A service organization provides a real-time transaction processing platform. The service level agreement (SLA) guarantees a Recovery Point Objective (RPO) of 15 minutes. The auditor discovers that the organization performs full backups nightly at midnight and ships tapes to offsite storage daily. No other backup mechanisms are in place. What is the auditor's conclusion?

Answer options:

The control is effective because full backups capture all data.

The control is effective provided the tapes are encrypted.

The control is deficient because tape storage is obsolete.

The control is deficient because the backup frequency cannot support the RPO.

How to approach this question

Compare the RPO (maximum acceptable data loss) with the backup frequency. 15 minutes vs. 24 hours.

Full Answer

D.The control is deficient because the backup frequency cannot support the RPO.✓ Correct

RPO (Recovery Point Objective) defines the maximum age of files that must be recovered from backup storage for normal operations to resume. A 24-hour backup cycle supports an RPO of 24 hours, not 15 minutes. Real-time replication or transaction log backups would be needed.

Common mistakes

Confusing RPO (data loss) with RTO (time to restore).

Question 02 All questions Question 04

Practice the full CPA ISC Practice Exam

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is performing a risk assessment for a client that uses a public cloud provider for its core...Hard Q02During a walkthrough of a client's change management process, the auditor notes that developers h...Hard Q04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...Hard Q05A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud dep...Hard Q06An auditor is evaluating the design of a disaster recovery plan (DRP). The organization uses a 'd...Hard

View all 82 questions →