An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?
An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?
If an IS audit reveals that an organization has not performed a simulation test of the business continuity plan (BCP), the auditor's best course of action is to raise an audit issue for the lack of simulated testing. Simulation testing is a critical component of any BCP, as it ensures the plan is effective and identifies any potential weaknesses. Without such testing, the organization cannot be certain that its BCP will function correctly in an actual disaster situation. Therefore, raising an audit issue highlights this serious deficiency and prompts the organization to address it.
A. Raise an audit issue for the lack of simulated testing, this is the next course of action
effectiveness of the business response can be reviewed (B) after the result of the stimulated test
The auditor’s best course of action is to raise an audit issue for the lack of simulated testing (Option A). This directly addresses the identified control gap, ensures it is formally recorded, and prompts the organization to mitigate the risk by implementing testing in the future. While understanding the BCP’s current effectiveness is important, the priority is to acknowledge and report the deficiency, consistent with auditing principles.