An audit of disaster recovery planning (DRP) identifies that: 1) The current DRP was completed two years ago by the IT department using transaction flows projections from Operations, 2) The plan was provided to the deputy chief executive officer (CEO) but it was never officially approved and 3) The plan has not been updated, tested, or distributed to the appropriate senior management and staff. Interviews conducted with the appropriate stakeholders indicate that they are aware of the key actions to take in response to an incident. What should the IT auditor include as a recommendation?

A board of senior managers is set up to review and approve the existing plan.

A manager coordinates the creation of a new or revised plan within a defined time limit.

The deputy CEO be reprimanded for their failure to approve the plan.

The existing plan is approved and circulated to all key management and staff.

Explanation

The primary concern is to establish a workable disaster recovery plan, which reflects current processing volumes to protect the organization from any disruptive incident. Censuring the deputy CEO will not achieve this and is generally not within the scope of an IS auditor to recommend. Establishing a board to review the plan, which is two years out of date, may achieve an updated plan, but is not likely to be a speedy operation, and issuing the existing plan would be folly without first ensuring that it is workable. The best way to achieve a disaster recovery plan in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit. <== I believe that reviewing and updating an existing plan is definitely more effective than starting from scratch with a new team since a DR plan is a multi-year project. XXXXXXXXXX The correct answer is what was first proposed, the existing plan can stay in situ but it needs to be updated asap and it needs a person ( not a Board) to own this task XXXXXXXXXXXXXXXX