978-0134474021 Chapter 10 Solutions Manual Part 6

Unlock access to all the studying documents.

View Full Document

10. 10 The ABC Company runs two shifts, from 8:00 AM to Midnight. Backups and system

maintenance are performed between midnight and 8:00 AM. For each of the following

scenarios, determine whether the company’s current backup procedures enable it to meet

its recovery objectives and explain why:

a. Scenario 1:

Recovery point objective = 24 hours

Daily backups at 3:00 am, process takes 2 hours

Copy of backup tapes picked up daily at 8:00 am for storage off-site

Solution: No. Many companies make two backup copies – one to keep locally and

one to store offsite. If a fire or similar event destroyed the data center on a weekday

before 8:00 a.m., both copies of the most recent daily backup tapes would be

b. Scenario 2: Company makes daily incremental backups Monday-Friday at 3:00

am each night. Company makes full backup weekly, on Saturdays at 1:00 pm.

Recovery time objective = 2 hours

Time to do full backup = 3 hours

Time to restore from full backup = 1 hour

Time to make incremental daily backup = 1 hour

Time to restore each incremental daily backup = 30 minutes

Solution: No. If a disaster happened any time after Wednesday, it would take more

than 2 hours to completely restore all backups:

c. Scenario 3: Company makes daily differential backups Monday-Friday at 3:00

a.m. each night. Company makes full backup weekly, on Saturdays, at 1:00 pm.

Recovery time objective = 6 hours

Solution: Yes. Even if a disaster happened early Saturday morning (say at 3:00 am)

the company would not have yet done a full backup, but would have completed its

final differential backup Friday night. Therefore, full restoration would take:

If a disaster happened earlier in the week, the company would take even less time to

restore. For example, if a fire destroyed the data center Wednesday morning, the

company would have to restore the previous Saturday’s full backup plus Tuesday

night’s differential backup:

10.11 Answer all of the following multiple-choice questions:

1) A fire destroys an organization’s data center, which is housed in a separate location

from headquarters. Which of the following documents would contain instructions on

how to respond to that problem?

a. DRP

b. BCP

2) A company makes full backups every Friday night and partial backups on Mondays,

Tuesdays, Wednesdays, and Thursdays. Which of the following is true?

a. On Wednesday, it would take less time to do an incremental backup than a

differential backup, but it would take more time to restore the system from

incremental backups than from differential backups

b. On Wednesday, it would take less time to do an incremental backup than a

differential backup, and it would also take less time to restore the system

from incremental backups than from differential backups

c. On Wednesday, it would take more time to do an incremental backup than a

differential backup, but it would take less time to restore the system from

incremental backups than from differential backups

d. On Wednesday, it would take more time to do an incremental backup than a

differential backup, and it would also take more time to restore the system

from incremental backups than from differential backups

3) Which of the following statements is true?

a. If a company needs to keep a copy of tax-related data about the costs of its

manufacturing facility indefinitely, it should archive that information.

b. Archives should be encrypted, but backups should not be encrypted.

c. The way to recover after a hard drive fails is to restore the most recent

archive of the database.

d. Best practice for backup and recovery is to have two copies of an archive, one

on-site and the other off-site.

e. None of the statements above are true.

4) Fault tolerance procedures/devices/controls contribute to achieving the system

reliability objective referred to as _____________.

a. Confidentiality

b. Privacy

c. Processing Integrity

d. Availability

e. Security

5) An organization leases a building that is prewired for both telephone and Internet

access. It also signs a contract with Dell in which Dell promises to deliver 30 servers and

25 desktop machines, all configured with the latest version of Windows, within 24 hours

of being asked to do so. The organization has adopted the approach to disaster recovery

and business continuity that is referred to as a

a. Hot site

b. Cold site

c. Real-time mirroring

6) Which of the following disaster recovery options is most appropriate when the

values for both RTO and RPO are 2 days or longer?

a. Hot site

b. Cold site

c. Real-time mirroring

7) The amount of data that an organization is willing to risk losing in the event of

a disaster is used to calculate its

a. RPO

b. RTO

8) Which of the following approaches to the issue of availability produces the smallest

RTO and RPO?

a. Hot site

b. Cold site

c. Real time mirroring

d. All of the above result in the same RTO and RPO

SUGGESTED ANSWERS TO THE CASES

Case 10-1 Ensuring Systems Availability

The Journal of Accountancy (available at www.aicpa.org) has published a series of articles

that address different aspects of disaster recovery and business continuity planning:

1. Gerber, J. A., and Feldman, E. R. 2002. “Is Your Business Prepared for the Worst?”

Journal of Accountancy (April): 61-64.

2. McCarthy, E. 2004. “The Best-Laid Plans,” Journal of Accountancy (May): 46-54.

3. Myers, R. 2006. “Katrina’s Harsh Lessons,” Journal of Accountancy (June): 54-63.

4. Phelan, S., and Hayes, M. 2003. “Before the Deluge – and After,” Journal of

Accountancy (April): 57-66.

5. Drew, J., and Tysiac, K. 2013. “Preparing for Disaster,” Journal of Accountancy (May):

26-31.

Required:

a. Read one or more of these articles that your professor assigns. For each article

assigned by your professor, complete the following table, summarizing what each

article said about a specific COBIT 5 management practice (a particular article may

not address all the listed management practices):

b. What point(s) did the article(s) raise that were surprising to you? Why?

COBIT 5 CONTROL OBJECTIVE POINTS DISCUSSED IN ARTICLE

1. Define the business continuity policy,

objectives, and scope.

2. Choose a cost-effective continuity strategy

that will ensure timely and effective recovery

from a disaster.

3. Document the procedures for disaster

recovery and resumption of business

operations.

4. Test the DRP and BCP.

5. Periodically review the DRP and BCP.

Update as required.

6. Train employees on DRP and BCP

procedures.

7. Establish and document backup procedures.

8. Conduct a post resumption review and assess

the adequacy of the DRP and BCP.

Gerber, J. A., and Feldman, E. R. 2002. “Is Your Business Prepared for the Worst?”

COBIT 5

CONTROL

OBJECTIVE

POINTS DISCUSSED IN ARTICLE

continuity

policy,

objectives, and

scope.

strategy.

BCP.

5. Periodic

review and

update of

plans.

7. Document

backup

procedures.

post-resumptio

n review.

McCarthy, E. 2004. “The Best-Laid Plans,” Journal of Accountancy (May):

COBIT 5

CONTROL

OBJECTIVE Points discussed in article

business

continuity

policy,

objectives, and

scope.

2. Choose a

cost effective

strategy.

3. Document

the DRP and

BCP.

7. Document

backup

procedures.

post-resumptio

n review.

Myers, R. 2006. “Katrina’s Harsh Lessons,” Journal of Accountancy (June):

COBIT 5

Control

Objective Points discussed in article

policy,

objectives, and

scope.

2. Choose a

cost effective

strategy.

the DRP and

BCP.

DRP and BCP.

7. Document

backup

procedures.

n review.

Phelan, S., and Hayes, M. 2003. “Before the Deluge – and After,”

COBIT 5

CONTROL

OBJECTIVE Points discussed in article

policy,

objectives,

and scope.

4. Test the

DRP and BCP.

review and

update of

plans.

6. Training

post-resumpti

on review.

Drew, J. and Tysica, K. 2013. “Preparing for Disaster,”

COBIT 5

Control

Objective Points discussed in article

cost effective

strategy.

the DRP and

BCP.

5. Periodic

review and

update of

plans.

6. Training

7. Document

backup

procedures.

8. Conduct

post-resumptio

n review.

Solution to part b: many actual responses are possible. Two of the most likely

topics are

Need for multiple backup communications plans because primary alternative

Details about how it is possible to recover data that appears to have been

Case 10-2 Debugging Errors in Spreadsheets

Obtain a copy of the article “How to debug Excel spreadsheets” by Rayman Meservy and

Marshall Romney published in the Journal of Accountancy (November 2015), pp. 46-52

from either your school library or from the website www.aicpa.org. The spreadsheet

referenced in the article is available for download from the course website. Download the

spreadsheet and follow along with the steps in the article. Write a report that answers the

following questions (these are not completely answered in the article). Include screenshots

to support your answers. Hint: the questions below are listed in the sequence in which you

will encounter them when working through the steps described in the article.

1. How do you know when the “Trace Precedents” rule has located the cell that contains the

source of a chain of errors?

2. Which cells are affected by the error in cell AL4?

3. Explain the nature of the circular reference in the original formula in cell AB6.

4. When you used the “Error Checking” tool, which cells did Excel find? For which of those

cells did Excel suggest the correct solution? For which cells did you decide to ignore Excel’s

error message? Why?

5. In the section “Other Error-Checking Tips” the article points out that the formula for

dropping the lowest score ignores blanks. Instead of doing the nonpermanent solution

described in the article, create a permanent solution that will successfully handle any

future missing quizzes or assignments (i.e., fix the formula so that it will correctly drop a

blank cell instead of the lowest non-blank cell).

6. Write a data validation rule that would prevent the kind of error that exists in cell U53,

so that you do not have to rely on manually identifying such an error and manually

correcting it.

7. The final paragraph of the section “Other Error-Checking Tips” asks whether there

remain any other cells that have values amid a column of formulas. Did you find any?

8. The final section of the article asks you to examine the formulas to see if they are correct.

Did you find any logic errors? Explain.

Solution:

1. When clicking on “Trace Precedents” does not change the red arrow line, you know you have

2. Cells BB4, AL60, AL62, AL63, and AL64 are all directly affected by the error in AL4. In turn,

3. The formula tries to identify the smallest number in a range that includes itself (i.e., the

4. The “errors” in column BC can be ignored because they are not really errors. The problem is

5. One possible solution involves the countblank function, which looks for blank cells. If it finds

two or more in a row, then you don’t drop any scores. If it finds one, you would then only drop

the lowest numeric score. If it finds zero, then you drop the two lowest scores. Here is how the

resulting formula in column AC (total points) would look:

6. If all the input cells for the quizzes had a data validation rule that said it had to be whole

7. Depending upon whether the student corrected the problem in cell BB42, that cell may still be

8. The total points possible (cell AC58) shows 200, after dropping the two lowest scores.