As an organization, you are responsible for the confidentiality, integrity and availability of all documents in your care. Your organization should have formal, routine backup procedures in place to ensure you have access to essential information in the event that your documents, files or even your computer systems are damaged, lost, stolen or otherwise unavailable. The importance of such procedures cannot be overstated, for it is virtually inevitable that at some point you will experience an incident that could affect the information in your care: a computer system may crash, for example, or your electronic documents could be lost or compromised. It is important that a copy of electronic information is maintained for use if the original is lost or damaged. Backups can be compressed to save space and encrypted to add security.
Backups should be performed at a frequency that reflects how often the data changes, usually daily but at a minimum weekly. A good way to determine the proper frequency of backups is to analyze how much data you could afford to lose. A periodic review of backup media should be performed to ensure that the data has been backed up properly. Verification can be performed by looking at the backup to confirm that specific pieces of data are there and can be opened. Backup data should be stored in a physically secured location far enough from the original data that it will not be affected by the same event that could destroy the original data (e.g., flood, fire, theft). Ideally, the backup data should be stored at a location off-site. If backup data cannot be restored, then it is of no value; it is therefore best to run frequent tests to confirm that you can restore data if a loss occurs.
Jeffery W. Patterson, CPA
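
The verification and restore testing described above can be automated. The following is an added example, not part of the original article: it goes beyond spot-checking by recording a SHA-256 hash of every file at backup time and reading each file back out of the archive to compare. The function names, the tar.gz format and the sample files are assumptions made for illustration.

```python
import hashlib, tarfile, tempfile, zlib
from pathlib import Path

def sha256_of(stream, chunk=1 << 16):
    """Hash a readable binary stream in chunks so large files fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def make_backup(source_dir, archive_path):
    """Write a compressed archive; return {relative path: sha256} of the originals."""
    source_dir, manifest = Path(source_dir), {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            with path.open("rb") as fh:
                manifest[rel] = sha256_of(fh)
            tar.add(path, arcname=rel)
    return manifest

def verify_backup(archive_path, manifest):
    """Read every file back out of the archive and compare it with the manifest.
    Returns a sorted list of problems; an empty list means the test passed."""
    problems, seen = [], set()
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                if manifest.get(member.name) != sha256_of(tar.extractfile(member)):
                    problems.append(f"mismatch: {member.name}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"unreadable archive: {exc}")
    problems += [f"missing: {name}" for name in manifest if name not in seen]
    return sorted(problems)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "records")          # constructed sample data
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly close\n")
        archive = Path(tmp, "backup.tar.gz")
        manifest = make_backup(src, archive)
        print(verify_backup(archive, manifest) or "restore test passed")
```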