Certified Information Systems Auditor (CISA) — Question 892
An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?
Answer options
- A. Raise an audit issue for the lack of simulated testing.
- B. Review the effectiveness of the business response.
- C. Interview staff members to obtain commentary on the BCP's effectiveness.
- D. Confirm the BCP has been recently updated.
Correct answer: A
Explanation
The auditor's best action is to raise an audit issue for the lack of simulated testing, as this highlights a significant gap in the organization's preparedness. Reviewing the effectiveness of the business response, interviewing staff, or confirming BCP updates does not directly address the critical issue of simulation testing, which is essential for validating the business continuity plan.