During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?
A current BIA is essential to identify changes in business processes and threats, ensuring the DRP is aligned.
Why this answer
A business impact analysis (BIA) is the foundation of a valid disaster recovery plan (DRP): it identifies the critical business processes and sets their recovery time objectives (RTOs) and recovery point objectives (RPOs), and the DRP's recovery strategies are sized to meet them. Without a current BIA, the DRP may no longer reflect the organization's critical processes or the RTOs and RPOs they actually require. Even if management perceives no major changes, subtle shifts in process dependencies, resource availability, or regulatory requirements over three years can render the DRP ineffective.
Therefore, the auditor should recommend conducting a new BIA to validate the existing DRP and update it where the results differ from the previous BIA.
Exam trap
The trap here is that candidates may accept the IT manager's claim of 'no major changes' as sufficient. The CISA exam emphasizes that a BIA must be reviewed periodically (typically annually) and whenever significant changes occur, regardless of perceived stability, because hidden dependencies and gradual changes can still alter recovery requirements. A three-year gap with no review already exceeds that expectation, so the manager's assertion is not evidence that the DRP remains valid.
How to eliminate wrong answers
Option B is wrong because accepting the IT manager's rationale without evidence ignores the risk that the DRP is outdated; the auditor's role is to verify, not assume, that no changes have affected recovery requirements. Option C is wrong because terminating the current DRP would leave the organization with no recovery plan at all until the new BIA is completed, needlessly increasing operational risk; an outdated plan is still better than none while it is being updated. Option D is wrong because accepting the risk and documenting the decision without further action is premature; the actual level of risk is unknown until a BIA is performed, so the auditor should first recommend the BIA and only then let management decide whether any residual risk is acceptable.