Accounting Information Systems
10-52
Solution: This formula in the “Valid? (Y/N)” column will test any six-digit account
number:
=IF(H20=MOD(((C20*5)+(D20*4)+(E20*3)+(F20*2)+G20),7),”Y”,”N”)
“First digit” column: =VALUE(LEFT(B20))
“Second digit” column: =VALUE(LEFT(RIGHT(B20,5)))
“Third digit” column: =VALUE(LEFT(RIGHT(B20,4)))
“Fourth digit” column: =VALUE(LEFT(RIGHT(B20,3)))
“Fifth digit” column: =VALUE(LEFT(RIGHT(B20,2)))
“Check digit” column: =VALUE(RIGHT(B20))
Accounting Information
Systems
10-53
10. 11 For each of the following scenarios, determine whether the company’s current
backup procedures enable it to meet its recovery objectives and explain why:
a. Scenario 1:
• Recovery point objective = 24 hours
• Daily backups at 3:00 am, process takes 2 hours
• Copy of backup tapes picked up daily at 8:00 am for storage off-site
Solution: No. Many companies make two backup copies – one to keep locally and
one to store offsite. If a fire or similar event destroyed the data center on a weekday
b. Scenario 2: Company makes daily incremental backups Monday-Saturday at
7:00 pm each night. Company makes full backup weekly, on Sunday at 1:00 pm.
• Recovery time objective = 2 hours
• Time to do full backup = 3 hours
c. Scenario 3: Company makes daily differential backups Monday-Friday at 8:00
p.m each night. Company makes full backup weekly, on Saturdays, at 8:00 am.
• Recovery time objective = 6 hours
Ch. 10: Information Systems Controls for Systems Reliability – Part 3: Processing Integrity and
Availability
10-54
• Time to do differential daily backups = 1 hour on Monday, increasing by 30
minutes each successive day
• Time to restore differential daily backup = 30 minutes for Monday,
increasing by 15 minutes each successive day
Solution: Yes. Even if a disaster happened early Saturday morning (say at 3:00 am)
Accounting Information
Systems
10-55
SUGGESTED ANSWERS TO THE CASES
Case 10-1 Ensuring Systems Availability
The Journal of Accountancy (available at www.aicpa.org) has published a series of articles
that address different aspects of disaster recovery and business continuity planning:
1. Gerber, J. A., and Feldman, E. R. 2002. “Is Your Business Prepared for the Worst?”
Journal of Accountancy (April): 61-64.
Ch. 10: Information Systems Controls for Systems Reliability – Part 3: Processing Integrity and
Availability
10-56
1. What does COBIT suggest as possible metrics for evaluating how well an
organization is achieving the objective of DS4? Why do you think that metric is
useful?
Proposed Metric
Why useful
Number of hours lost per user per
month due to unplanned outages
well it is fulfilling its contractual
obligations
which there is no DRP or BCP. This is
a warning sign of potential risks.
• High level measure of availability
reflecting overall success
• Need to subtract any planned downtime
Percent of tests that achieve recovery
objectives
• Evaluates performance of testing the
DRP and BCP (detective measure that
identifies areas in need of
improvement)
Frequency of service interruption of
critical systems
• Another measure of overall
performance. Helps interpret the hours
lost metric – (e.g., did the organization
have just one or two major problems or
many smaller ones?)
Accounting Information
Systems
10-57
2. For each article assigned by your professor, complete the following table,
summarizing what each article said about a specific COBIT control objective (an
article may not address all 10 control objectives in DS4):
Solution: Answers will vary, but should include at least the following:
Gerber, J. A., and Feldman, E. R. 2002. “Is Your Business Prepared for the Worst?”
COBIT
Control
Objective
Points discussed in article
DS4.1
DS4.2
Who should be involved in developing the framework and plan
DS4.3
Discusses how details of the plans will differ depending upon the nature of
the organization’s business operations
DS4.4
Lists who should be involved in developing the framework and plan
DS4.5
Need to do simulations and other tests
DS4.6
Practice the plans and everyone’s roles
DS4.7
Make sure everyone understands the plan
DS4.8
Plans should specify how to recover from the disaster and resume
operations
DS4.9
DS4.10
McCarthy, E. 2004. “The Best–Laid Plans,” Journal of Accountancy (May):
COBIT
Control
Objective
Points discussed in article
DS4.1
DS4.2
DS4.3
How to prioritize what needs to be protected and how to protect
DS4.4
Need to update the plan
DS4.5
How to test plans – specific things to do/consider for scenario tests
DS4.6
Review the test results with employees to identify what worked, what didn’t
DS4.7
DS4.8
DS4.9
Checklist of how to do backups, where to store, etc.
DS4.10
Importance of periodically reviewing the plans and updating
Ch. 10: Information Systems Controls for Systems Reliability – Part 3: Processing Integrity and
Availability
10-58
Myers, R. 2006. “Katrina’s Harsh Lessons,” Journal of Accountancy (June):
COBIT
Control
Objective
Points discussed in article
DS4.1
Reviews different types of plans and what each contains
DS4.2
DS4.3
DS4.4
DS4.5
Need to test the plan at least annually
DS4.6
Divide responsibilities across employees and practice
DS4.7
Importance of communications procedures – and specific recommendations
of how to ensure you can do this
DS4.8
Specific steps for how to recover data after floods, fires, etc.
DS4.9
Examples of why you need off-site backup copies
DS4.10
Phelan, S., and Hayes, M. 2003. “Before the Deluge – and After,”
COBIT
Control
Objective
Points discussed in article
DS4.1
Involve senior management in developing the plans
infrastructure
Examples of the benefits of having a plan so can be prepared
DS4.3
Specific examples of the kinds of information assets that need to backup
DS4.4
DS4.5
DS4.6
Communication methods discussed
DS4.7
DS4.8
Detailed side-bar on how to actually recover data/information in various
situations
DS4.9
DS4.10
Accounting Information
Systems
10-59
Case 10-2 Change Controls
Read section AI6 in version 4.1 of COBIT (available at www.isaca.org) and
answer the following questions:
1. What is the purpose of each detailed control objective – why is it
important?
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all requests
(including maintenance and patches) for changes to applications, procedures, processes, system
AI6.2 Impact Assessment, Prioritisation and Authorisation
Assess all requests for change in a structured way to determine the impact on the operational
system and its functionality. Ensure that changes are categorised, prioritised and authorised.
Reason it is important
• Proactive analysis of proposed changes reduces the risk of making changes
that negatively affect system performance and availability.
AI6.3 Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorising
emergency changes that do not follow the established change process.
Reason it is important
• Emergency changes occur in response to problems or incidents. It is often
important to resolve the problem quickly by implementing a change without
Ch. 10: Information Systems Controls for Systems Reliability – Part 3: Processing Integrity and
Availability
10-60
Reason it is important
• Employees will not abide by change control procedures if they do not
receive prompt feedback on requests.
AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and
procedures accordingly.
2. How is each of the suggested metrics useful?
Suggested metric
Why useful
Number of disruptions or
data errors caused by
inaccurate specifications or
incomplete impact
assessments
• Overall measure of effectiveness of
change controls in preventing problems
Accounting Information
Systems
10-61
Number of backlogged
change request
• Efficiency measure for DS6.4
Percent of changes
recorded and tracked with
automated tools
• Compliance with change control
processes requires timely feedback on
requests. This metric assesses
efficiency of DS6.4
Number of different
versions of each business
application or
infrastructure being
• Measures compliance with change
control process – higher scores here
suggest lack of standard procedures and
numerous ad hoc changes
Percent of unsuccessful