Certified Information Systems Auditor (CISA) — Question 931

Which of the following should be of GREATEST concern to an IS auditor reviewing a report of an unsuccessful disaster recovery test?

Answer options

• A. A root cause analysis was not performed.
• B. The report was not discussed with the IT steering committee.
• C. The disaster recovery procedures are not up to date.
• D. The disaster recovery test was conducted during non-peak hours.

Correct answer: A

Explanation

The lack of a root cause analysis is critical because it prevents understanding the underlying issues that led to the test's failure, which is essential for improving future recovery efforts. While discussing the report with the IT steering committee and updating procedures are important, they are secondary to identifying the reasons for failure. Conducting the test during non-peak hours is a logistical concern but does not directly impact the effectiveness of the recovery process itself.