Regarding a disaster recovery plan, the role of an IS auditor should include:
identifying critical applications.
determining the external service providers involved in a recovery test.
observing the tests of the disaster recovery plan.
determining the criteria for establishing a recovery time objective (RTO).
The IS auditor should be present when disaster recovery plans are tested, to ensure that the test
meets the targets for restoration and that the recovery procedures are effective and efficient. As
appropriate, the auditor should provide a report of the test results. All other choices are
responsibilities of management.