
Which of the following statements about creating a disaster recovery team is most correct?
Individual task responsibility must be clearly defined and communicated to the
personnel involved.
Failure to perform essential tasks prolongs the recovery period and diminishes the
prospects for a successful recovery.
Disaster recovery team members should be experts in their areas and have assigned
tasks.
All of the above statements are equally correct.

Specific IT assets of a specific client are of little value to an outsourcing company
because the outsourcing company cannot achieve economies of scale if it employs
them elsewhere. In addition, since a client will become dependent on the outsourcing
company when it transfers its specific IT assets, the outsourcing company may raise
service rates to an exorbitant level. This is a risk of IT outsourcing pertaining to
failure to perform.
vendor exploitation.
outsourcing costs exceed benefits.
reduced security.

An arrangement involving two or more user organizations that buy or lease a building
and remodel it into a completely equipped computer site is a type of second-site
back-up pertaining to
empty shell or cold site.
recovery operations center or hot site.
internally-provided back-up.
none of the above.

Which of the following statements about the audit objective and procedures about DRP
is least correct?
The auditor should verify that management's disaster recovery plan is adequate and
feasible for dealing with a catastrophe that could deprive the organization of its
computing resources.
The auditor should verify backup procedures, supplies, documents and documentation
and verify the members of the disaster recovery team.
The auditor should review the list of critical applications.
None. All of the above statements are correct.

A disaster recovery plan is a comprehensive statement of all actions to be taken
________ a disaster along with documented, tested procedures that will ensure
continuity of operations.
before
during
after
all of the above

SSAE 16 report is prepared by
the client.
the client's auditor.
the outsourcing vendor.
the outsourcing vendor's auditor.

Backup of data files should be done at least
hourly.
daily.
weekly.
monthly.

Which theory states that an organization should focus exclusively on its core business
competencies while allowing outsourcing vendors to manage non-core areas such as IT
functions efficiently?
IT Outsourcing Theory
Core Competency Theory
Transaction Cost Economics (TCE) Theory
Pecking Order Theory

Which of the following statements about SSAE 16 Report is least correct?
Type 1 report attests to the vendor management's description of their system and the
suitability of the design of controls.
Type 2 report attests to the vendor management's description of their system and the
suitability of the design of controls, and operating effectiveness of controls.
When using the carve-out method, the vendor management would exclude the
subservice organization's relevant control objectives, the related controls from the
description of its system and the nature of the services performed by the subservice
organization.
All of the above statements are correct.

Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
is an internationally recognized third-party attestation report designed for
service organizations such as IT outsourcing vendors.
is the definitive standard by which third party vendor's auditors can determine whether
processes and controls at the client organization are adequate to prevent or detect
material errors that could impact the vendor's financial statements
specifically states that the use of a service organization does not reduce
management's responsibility to maintain effective internal control over financial
reporting.
both a and b.

Among the DRP groups in a disaster recovery team, which group prepares the backup
site for operation and acquires hardware from vendors?
Data Conversion and Data Control Group
Program and Data Backup Group
Second Site Facilities Group
Audit Group

Which of the following statements about identifying critical applications is most correct?
An essential element of a DRP involves procedures to identify the critical
applications and data files of the firm to be restored
For most organizations, short-term survival requires the restoration of those functions
that generate cash flows sufficient to satisfy long-term obligations.
Applications should be identified but may not be prioritized in the restoration plan.
The task of identifying and prioritizing critical applications requires active participation
of management and user departments, excluding the internal auditors.

In testing the DRP,
Tests provide measures of the preparedness of personnel and identify
omissions or bottlenecks in the plan.
A test is most useful in the form of a scheduled simulation of a disruption.
DRP tests should be performed at least every two years.
Both a and b.

According to TCE Theory, commodity IT assets are assets not unique to an
organization and easily acquired in the marketplace, an example of which is
help-desk function.
systems development.
application maintenance.
data warehousing.

All of the following are clear weaknesses in the controls for Hexagon EXCEPT

the building is constructed with fire-prone exterior wooden shingles with exposed interior wooden beams.

there are inadequate backup procedures because backup tapes and disks are stored on site until the end of the
week.

documentation and recovery instructions are stored onsite.

disaster recovery plan is not tested regularly.
