An IS auditor conducting a review of disaster recovery
planning at a financial processing organization has
discovered the following:

* The existing disaster recovery plan was compiled two years
ago by a systems analyst in the organization's IT department
using transaction flow projections from the operations
department.

* The plan was presented to the deputy CEO for approval and
formal issue, but it is still awaiting his attention.

* The plan has never been updated, tested or circulated to
key management and staff, though interviews show that each
would know what action to take for their area in the event
of a disruptive incident.

The basis of an organization's disaster recovery plan is to
reestablish live processing at an alternative site where a
similar, but not identical, hardware configuration is already
established. The IS auditor should:

A. take no action as the lack of a current plan is the only
significant finding.

B. recommend that the hardware configuration at each site
should be identical.

C. perform a review to verify that the second configuration
can support live processing.

D. report that the financial expenditure on the alternative
site is wasted without an effective plan.

Answer Posted / guest

Answer: C

The IS auditor does not have a finding unless it can be
shown that the alternative hardware cannot support the live
processing system. Even though the primary finding is the
lack of a proven and communicated disaster recovery plan, it
is essential that this aspect of recovery is included in the
audit, since, if it is found to be inadequate, the finding
will materially support the overall audit opinion. It is
certainly not appropriate to take no action at all, leaving
this important factor untested, and unless it is shown that
the alternative site is inadequate, there can be no comment
on the expenditure (even if this is considered a proper
comment for the IS auditor to make). Similarly, there is no
need for the configurations to be identical. The alternative
site could actually exceed the recovery requirements if it
is also used for other work, such as other processing or
systems development and testing. The only proper course of
action at this point would be to find out if the recovery
site can actually cope with a recovery.
