Chapter 15—IT Controls Part I: Sarbanes-Oxley and IT Governance
TRUE/FALSE
1. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting.
ANS: F

2. Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal control adequacy.
ANS: F

3. Both the SEC and the PCAOB require management to use the COSO framework for assessing internal control adequacy.
ANS: F

4. A qualified opinion on management's assessment of internal controls over the financial reporting system necessitates a qualified opinion on the financial statements.
ANS: F

5. The same internal control objectives apply to manual and computer-based information systems.
ANS: T

6. To fulfill the segregation of duties control objective, computer processing functions (like authorization of credit and billing) are separated.
ANS: F

7. To ensure sound internal control, program coding and program processing should be separated.
ANS: T

8. Some systems professionals have unrestricted access to the organization's programs and data.
ANS: T

9. Application controls apply to a wide range of exposures that threaten the integrity of all programs processed within the computer environment.
ANS: F

10. The Database Administrator should be separated from systems development.
ANS: T

11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster.
ANS: T

12. IT auditing is a small part of most external and internal audits.
ANS: F

13. Assurance services is an emerging field that goes beyond the auditor's traditional attestation function.
ANS: T

14. An IT auditor expresses an opinion on the fairness of the financial statements.
ANS: F

15. External auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
ANS: F

16. External auditors can cooperate with and use evidence gathered by internal audit departments that are organizationally independent and that report to the Audit Committee of the Board of Directors.
ANS: T

17. Tests of controls determine whether the database contents fairly reflect the organization's transactions.
ANS: F

18. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated.
ANS: T

19. A strong internal control system will reduce the amount of substantive testing that must be performed.
ANS: T

20. Substantive testing techniques provide information about the accuracy and completeness of an application's processes.
ANS: F

MULTIPLE CHOICE
1. Which of the following is NOT an implication of Section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine whether changes in internal control have, or are likely to, materially affect internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting.
d.
ANS: C

2. Which of the following is NOT a requirement in management's report on the effectiveness of internal controls over financial reporting?
a. A statement of management's responsibility for establishing and maintaining adequate internal control user satisfaction.
b. A statement that the organization's internal auditors have issued an attestation report on management's assessment of the company's internal controls.
c. A statement identifying the framework used by management to conduct their assessment of internal controls.
d. An explicit written conclusion as to the effectiveness of internal control over financial reporting.
ANS: B

3. In a computer-based information system, which of the following duties needs to be separated?
a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated
ANS: D

4. Supervision in a computerized environment is more complex than in a manual environment for all of the following reasons except
a. rapid turnover of systems professionals complicates management's task of assessing the competence and honesty of prospective employees
b. many systems professionals have direct and unrestricted access to the organization's programs and data
c. rapid changes in technology make staffing the systems environment challenging
d. systems professionals and their supervisors work at the same physical location
ANS: D

5. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes
ANS: B

6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian
ANS: A

7. Systems development is separated from data processing activities because failure to do so
a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during execution
c. results in inadequate documentation
d. results in master files being inadvertently erased
ANS: B

8. Which organizational structure is most likely to result in good documentation procedures?
a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing
ANS: A

9. All of the following are control risks associated with the distributed data processing structure except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards
ANS: C

10. Which of the following is not an essential feature of a disaster recovery plan?
a. offsite storage of backups
b. computer services function
c. second site backup
d. critical applications identified
ANS: B

11. A second site backup agreement between two or more firms with compatible computer facilities to assist each other with data processing needs in an emergency is called
a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact
ANS: D

12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster stricken company
b. intense competition for shell resources during a widespread disaster
c. maintenance of excess hardware capacity
d. the control of the shell site is an administrative drain on the company
ANS: B

13. An advantage of a recovery operations center is that
a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center
ANS: B

14. For most companies, which of the following is the least critical application for disaster recovery purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing
ANS: A

15. The least important item to store offsite in case of an emergency is
a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program
ANS: D

16. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except
a. systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job security to the programmer
ANS: C

17. All of the following are recommended features of a fire protection system for a computer center except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations
ANS: B

18. Which concept is not an integral part of an audit?
a. evaluating internal controls
b. preparing financial statements
c. expressing an opinion
d. analyzing financial data
ANS: B

19. Which statement is not true?
a. Auditors must maintain independence.
b. IT auditors attest to the integrity of the computer system.
c. IT auditing is independent of the general financial audit.
d. IT auditing can be performed by both external and internal auditors.
ANS: C

20. Typically, internal auditors perform all of the following tasks except
a. IT audits
b. evaluation of operational efficiency
c. review of compliance with legal obligations
d. internal auditors perform all of the above tasks
ANS: D

21. The fundamental difference between internal and external auditing is that
a. internal auditors represent the interests of management and external auditors represent outsiders
b. internal auditors perform IT audits and external auditors perform financial statement audits
c. internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement audits
d. external auditors assist internal auditors but internal auditors cannot assist external auditors
ANS: A

22. Internal auditors assist external auditors with financial audits to
a. reduce audit fees
b. ensure independence
c. represent the interests of management
d. the statement is not true; internal auditors are not permitted to assist external auditors with financial audits
ANS: A

23. Which statement is not correct?
a. Auditors gather evidence using tests of controls and substantive tests.
b. The most important element in determining the level of materiality is the mathematical formula.
c. Auditors express an opinion in their audit report.
d. Auditors compare evidence to established criteria.
ANS: B

24. All of the following are steps in an IT audit except
a. substantive testing
b. tests of controls
c. post-audit testing
d. audit planning
ANS: C

25. When planning the audit, information is gathered by all of the following methods except
a. completing questionnaires
b. interviewing management
c. observing activities
d. confirming accounts receivable
ANS: D

26. Substantive tests include
a. examining the safety deposit box for stock certificates
b. reviewing systems documentation
c. completing questionnaires
d. observation
ANS: A
27. Tests of controls include
a. confirming accounts receivable
b. counting inventory
c. completing questionnaires
d. counting cash
ANS: C

28. All of the following are components of audit risk except
a. control risk
b. legal risk
c. detection risk
d. inherent risk
ANS: B

29. Control risk is
a. the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated
b. associated with the unique characteristics of the business or industry of the client
c. the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
d. the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor
ANS: C

30. All of the following tests of controls will provide evidence about the physical security of the computer center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center
ANS: C

31. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team
ANS: B

32. Which of the following is true?
a. In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of information systems.
c. Substantive tests establish whether internal controls are functioning properly.
d. IT auditors prepare the audit report if the system is computerized.
ANS: B
33. Inherent risk
a. exists because all control structures are flawed in some ways.
b. is the likelihood that material misstatements exist in the financial statements of the firm.
c. is associated with the unique characteristics of the business or industry of the client.
d. is the likelihood that the auditor will not find material misstatements.
ANS: C

34. Attestation services require all of the following except
a. written assertions and a practitioner's written report
b. the engagement is designed to conduct risk assessment of the client's systems to verify their degree of SOX compliance
c. the formal establishment of measurements criteria
d. the engagement is limited to examination, review, and application of agreed-upon procedures
ANS: B

35. The financial statement of an organization reflects a set of management assertions about the financial health of the business. All of the following describe types of assertions except
a. that all of the assets and equities on the balance sheet exist
b. that all employees are properly trained to carry out their assigned duties
c. that all transactions on the income statement actually occurred
d. that all allocated amounts such as depreciation are calculated on a systematic and rational basis
ANS: B

SHORT ANSWER
1. Which of the following statements is true?
a. Both the SEC and the PCAOB require the use of the COSO framework
b. Both the SEC and the PCAOB require the COBIT framework
c. The SEC recommends COBIT and the PCAOB recommends COSO
d. Any framework can be used that encompasses all of COSO's general themes
ANS: Both c and d above are true.

2. COSO identifies two broad groupings of information system controls. What are they?
ANS: general; application

3. The Sarbanes-Oxley Act contains many sections. Which sections are the focus of this chapter?
ANS: The chapter concentrates on internal control and audit responsibilities pursuant to Sections 302 and 404.

4. What control framework is recommended by the PCAOB?
ANS: The PCAOB's Auditing Standard No. 2 endorses the use of COSO as the framework for control assessment.
5. What are the objectives of application controls?
ANS: The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.

6. Define general controls.
ANS: General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.

7. Discuss the key features of Section 302 of the Sarbanes-Oxley Act.
ANS: Section 302 requires that corporate management (including the CEO) certify quarterly and annually their organization's internal controls over financial reporting. The certifying officers are required to:
a. have designed internal controls
b. they must disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter.

8. What are the three primary CBIS functions that must be separated?
ANS: Programming should be separated from computer operations. Programming maintenance should be separated from new systems development. End users should be separate from systems design.

9. List three pairs of system functions that should be separated in the centralized computer services organization. Describe a risk exposure if the functions are not separated.
Functions to Separate (Risk Exposure)
ANS:
separate systems development from data processing operations (unauthorized changes to application programs during execution),
separate database administrator from systems development (unauthorized access to database files),
separate new systems development from systems maintenance (writing fraudulent code and keeping it concealed during maintenance),
separate data library from computer operations (loss of files or erasing current files)

10. For disaster recovery purposes, what criteria are used to identify an application or data as critical?
ANS:
Critical applications and files are those that impact the short-run survival of the firm. Critical items impact cash flows, legal obligations, and customer relations.

11. Describe the components of a disaster recovery plan.
ANS: Every disaster recovery plan should:
designate a second site backup
identify critical applications
prepare backup and offsite storage procedures
create a disaster recovery team
test the disaster recovery plan

12. What is a mirrored data center?
ANS: Duplicating programs and data onto a computer at a separate location.
17. __________ are intentional mistakes while __________ are unintentional mistakes.
ANS: Irregularities, Errors

18. Explain the relationship between internal controls and substantive testing.
ANS: The stronger the internal controls, the less substantive testing must be performed.

19. Discuss the interrelationship of tests of controls, audit objectives, exposures, and existing controls.
ANS: During the risk analysis phase of the audit, the auditor develops an understanding of the exposures that threaten the firm and about the existing controls. Based on that understanding, the auditor develops audit objectives. From the audit objectives the auditor designs and performs tests of controls.

20. Distinguish between errors and irregularities. Which do you think concern the auditors the most?
ANS: Errors are unintentional mistakes; while irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. Processes which involve human actions will contain some amount of human error. Computer processes should only contain errors if the programs are erroneous, or if systems operating procedures are not being closely and competently followed. Errors are typically much easier to uncover than misrepresentations, thus auditors typically are more concerned whether they have uncovered any and all irregularities.

21. Describe two tests that an auditor would perform to ensure that the disaster recovery plan is adequate.
ANS: review second site backup plan, critical application list, and offsite backups of critical libraries, applications and data files; ensure that backup supplies, source documents and documentation are located offsite; review which employees are members of disaster recovery team

22. Distinguish between inherent risk and control risk. How do internal controls and detection risk fit in?
ANS:
Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Internal controls may be present in firms with inherent risk, yet the financial statements may be materially misstated due to circumstances outside the control of the firm, such as a customer with unpaid bills on the verge of bankruptcy. Detection risk is the risk that auditors are willing to accept that errors are not detected or prevented by the control structure. Typically, detection risk will be lower for firms with higher inherent risk and control risk.

23. Contrast internal and external auditing.
ANS:
Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. External auditing is often called "independent auditing" because it is done by certified public accountants who are independent of the organization being audited. This independence is necessary since the external auditors represent the interests of third-party stakeholders such as shareholders, creditors, and government agencies.

24. What are the components of audit risk?
ANS: Inherent risk is associated with the unique characteristics of the business itself; control risk is the likelihood that the control structure is flawed because controls are absent or inadequate; and detection risk is the risk that auditors are willing to take that errors will not be detected by the audit.

25. How do the tests of controls affect substantive tests?
ANS: Tests of controls are used by the auditor to measure the strength of the internal control structure. The stronger the internal controls, the lower the control risk, and the less substantive testing the auditor must do.

26. What is an auditor looking for when testing computer center controls?
ANS: When testing computer center controls, the auditor is trying to determine that the physical security controls are adequate to protect the organization from physical exposures, that insurance coverage on equipment is adequate, that operator documentation is adequate to deal with operations and failures, and that the disaster recovery plan is adequate and feasible.

27. Define and contrast attestation services and assurance services.
ANS: Attest services are engagements in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party, e.g., the financial statements prepared by an organization.
Assurance services are professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers. The domain of assurance services is intentionally unbounded.

ESSAY
1. Discuss the key features of Section 404 of the Sarbanes-Oxley Act.
ANS: Section 404 requires the management of public companies to assess the effectiveness of their organization's internal controls over financial reporting and provide an annual report addressing the following points:
1) A statement of management's responsibility for establishing and maintaining adequate internal control.
2) An assessment of the effectiveness of the company's internal controls over financial reporting.
3) A statement that the organization's external auditors have issued an attestation report on management's assessment of the company's internal controls.
4) An explicit written conclusion as to the effectiveness of internal control over financial reporting.
6) A statement identifying the framework used by management to conduct their assessment of internal controls.
2. Section 404 requires management to make a statement identifying the control framework used to conduct their assessment of internal controls. Discuss the options in selecting a control framework.
ANS: The SEC has made specific reference to the Committee of the Sponsoring Organizations of the Treadway Commission (COSO) as a recommended control framework. Furthermore, the PCAOB's Auditing Standard No. 2 endorses the use of COSO as the framework for control assessment. Although other suitable frameworks have been published, according to Standard No. 2, any framework used should encompass all of COSO's general themes.

3. Explain how general controls impact transaction integrity and the financial reporting process.
ANS: Consider an organization with poor database security controls. In such a situation, even data processed by systems with adequate built-in application controls may be at risk. An individual who can circumvent database security may then change, steal, or corrupt stored transaction data. Thus, general controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting.

4. Prior to SOX, external auditors were required to be familiar with the client organization's internal controls, but not test them. Explain.
ANS: Auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not need to test them. Instead auditors could focus primarily on substantive tests. Under SOX, management is required to make specific assertions regarding the effectiveness of internal controls. To attest to the validity of these assertions, auditors are required to test the controls.

5. Does a qualified opinion on management's assessment of internal controls over the financial reporting system necessitate a qualified opinion on the financial statements? Explain.
ANS: No.
Auditors are permitted to simultaneously render a qualified opinion on management's assessment of internal controls and an unqualified opinion on the financial statements. In other words, it is technically possible for auditors to find internal controls over financial reporting to be weak, but conclude through substantive tests that the weaknesses did not cause the financial statements to be materially misrepresented.

6. The PCAOB's Standard No. 2 specifically requires auditors to understand transaction flows in designing their tests of controls. What steps does this entail?
ANS: This involves:
1. Selecting the financial accounts that have material implications for financial reporting.
2. Identify the application controls related to those accounts. As previously noted, the
3. Identify the general controls that support the application controls.
The sum of these controls, both application and general, constitutes the relevant internal controls over financial reporting that need to be reviewed.

7. What fraud detection responsibilities (if any) are imposed on auditors by SOX?
ANS:
Standard No. 2 places new responsibility on auditors to detect fraudulent activity. The standard emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements.

installation of new software; troubleshooting hardware and software problems; technical training; firm-wide standard setting for the systems area; and performance evaluation of systems professionals.

9. Discuss the advantages and disadvantages of the second site backup options.
ANS: Second site backups include mutual aid pacts, empty shell, recovery operations center, and internally provided backups.

Mutual Aid Pacts
Advantages
Inexpensive
Disadvantages

Inexpensive
Extended time lag between disaster and initial recovery

Recovery Operations Center
Advantages
Rapid initial recovery
Disadvantages
Expensive

Internally Provided Backups
Advantages
Controlled by the firm
Compatibility of hardware and software
Rapid initial recovery
Disadvantages
Expense of maintaining excess capacity year round
10. Internal control in a computerized environment can be divided into two broad categories. What are they? Explain each.
ANS: Internal controls can be divided into two broad categories. General controls apply to all or most of a system to minimize exposures that threaten the integrity of the applications being processed. These include operating system controls, data management controls, organizational structure controls, system development controls, system maintenance controls, computer center security, Internet and Intranet controls, EDI controls, and PC controls. Application controls focus on exposures related to specific parts of the system: payroll, accounts receivable, etc.
11. Auditors examine the physical environment of the computer center as part of their audit.
construction of the computer center should be sound; access to the computer center should be controlled; air-conditioning should be adequate given the heat generated by electronic equipment and the failure that can result from overheating; fire suppression systems are critical; and adequate power supply is needed to ensure service.

12. Explain why certain duties that are deemed incompatible in a manual system may be combined in a CBIS environment. Give an example.
ANS: In a CBIS environment it would be inefficient and contrary to the objectives of automation to separate such tasks as processing and recording a transaction among several different application programs merely to emulate a manual control model. Further, the reason for separating tasks is to control against the negative behavior of humans; in a CBIS the computer performs the tasks, not humans.

13. Compare and contrast the following disaster recovery options: mutual aid pact, empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as most costly to least costly.
ANS: A mutual aid pact requires two or more organizations to agree and trust one another to aid each other with their data processing needs in the event of a disaster. This method is the lowest cost, but also somewhat risky for two reasons. First, the host company must be trusted to scale back its own processing in order to process the transactions of the disaster-stricken company. Second, the two or more firms must not be affected by the same disaster or the plan fails. The next lowest cost method is internally provided backup. With this method, organizations with multiple data processing centers may invest in internal excess capacity and support themselves in the case of disaster in one data processing center.
This method is not as risky as the mutual aid pact because reliance on another organization is not a factor. In terms of cost, the next highest method is the empty shell where two or more organizations buy or lease space for a data processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments, as well as payment for air conditioning and raised floors. The risk of this method is that the hardware, software, and technicians may be difficult, if not impossible, to have available in the case of a natural disaster. Further, if multiple members' systems crash simultaneously, an allocation problem exists. The method with lowest risk and also the highest cost is the recovery operations center. This method takes the empty shell concept one step further: the computer equipment is actually purchased and software may even be installed. Assuming that this site is far enough away from the disaster stricken area not to be affected by the disaster, this method can be a very good safeguard.

14. What is a disaster recovery plan? What are the key features?
ANS: A disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. The essential features are: providing second site backup, identifying critical applications, backup and offsite storage procedures, creating a disaster recovery team, and testing the disaster recovery plan.