios, determine whether the company’s current backup procedures enable it to meet
its recovery objectives and explain why:
a. Scenario 1:
Recovery point objective = 24 hours
Daily backups at 3:00 am, process takes 2 hours
Copy of backup tapes picked up daily at 8:00 am for storage off-site
Solution: No. Many companies make two backup copies – one to keep locally and
one to store offsite. If a fire or similar event destroyed the data center on a weekday
before 8:00 a.m., both copies of the most recent daily backup tapes would be
b. Scenario 2: Company makes daily incremental backups Monday-Friday at 3:00
am each night. Company makes full backup weekly, on Saturdays at 1:00 pm.
Recovery time objective = 2 hours
Time to do full backup = 3 hours
Time to restore from full backup = 1 hour
Time to make incremental daily backup = 1 hour
Time to restore each incremental daily backup = 30 minutes
Solution: No. If a disaster happened any time after Wednesday, it would take more
than 2 hours to completely restore all backups:
c. Scenario 3: Company makes daily differential backups Monday-Friday at 3:00
a.m. each night. Company makes full backup weekly, on Saturdays, at 1:00 pm.
Recovery time objective = 6 hours
Solution: Yes. Even if a disaster happened early Saturday morning (say at 3:00 am)
the company would not have yet done a full backup, but would have completed its
final differential backup Friday night. Therefore, full restoration would take:
If a disaster happened earlier in the week, the company would take even less time to
restore. For example, if a fire destroyed the data center Wednesday morning, the
company would have to restore the previous Saturday’s full backup plus Tuesday
night’s differential backup:
10.11 Answer all of the following multiple-choice questions:
1) A fire destroys an organization’s data center, which is housed in a separate location
from headquarters. Which of the following documents would contain instructions on
how to respond to that problem?
a. DRP
b. BCP
2) A company makes full backups every Friday night and partial backups on Mondays,
Tuesdays, Wednesdays, and Thursdays. Which of the following is true?
a. On Wednesday, it would take less time to do an incremental backup than a
differential backup, but it would take more time to restore the system from
incremental backups than from differential backups
b. On Wednesday, it would take less time to do an incremental backup than a
differential backup, and it would also take less time to restore the system
from incremental backups than from differential backups
c. On Wednesday, it would take more time to do an incremental backup than a
differential backup, but it would take less time to restore the system from
incremental backups than from differential backups
d. On Wednesday, it would take more time to do an incremental backup than a
differential backup, and it would also take more time to restore the system
from incremental backups than from differential backups
3) Which of the following statements is true?
a. If a company needs to keep a copy of tax-related data about the costs of its
manufacturing facility indefinitely, it should archive that information.
b. Archives should be encrypted, but backups should not be encrypted.
c. The way to recover after a hard drive fails is to restore the most recent
archive of the database.
d. Best practice for backup and recovery is to have two copies of an archive, one
on-site and the other off-site.
e. None of the statements above are true.
4) Fault tolerance procedures/devices/controls contribute to achieving the system
reliability objective referred to as _____________.
a. Confidentiality
b. Privacy
c. Processing Integrity
d. Availability
e. Security
5) An organization leases a building that is prewired for both telephone and Internet
access. It also signs a contract with Dell in which Dell promises to deliver 30 servers and
25 desktop machines, all configured with the latest version of Windows, within 24 hours
of being asked to do so. The organization has adopted the approach to disaster recovery
and business continuity that is referred to as a
a. Hot site
b. Cold site
c. Real-time mirroring
6) Which of the following disaster recovery options is most appropriate when the
values for both RTO and RPO are 2 days or longer?
a. Hot site
b. Cold site
c. Real-time mirroring
7) The amount of data that an organization is willing to risk losing in the event of
a disaster is used to calculate its
a. RPO
b. RTO
8) Which of the following approaches to the issue of availability produces the smallest
RTO and RPO?
a. Hot site
b. Cold site
c. Real time mirroring
d. All of the above result in the same RTO and RPO
SUGGESTED ANSWERS TO THE CASES
Case 10-1 Ensuring Systems Availability
The Journal of Accountancy (available at www.aicpa.org) has published a series of articles
that address different aspects of disaster recovery and business continuity planning:
1. Gerber, J. A., and Feldman, E. R. 2002. “Is Your Business Prepared for the Worst?”
Journal of Accountancy (April): 61-64.
2. McCarthy, E. 2004. “The Best-Laid Plans,” Journal of Accountancy (May): 46-54.
3. Myers, R. 2006. “Katrina’s Harsh Lessons,” Journal of Accountancy (June): 54-63.
4. Phelan, S., and Hayes, M. 2003. “Before the Deluge – and After,” Journal of
Accountancy (April): 57-66.
5. Drew, J., and Tysiac, K. 2013. “Preparing for Disaster,” Journal of Accountancy (May):
26-31.
Required:
a. Read one or more of these articles that your professor assigns. For each article
assigned by your professor, complete the following table, summarizing what each
article said about a specific COBIT 5 management practice (a particular article may
not address all the listed management practices):
b. What point(s) did the article(s) raise that were surprising to you? Why?
COBIT 5 CONTROL OBJECTIVE POINTS DISCUSSED IN ARTICLE
1. Define the business continuity policy,
objectives, and scope.
2. Choose a cost-effective continuity strategy
that will ensure timely and effective recovery
from a disaster.
3. Document the procedures for disaster
recovery and resumption of business
operations.
4. Test the DRP and BCP.
5. Periodically review the DRP and BCP.
Update as required.
6. Train employees on DRP and BCP
procedures.
7. Establish and document backup procedures.
8. Conduct a post resumption review and assess
the adequacy of the DRP and BCP.
Gerber, J. A., and Feldman, E. R. 2002. “Is Your Business Prepared for the Worst?”
COBIT 5
CONTROL
OBJECTIVE
POINTS DISCUSSED IN ARTICLE
continuity
policy,
objectives, and
scope.
strategy.
BCP.
5. Periodic
review and
update of
plans.
7. Document
backup
procedures.
post-resumptio
n review.
McCarthy, E. 2004. “The Best-Laid Plans,” Journal of Accountancy (May):
COBIT 5
CONTROL
OBJECTIVE Points discussed in article
business
continuity
policy,
objectives, and
scope.
2. Choose a
cost effective
strategy.
3. Document
the DRP and
BCP.
7. Document
backup
procedures.
post-resumptio
n review.
Myers, R. 2006. “Katrina’s Harsh Lessons,” Journal of Accountancy (June):
COBIT 5
Control
Objective Points discussed in article
policy,
objectives, and
scope.
2. Choose a
cost effective
strategy.
the DRP and
BCP.
DRP and BCP.
7. Document
backup
procedures.
n review.
Phelan, S., and Hayes, M. 2003. “Before the Deluge – and After,”
COBIT 5
CONTROL
OBJECTIVE Points discussed in article
policy,
objectives,
and scope.
4. Test the
DRP and BCP.
review and
update of
plans.
6. Training
post-resumpti
on review.
Drew, J. and Tysica, K. 2013. “Preparing for Disaster,”
COBIT 5
Control
Objective Points discussed in article
cost effective
strategy.
the DRP and
BCP.
5. Periodic
review and
update of
plans.
6. Training
7. Document
backup
procedures.
8. Conduct
post-resumptio
n review.
Solution to part b: many actual responses are possible. Two of the most likely
topics are
Need for multiple backup communications plans because primary alternative
Details about how it is possible to recover data that appears to have been
Case 10-2 Debugging Errors in Spreadsheets
Obtain a copy of the article “How to debug Excel spreadsheets” by Rayman Meservy and
Marshall Romney published in the Journal of Accountancy (November 2015), pp. 46-52
from either your school library or from the website www.aicpa.org. The spreadsheet
referenced in the article is available for download from the course website. Download the
spreadsheet and follow along with the steps in the article. Write a report that answers the
following questions (these are not completely answered in the article). Include screenshots
to support your answers. Hint: the questions below are listed in the sequence in which you
will encounter them when working through the steps described in the article.
1. How do you know when the “Trace Precedents” rule has located the cell that contains the
source of a chain of errors?
2. Which cells are affected by the error in cell AL4?
3. Explain the nature of the circular reference in the original formula in cell AB6.
4. When you used the “Error Checking” tool, which cells did Excel find? For which of those
cells did Excel suggest the correct solution? For which cells did you decide to ignore Excel’s
error message? Why?
5. In the section “Other Error-Checking Tips” the article points out that the formula for
dropping the lowest score ignores blanks. Instead of doing the nonpermanent solution
described in the article, create a permanent solution that will successfully handle any
future missing quizzes or assignments (i.e., fix the formula so that it will correctly drop a
blank cell instead of the lowest non-blank cell).
6. Write a data validation rule that would prevent the kind of error that exists in cell U53,
so that you do not have to rely on manually identifying such an error and manually
correcting it.
7. The final paragraph of the section “Other Error-Checking Tips” asks whether there
remain any other cells that have values amid a column of formulas. Did you find any?
8. The final section of the article asks you to examine the formulas to see if they are correct.
Did you find any logic errors? Explain.
Solution:
1. When clicking on “Trace Precedents” does not change the red arrow line, you know you have
2. Cells BB4, AL60, AL62, AL63, and AL64 are all directly affected by the error in AL4. In turn,
3. The formula tries to identify the smallest number in a range that includes itself (i.e., the
4. The “errors” in column BC can be ignored because they are not really errors. The problem is
5. One possible solution involves the countblank function, which looks for blank cells. If it finds
two or more in a row, then you don’t drop any scores. If it finds one, you would then only drop
the lowest numeric score. If it finds zero, then you drop the two lowest scores. Here is how the
resulting formula in column AC (total points) would look:
6. If all the input cells for the quizzes had a data validation rule that said it had to be whole
7. Depending upon whether the student corrected the problem in cell BB42, that cell may still be
8. The total points possible (cell AC58) shows 200, after dropping the two lowest scores.
