Certified Information Systems Auditor (CISA) — Question 542
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST:
Answer options
- A. conduct additional compliance testing.
- B. issue an intermediate report to management.
- C. perform a business impact analysis (BIA).
- D. evaluate the impact on current disaster recovery capability.
Correct answer: D
Explanation
The correct answer is D because evaluating the impact on current disaster recovery capability provides context for understanding the significance of the missing BIA. Conducting additional compliance testing or issuing an intermediate report may be premature without first assessing the immediate implications for disaster recovery. Performing a BIA, while important, is not the first step in this scenario.