Chapter 15IT Controls Part I: Sarbanes-Oxley and IT Governance

TRUE/FALSE
1. Corporate management (including the CEO) must certify monthly and annually their organizations
internal controls over financial reporting.
ANS: F
2. Both the SEC and the PCAOB requires management to use the COBIT framework for assessing
internal control adequacy.
ANS: F
3. Both the SEC and the PCAOB requires management to use the COSO framework for assessing
internal control adequacy.
ANS: F
4. A qualified opinion on managements assessment of internal controls over the financial reporting
system necessitates a qualified opinion on the financial statements?
ANS: F
5. The same internal control objectives apply to manual and computer-based information systems.
ANS: T
6. To fulfill the segregation of duties control objective, computer processing functions (like authorization
of credit and billing) are separated.
ANS: F
7. To ensure sound internal control, program coding and program processing should be separated.
ANS: T
8. Some systems professionals have unrestricted access to the organization's programs and data.
ANS: T
9. Application controls apply to a wide range of exposures that threaten the integrity of all programs
processed within the computer environment.
ANS: F
10. The Database Administrator should be separated from systems development.
ANS: T
11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster.

ANS: T
12. IT auditing is a small part of most external and internal audits.
ANS: F
13. Assurance services is an emerging field that goes beyond the auditors traditional attestation function.
ANS: T
14. An IT auditor expresses an opinion on the fairness of the financial statements.
ANS: F
15. External auditing is an independent appraisal function established within an organization to examine
and evaluate its activities as a service to the organization.
ANS: F
16. External auditors can cooperate with and use evidence gathered by internal audit departments that are
organizationally independent and that report to the Audit Committee of the Board of Directors.
ANS: T
17. Tests of controls determine whether the database contents fairly reflect the organization's transactions.
ANS: F
18. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements
that are materially misstated.
ANS: T
19. A strong internal control system will reduce the amount of substantive testing that must be performed.
ANS: T
20. Substantive testing techniques provide information about the accuracy and completeness of an
application's processes.
ANS: F
MULTIPLE CHOICE
1. Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine, whether changes in internal control has, or is likely to,
materially affect internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or
operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their
organizations internal controls over financial reporting.
d. Management must disclose any material changes in the companys internal controls that
have occurred during the most recent fiscal quarter.

ANS: C
2. Which of the following is NOT a requirement in managements report on the effectiveness of internal
controls over financial reporting?
a. A statement of managements responsibility for establishing and maintaining adequate
internal control user satisfaction.
b. A statement that the organizations internal auditors has issued an attestation report on
managements assessment of the companies internal controls.
c. A statement identifying the framework used by management to conduct their assessment
of internal controls.
d. An explicit written conclusion as to the effectiveness of internal control over financial
reporting.
ANS: B
3. In a computer-based information system, which of the following duties needs to be separated?
a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated
ANS: D
4. Supervision in a computerized environment is more complex than in a manual environment for all of
the following reasons except
a. rapid turnover of systems professionals complicates management's task of assessing the
competence and honesty of prospective employees
b. many systems professionals have direct and unrestricted access to the organization's
programs and data
c. rapid changes in technology make staffing the systems environment challenging
d. systems professionals and their supervisors work at the same physical location
ANS: D
5. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes
ANS: B
6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian
ANS: A
7. Systems development is separated from data processing activities because failure to do so
a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during
execution
c. results in inadequate documentation

d. results in master files being inadvertently erased

ANS: B
8. Which organizational structure is most likely to result in good documentation procedures?
a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing
ANS: A
9. All of the following are control risks associated with the distributed data processing structure except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards
ANS: C
10. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified
ANS: B
11. A second site backup agreement between two or more firms with compatible computer facilities to
assist each other with data processing needs in an emergency is called
a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact
ANS: D
12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical
applications of the disaster stricken company
b. intense competition for shell resources during a widespread disaster
c. maintenance of excess hardware capacity
d. the control of the shell site is an administrative drain on the company
ANS: B
13. An advantage of a recovery operations center is that
a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center
ANS: B
14. For most companies, which of the following is the least critical application for disaster recovery
purposes?

a.
b.
c.
d.

month-end adjustments
accounts receivable
accounts payable
order entry/billing

ANS: A
15. The least important item to store off-site in case of an emergency is
a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program
ANS: D
16. Some companies separate systems analysis from programming/program maintenance. All of the
following are control weaknesses that may occur with this organizational structure except
a. systems documentation is inadequate because of pressures to begin coding a new program
before documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long
period of time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job
security to the programmer
ANS: C
17. All of the following are recommended features of a fire protection system for a computer center except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations
ANS: B
18. Which concept is not an integral part of an audit?
a. evaluating internal controls
b. preparing financial statements
c. expressing an opinion
d. analyzing financial data
ANS: B
19. Which statement is not true?
a. Auditors must maintain independence.
b. IT auditors attest to the integrity of the computer system.
c. IT auditing is independent of the general financial audit.
d. IT auditing can be performed by both external and internal auditors.
ANS: C
20. Typically, internal auditors perform all of the following tasks except
a. IT audits
b. evaluation of operational efficiency
c. review of compliance with legal obligations
d. internal auditors perform all of the above tasks

ANS: D
21. The fundamental difference between internal and external auditing is that
a. internal auditors represent the interests of management and external auditors represent
outsiders
b. internal auditors perform IT audits and external auditors perform financial statement audits
c. internal auditors focus on financial statement audits and external auditors focus on
operational audits and financial statement audits
d. external auditors assist internal auditors but internal auditors cannot assist external
auditors
ANS: A
22. Internal auditors assist external auditors with financial audits to
a. reduce audit fees
b. ensure independence
c. represent the interests of management
d. the statement is not true; internal auditors are not permitted to assist external auditors with
financial audits
ANS: A
23. Which statement is not correct?
a. Auditors gather evidence using tests of controls and substantive tests.
b. The most important element in determining the level of materiality is the mathematical
formula.
c. Auditors express an opinion in their audit report.
d. Auditors compare evidence to established criteria.
ANS: B
24. All of the following are steps in an IT audit except
a. substantive testing
b. tests of controls
c. post-audit testing
d. audit planning
ANS: C
25. When planning the audit, information is gathered by all of the following methods except
a. completing questionnaires
b. interviewing management
c. observing activities
d. confirming accounts receivable
ANS: D
26. Substantive tests include
a. examining the safety deposit box for stock certificates
b. reviewing systems documentation
c. completing questionnaires
d. observation
ANS: A

27. Tests of controls include

a. confirming accounts receivable
b. counting inventory
c. completing questionnaires
d. counting cash
ANS: C
28. All of the following are components of audit risk except
a. control risk
b. legal risk
c. detection risk
d. inherent risk
ANS: B
29. Control risk is
a. the probability that the auditor will render an unqualified opinion on financial statements
that are materially misstated
b. associated with the unique characteristics of the business or industry of the client
c. the likelihood that the control structure is flawed because controls are either absent or
inadequate to prevent or detect errors in the accounts
d. the risk that auditors are willing to take that errors not detected or prevented by the control
structure will also not be detected by the auditor
ANS: C
30. All of the following tests of controls will provide evidence about the physical security of the computer
center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center
ANS: C
31. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery
plan except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team
ANS: B
32. Which of the following is true?
a. In the CBIS environment, auditors gather evidence relating only to the contents of
databases, not the reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of
information systems.
c. Substantive tests establish whether internal controls are functioning properly.
d. IT auditors prepare the audit report if the system is computerized.
ANS: B
33. Inherent risk

a.
b.
c.
d.

exists because all control structures are flawed in some ways.

is the likelihood that material misstatements exist in the financial statements of the firm.
is associated with the unique characteristics of the business or industry of the client.
is the likelihood that the auditor will not find material misstatements.

ANS: C
34. Attestation services require all of the following except
a. written assertions and a practitioners written report
b. the engagement is designed to conduct risk assessment of the clients systems to verify
their degree of SOX compliance
c. the formal establishment of measurements criteria
d. the engagement is limited to examination, review, and application of agreed-upon
procedures
ANS: B
35. The financial statement of an organization reflects a set of management assertions about the financial
health of the business. All of the following described types of assertions except
a. that all of the assets and equities on the balance sheet exist
b. that all employees are properly trained to carry out their assigned duties
c. that all transactions on the income statement actually occurred
d. that all allocated amounts such as depreciation are calculated on a systematic and rational
basis
ANS: B
SHORT ANSWER
1. Which of the following statements is true?
a. Both the SEC and the PCAOB requires the use of the COSO framework
b.Both the SEC and the PCAOB requires the COBIT framework
c. The SEC recommends COBIT and the PCAOB recommends COSO
d.Any framework can be used that encompass all of COSOs general themes
ANS:
Both c and d above are true.
2. COSO identifies two broad groupings of information system controls. What are they?
ANS:
general; application
3. The Sarbanes-Oxley Act contains many sections. Which sections are the focus of this chapter?
ANS:
The chapter concentrate on internal control and audit responsibilities pursuant to Sections 302 and 404.
4. What control framework is recommended by the PCAOB?
ANS:
The PCAOBs Auditing Standard No. 2 endorses the use of COSO as the framework for control
assessment.

5. What are the objectives of application controls?

ANS:
The objectives of application controls are to ensure the validity, completeness, and accuracy financial
transactions.
6. Define general controls.
ANS:
General controls apply to all systems. They are not application specific. General controls include
controls over IT governance, the IT infrastructure, security and access to operating systems and
databases, application acquisition and development, and program changes.
7. Discuss the key features of Section 302 of the Sarbanes-Oxley Act.
ANS:
Section 302 requires that corporate management (including the CEO) certify quarterly and annually
their organizations internal controls over financial reporting. The certifying officers are required to:
a.
have designed internal controls
b. they must disclose any material changes in the companys internal controls
that have occurred during the most recent fiscal quarter.
8. What the three primary CBIS functions that must be separated?
ANS:
Programming should be separated from computer operations
Programming maintenance should be separated from new systems development.
End users should be separate from systems design.
9. List three pairs of system functions that should be separated in the centralized computer services
organization. Describe a risk exposure if the functions are not separated.
Functions to Separate

Risk Exposure

__________________________

__________________________

__________________________

__________________________

__________________________

__________________________

ANS:
separate systems development from data processing operations (unauthorized changes to application
programs during execution),
separate database administrator from systems development (unauthorized access to database files),
separate new systems development from systems maintenance (writing fraudulent code and keeping it
concealed during maintenance),
separate data library from computer operations (loss of files or erasing current files)
10. For disaster recovery purposes, what criteria are used to identify an application or data as critical?
ANS:
Critical application and files are those that impact the short-run survival of the firm. Critical items
impact cash flows, legal obligations, and customer relations.

11. Describe the components of a disaster recovery plan.

ANS:
Every disaster recovery plan should:
designate a second site backup
identify critical applications
prepare backup and off-site storage procedures
create a disaster recovery team
test the disaster recovery plan
12. What is a mirrored data center?
ANS:
Duplicating programs and data onto a computer at a separate location. Mirroring is performed for
backup purposes.
13. Why is supervisory control more elaborate in the CBIS environment than in the manual environment?
ANS:
The required skills of systems professionals lead to high rates of turnover. Systems professionals work
in areas that permit direct and unrestricted access to the organizations programs and data. Management
is unable to adequately observe employees in the CBIS environment.
14. What are some control implications of the distributed data processing model?
ANS:
Control issues of the DDP model include incompatibility of hardware and software purchased without
coordination, redundancy of work with different units duplicating effort, incompatible duties because
of consolidation in small units, difficulty acquiring qualified personnel, and lack of standards.
15. What is program fraud?
ANS:
Program fraud involves making unauthorized changes to parts of a program for the purpose of
committing an illegal act.
16. The distributed data processing approach carries some control implications of which accountants
should be aware. Discuss two.
ANS:
Incompatibility of hardware and software, selected by users working independently, can result in
system incompatibility that can affect communication.
When individuals in different parts of the organization do their own thing, there can be significant
redundancy between units.
When user areas handle their own computer services functions, there may be a tendency to consolidate
incompatible activities.
Small units may lack the ability to evaluate systems professionals and to provide adequate
opportunities and may therefore have difficulty acquiring qualified professionals.
As the number of units handling systems tasks, there is an increasing chance that the systems will lack
standards.
17. __________________________ are intentional mistakes while __________________________ are
unintentional mistakes.

ANS:
Irregularities, Errors
18. Explain the relationship between internal controls and substantive testing.
ANS:
The stronger the internal controls, the less substantive testing must be performed.
19. Discuss the interrelationship of tests of controls, audit objectives, exposures, and existing controls.
ANS:
During the risk analysis phase of the audit, the auditor develops an understanding of the exposures that
threaten the firm and about the existing controls. Based on that understanding, the auditor develops
audit objectives. From the audit objectives the auditor designs and performs tests of controls.
20. Distinguish between errors and irregularities. Which do you think concern the auditors the most?
ANS:
Errors are unintentional mistakes; while irregularities are intentional misrepresentations to perpetrate a
fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable
enough to cause the financial statements to be materially misstated. Processes which involve human
actions will contain some amount of human error. Computer processes should only contain errors if the
programs are erroneous, or if systems operating procedures are not being closely and competently
followed. Errors are typically much easier to uncover than misrepresentations, thus auditors typically
are more concerned whether they have uncovered any and all irregularities.
21. Describe two tests that an auditor would perform to ensure that the disaster recovery plan is adequate.
ANS:
review second site backup plan, critical application list, and off-site backups of critical libraries,
applications and data files; ensure that backup supplies, source documents and documentation are
located off-site; review which employees are members of disaster recovery team
22. Distinguish between inherent risk and control risk. How do internal controls and detection risk fit in?
ANS:
Inherent risk is associated with the unique characteristics of the business or industry of the client.
Firms in declining industries are considered to have more inherent risk than firms in stable or thriving
industries. Control risk is the likelihood that the control structure is flawed because internal controls
are either absent or inadequate to prevent or detect errors in the accounts. Internal controls may be
present in firms with inherent risk, yet the financial statements may be materially misstated due to
circumstances outside the control of the firm, such as a customer with unpaid bills on the verge of
bankruptcy. Detection risk is the risk that auditors are willing to accept that errors are not detected or
prevented by the control structure. Typically, detection risk will be lower for firms with higher inherent
risk and control risk.
23. Contrast internal and external auditing.
ANS:

Internal auditing is an independent appraisal function established within an organization to examine

and evaluate its activities as a service to the organization. External auditing is often called
"independent auditing" because it is done by certified public accountants who are independent of the
organization being audited. This independence is necessary since the external auditors represent the
interests of third-party stakeholders such as shareholders, creditors, and government agencies.
24. What are the components of audit risk?
ANS:
Inherent risk is associated with the unique characteristics of the business itself; control risk is the
likelihood that the control structure is flawed because controls are absent or inadequate; and detection
risk is the risk that auditors are willing to take that errors will not be detected by the audit.
25. How do the tests of controls affect substantive tests?
ANS:
Tests of controls are used by the auditor to measure the strength of the internal control structure. The
stronger the internal controls, the lower the control risk, and the less substantive testing the auditor
must do.
26. What is an auditor looking for when testing computer center controls?
ANS:
When testing computer center controls, the auditor is trying to determine that the physical security
controls are adequate to protect the organization from physical exposures, that insurance coverage on
equipment is adequate, that operator documentation is adequate to deal with operations and failures,
and that the disaster recovery plan is adequate and feasible.
27. Define and contrast attestation services and assurance services.
ANS:
Attest services are engagements in which a practitioner is engaged to issue, or does issue, a written
communication that expresses a conclusion about the reliability of a written assertion that is the
responsibility of another party, e.g., the financial statements prepared by an organization.
Assurance services are professional services that are designed to improve the quality of information,
both financial and non-financial, used by decision makers. The domain of assurance services is
intentionally unbounded.
ESSAY
1. Discuss the key features of Section 404 of the Sarbanes-Oxley Act
ANS:
Section 404 requires the management of public companies to assess the effectiveness of their
organizations internal controls over financial reporting and provide an annual report addressing the
following points: 1) A statement of managements responsibility for establishing and maintaining
adequate internal control. 2) An assessment of the effectiveness of the companys internal controls
over financial reporting. 3) A statement that the organizations external auditors has issued an
attestation report on managements assessment of the companies internal controls. 4) An explicit
written conclusion as to the effectiveness of internal control over financial reporting. 6) A statement
identifying the framework used by management to conduct their assessment of internal controls.

2. Section 404 requires management to make a statement identifying the control framework used to
conduct their assessment of internal controls. Discuss the options in selecting a control framework.
ANS:
The SEC has made specific reference to the Committee of the Sponsoring Organizations of the
Treadway Commission (COSO) as a recommended control framework. Furthermore, the PCAOBs
Auditing Standard No. 2 endorses the use of COSO as the framework for control assessment. Although
other suitable frameworks have been published, according to Standard No. 2, any framework used
should encompass all of COSOs general themes.
3. Explain how general controls impact transaction integrity and the financial reporting process.
ANS:
Consider an organization with poor database security controls. In such a situation, even data processed
by systems with adequate built in application controls may be at risk. An individual who can
circumvent database security, may then change, steal, or corrupt stored transaction data. Thus, general
controls are needed to support the functioning of application controls, and both are needed to ensure
accurate financial reporting.
4. Prior to SOX, external auditors were required to be familiar with the client organizations internal
controls, but not test them. Explain.
ANS:
Auditors had the option of not relying on internal controls in the conduct of an audit and therefore did
not need to test them. Instead auditors could focus primarily of substantive tests. Under SOX,
management is required to make specific assertions regarding the effectiveness of internal controls. To
attest to the validity of these assertions, auditors are required to test the controls.
5. Does a qualified opinion on managements assessment of internal controls over the financial reporting
system necessitate a qualified opinion on the financial statements? Explain.
ANS:
No. Auditors are permitted to simultaneously render a qualified opinion on managements assessment
of internal controls and an unqualified opinion on the financial statements. In other words, it is
technically possible for auditors to find internal controls over financial reporting to be weak, but
conclude through substantive tests that the weaknesses did not cause the financial statements to be
materially misrepresented.
6. The PCAOBs standard No. 2 specifically requires auditors to understand transaction flows in
designing their test of controls. What steps does this entail?
ANS:
This involves:
1. Selecting the financial accounts that have material implications for financial reporting. 2. Identify
the application controls related to those accounts. As previously noted, the 3. Identify the general that
support the application controls.
The sum of these controls, both application and general, constitute the relevant internal controls over
financial reporting that need to be reviewed.
7. What fraud detection responsibilities (if any) are imposed on auditors by SOX.
ANS:

Standard No. 2 places new responsibility on auditors to detect fraudulent activity. The standard
emphasizes the importance of controls designed to prevent or detect fraud that could lead to material
misstatement of the financial statements. Management is responsible for implementing such controls
and auditors are expressly required to test them.
8. Describe how a Corporate Computer Services Function can overcome some of the problems associated
with distributed data processing.
ANS:
The Corporate Computer Services Function may provide the following technical advice and expertise
to distributed data processing units:
central testing of commercial software and hardware;
installation of new software;
trouble-shooting hardware and software problems;
technical training;
firm-wide standard setting for the systems area; and
performance evaluation of systems professionals.
9. Discuss the advantages and disadvantages of the second site backup options.
ANS:
Second site backups include mutual aid pacts, empty shell, recovery operations center, and internally
provided backups.
Mutual Aid Pacts
Advantages
Inexpensive
Disadvantages
May encounter reluctance to share facilities during an emergency
Empty Shell
Advantages
Disadvantages

Inexpensive
Extended time lag between disaster and initial recovery
May encounter competition among users for shell resources

Recovery Operations Center

Advantages
Rapid initial recovery
Disadvantages
Expensive
Internally Provided Backups
Advantages
Controlled by the firm
Compatibility of hardware and software
Rapid initial recovery
Disadvantages
Expense of maintaining excess capacity year round
10. Internal control in a computerized environment can be divided into two broad categories. What are
they? Explain each.
ANS:
Internal controls can be divided into two broad categories. General controls apply to all or most of a
system to minimize exposures that threaten the integrity of the applications being processed. These
include operating system controls, data management controls, organizational structure controls, system
development controls, system maintenance controls, computer center security, Internet and Intranet
controls, EDI controls, and PC controls. Application controls focus on exposures related to specific
parts of the system: payroll, accounts receivable, etc.

11. Auditors examine the physical environment of the computer center as part of their audit. Many
characteristics of computer centers are of interest to auditors. What are they? Discuss.
ANS:
The characteristics of computer centers that are of interest of auditors include: physical location
because it affects the risk of disasterit should be away from man-made and natural hazards;
construction of the computer center should be sound; access to the computer center should be
controlled; air-conditioning should be adequate given the heat generated by electronic equipment and
the failure that can result from over-heating; fire suppression systems are critical; and adequate power
supply is needed to ensure service.
12. Explain why certain duties that are deemed incompatible in a manual system may be combined in a
CBIS environment? Give an example.
ANS:
In a CBIS environment it would be inefficient and contrary to the objectives of automation to separate
such tasks and processing and recoding a transaction among several different application programs
merely to emulate a manual control model. Further, the reason for separating tasks is to control against
the negative behavior of humans; in a CBIS the computer performs the tasks not humans.
13. Compare and contrast the following disaster recovery options: mutual aid pact, empty shell, recovery
operations center, and internally provided backup. Rank them from most risky to least risky, as well as
most costly to least costly.
ANS:
A mutual aid pact requires two or more organizations to agree and trust one another to aid each other
with their data processing needs in the event of a disaster. This method is the lowest cost, but also
somewhat risky for two reasons. First, the host company must be trusted to scale back its own
processing in order to process the transactions of the disaster-stricken company. Second, the two or
more firms must not be affected by the same disaster or the plan fails. The next lowest cost method is
internally provided backup. With this method, organizations with multiple data processing centers may
invest in internal excess capacity and support themselves in the case of disaster in one data processing
center. This method is not as risky as the mutual aid pact because reliance on another organization is
not a factor. In terms of cost, the next highest method is the empty shell where two or more
organizations buy or lease space for a data processing center. The space is made ready for computer
installation; however, no computer equipment is installed. This method requires lease or mortgage
payments, as well as payment for air conditioning and raised floors. The risk of this method is that the
hardware, software, and technicians may be difficult, if not impossible, to have available in the case of
a natural disaster. Further, if multiple members' systems crash simultaneously, an allocation problem
exists. The method with lowest risk and also the highest cost is the recovery operations center. This
method takes the empty shell concept one step further - the computer equipment is actually purchased
and software may even be installed. Assuming that this site is far enough away from the disasterstricken area not to be affected by the disaster, this method can be a very good safeguard.
14. What is a disaster recovery plan? What are the key features?
ANS:
A disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and
after a disaster, along with documented, tested procedures that will ensure the continuity of operations.
The essential features are: providing second site backup, identifying critical applications, backup and
off-site storage procedures, creating a disaster recovery team, and testing the disaster recovery plan.