Prev Question
Next Question

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing
organization has discovered the following:
-The existing disaster recovery plan was compiled two years earlier by a systems analyst in the
organization’s IT department using transaction flow projections from the operations department.
-The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting
his/her attention.
-The plan has never been updated, tested or circulated to key management and staff, though
interviews show that each would know what action to take for its area in the event of a disruptive
The basis of an organization’s disaster recovery plan is to reestablish live processing at an
alternative site where a similar, but not identical, hardware configuration is already established. An
IS auditor should:

take no action as the lack of a current plan is the only significant finding.

recommend that the hardware configuration at each site is identical.

perform a review to verify that the second configuration can support live processing.

report that the financial expenditure on the alternative site is wasted without an effective plan.

An IS auditor does not have a finding unless it can be shown that the alternative hardware cannot
support the live processing system. Even though the primary finding is the lack of a proven and
communicated disaster recovery plan, it is essential that this aspect of recovery is included in the
audit. If it is found to be inadequate, the finding will materially support the overall audit opinion. It is
certainly not appropriate to take no action at all, leaving this important factor untested. Unless it is
shown that the alternative site is inadequate, there can be no comment on the expenditure, even if
this is considered a proper comment for the IS auditor to make. Similarly, there is no need for the
configurations to be identical. The alternative site could actually exceed the recovery requirements
if it is also used for other work, such as other processing or systems development and testing. The
only proper course of action at this point would be to find out if the recovery site can actually cope
with a recovery.

Prev Question
Next Question

Leave a Reply

Your email address will not be published. Required fields are marked *