Cartoon of stressed man in messy office with failing computer saved by a superhero backup drive breaking through window.

The Control You Think You Have Might Not Hold Up

June 30, 2026

The Control You Think You Have Might Not Hold Up

You're doing what responsible firms do.

You have backups.
You have security tools.
You have processes in place.

On paper, everything looks fine.

But here's the gap most firms don't see:

The difference between a control that exists…
and a control that has been proven to work under pressure.

That's where problems show up.

Where the Breakdown Usually Happens

Firms don't ignore risk. They assume controls are working.

What we see in many CPA environments is consistent:

  • Backups are running, but no full restore has been tested
  • Microsoft 365 email or SharePoint isn't included in backup scope
  • Permissions are set, but haven't been validated after a restore
  • Success reports are trusted, but never verified

It all looks stable.

Until you try to use it.

What Firms Assume vs Reality

This is where the disconnect becomes clear.

Assumption | Reality
Backups = protected | Scope gaps are common
Restore = fast | Often hours, not minutes
Permissions persist | Frequently break after restore
"Successful" alerts = reliable | Doesn't prove usability

Most firms aren't wrong.

They just haven't tested the system the way it actually fails.

A Real Scenario Most Firms Recognize

March deadline week.

Your team is deep in UltraTax.
A key return file becomes corrupted.

You go to restore.

What should take 20 minutes stretches into half a day.

Then longer.

Because:

  • The working tax directory wasn't included in the backup
  • Related client documents from SharePoint weren't covered
  • Permissions had to be rebuilt before anyone could access the files

Now your team is recreating work under pressure.

Clients are waiting.

And the issue isn't technical.

It's whether the firm can deliver.

What We Typically Find

Across CPA firms, the patterns are consistent:

  • Backup jobs missing pieces of the environment (email, SharePoint, client portals)
  • Local-only backups without an offsite or immutable copy
  • Restore times far longer than leadership expects
  • Permissions breaking during recovery
  • No audit trail for sensitive file access

This shows up often enough that it should be assumed—not treated as an exception.

What a Successful Restore Actually Looks Like

This is where firms need clarity.

A restore is only successful if it meets specific criteria.

Pass / Fail Criteria

✅ All files restore completely — nothing missing
✅ Restore completes within a defined time window
✅ Permissions remain intact — no manual fixes needed
✅ End users can log in and continue working immediately

❌ Missing data or folders = failure
❌ Restore takes more than 2 hours for a critical system = unacceptable
❌ Permissions require rebuilding = operational risk
❌ No documented process = not a real control

If you can't clearly mark a restore as pass, it's not something you can rely on.

Recovery Benchmarks That Matter

Strong firms don't guess recovery time.

They define it.

  • Critical systems (tax software, shared drives): under 60 minutes
  • File-level restore (single return or folder): under 15 minutes
  • Full environment recovery: under 4 hours

These aren't IT targets.

They're operational expectations.

Anything slower directly impacts deadlines and client trust.

How to Test a Backup (15-Min Version)

You don't need a full audit to get clarity.

Do this with one system:

  1. Pick a critical system
    • UltraTax data, shared drive, or client document storage
  2. Restore it to a separate location
    • Never test in the live environment
  3. Verify:
    • File completeness
    • Timestamps
    • User access
  4. Measure total recovery time
  5. Mark the result:
    • Pass or fail

That one test gives you a real answer.

What to Fix First

When gaps show up, don't try to fix everything.

Prioritize this way:

  1. Backup coverage gaps
    Missing systems create the highest risk
  2. Restore time issues
    Slow recovery breaks operations
  3. Permission integrity problems
    Data without access doesn't help
  4. Audit logging gaps
    No visibility means no accountability

This is how you reduce risk quickly without overcomplicating it.

What Happens When a Test Fails

This is where most firms get stuck.

They identify a gap—but don't act with urgency.

When a test fails:

  • Expand backup scope immediately if data is missing
  • Re-run the test within 48 hours
  • Document the failure and the fix
  • Escalate if recovery time exceeds your defined thresholds

A failed test is not a problem.

An unaddressed failure is.

How Often This Should Be Tested

Testing once doesn't change much.

Consistency does.

  • Monthly: file-level restore
  • Quarterly: full system restore
  • Annually: full environment simulation

That cadence turns this into a real control.

The External Lens: What Auditors and Clients Expect

When an external party evaluates your firm, they aren't asking if controls exist.

They're looking for proof.

They expect to see:

  • Documented restore tests
  • Defined recovery time targets
  • Evidence of repeatability
  • Clear ownership

This level of validation aligns with the expectations firms are held to during audits and data security reviews.

What Documentation Should Actually Look Like

Most firms intend to document.

Very few make it usable.

Here's the minimum:

System: UltraTax shared drive
Last test: [date]
Result: Pass / Fail
Recovery time: [minutes]
Issues: [list]
Owner: [name]
Next test: [date]

If you can't pull this up quickly, the control isn't defensible.

Who Owns This

This only works if someone owns it.

Not a department. A person.

  • IT provider supports the system
  • Internal owner validates the result
  • Partner holds accountability

Without clear ownership, this doesn't get done consistently.

What to Do Next Week

Keep this simple and real:

  1. Choose one critical system
  2. Schedule 30 minutes
  3. Assign a single owner
  4. Run a restore test
  5. Record:
    • Time to recovery
    • Pass/fail result
    • Any gaps
  6. Fix the first issue immediately

That's enough to move from assumption to control.

Closing Thought

You've already built something your clients rely on.

This isn't about adding more tools.

It's about proving what you already have will hold when it matters.

That's what actually protects the firm.

CTA

Schedule your 10 minute discovery call to validate whether your current controls actually hold up under scrutiny. We'll test one point together so you can see where you stand before this turns into a bigger problem. 911 IT

Schedule your 10-minute discovery call

 

Recent Articles

Cartoon dentist panics as his dental office freezes over with icicles and visitors look shocked through the window.

The Hidden Risk Inside Your Practice That No One Is Talking About

 Stressed office worker presses emergency button as computer smokes and explodes with files flying around.

The Recovery Problem Most CPA Firms Think They’ve Solved

 Stressed man at cluttered desk surprised by a superhero external hard drive emerging from a safe with a USB plug.

The Backup Problem Most CPA Firms Only Discover When It’s Too Late