You are an information systems auditor in a firm of external auditors that has just been appointed to undertake the audit of Second Sunstate, a mediumsized bank located in Orlando, Florida. As part of your efforts to gain familiarity with Second Sunstate's computer systems, you are currently investigating backup and recovery controls. In particular, you are seeking information on off-site storage of backup.

When you question the information systems manager about backup procedures, he informs you that the operations staff makes a full backup of files each day on magnetic tape. The backup is commenced around 11:00 PM during a quiet period of operations. Operators store the backup in the tape library, which is a locked room close to the computer room. The library is managed by a part-time clerk, who also works part-time for the bank's loans department. Each day the clerk collects the backup and takes it to another bank located several miles away. This bank in turn brings its backup each day to Second Sunstate for safe storage in the file library. They give their backup to an operator who places it in the file library.

When you ask if you can see the file library, the information systems manager gives you a key and says to "help yourself." Upon entering the file library room, you discover it is in a very untidy state. A large number of tapes have been stacked on the floor. When you look at these tapes, they appear to contain backup files created on various days over the past two weeks. In addition, the other bank's backup tapes are intermingled with Second Sunstate's backup tapes. There are also a large number of unlabeled tapes in tape racks and on the floor.

On a desk, you also notice a folder which seems to be a record of all tapes held by Second Sunstate and their location. Upon inspecting entries in the folder, you find that many are incomplete. Moreover, no entries seem to have been made in the past few days.

Subsequently you interview the clerk responsible for the file library and express concerns about your findings. He shrugs at your concerns and complains that he is overworked. He says he has had to work large amounts of overtime in the loans department and that he does not have time to attend to his file library functions each day. He has informed the loans manager about the problem, but nothing has been done. In any event, he points out that the backup tapes have never had to be used to his knowledge, so he considers his file librarian duties to be a lower priority than his loans duties.

Required. In light of your findings so far, what exposures does Second Sunstate face? What recommendations, if any, would you give to your partner in terms of how the current audit of Second Sunstate should be altered to take into account your findings?