Certified Information Systems Auditor (CISA) — Question 394
During an audit of a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that not all critical systems are covered. What should the auditor do NEXT?
Answer options
- A. Evaluate the impact of not covering the systems
- B. Escalate the finding to senior management
- C. Evaluate the prior year's audit results regarding critical system coverage
- D. Verify whether the systems are part of the business impact analysis (BIA)
Correct answer: D
Explanation
The correct answer is D because verifying whether the systems are part of the BIA is essential to understanding their significance in the disaster recovery process. Options A and C do not directly address the immediate need to verify system coverage in the BIA, while option B may escalate the issue but does not provide a solution to the oversight.