When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does
not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor?
Alert management and evaluate the impact of not covering all systems.
Cancel the audit.
Complete the audit of the systems covered by the existing disaster recovery plan.
Postpone the audit until the systems are added to the disaster recovery plan.
An IS auditor should make management aware that some systems are omitted from the disaster
recovery plan. An IS auditor should continue the audit and include an evaluation of the impact of
not including all systems in the disaster recovery plan. Cancelling the audit, ignoring the fact that
some systems are not covered or postponing the audit are inappropriate actions to take.