What action should an IS auditor take when a disaster recovery plan (DRP) does not cover all systems?

Study for the CISA Domain 1 Exam. Get ready with flashcards, multiple-choice questions, hints, and explanations. Prepare thoroughly for your audit and assurance certification!

When a disaster recovery plan (DRP) does not encompass all systems, the most appropriate action for an IS auditor is to alert management and evaluate the impact of the omission. This step is crucial because the effectiveness of a disaster recovery plan relies heavily on its comprehensiveness in addressing all critical systems that support business operations.

By notifying management, the auditor ensures that leadership is aware of potential vulnerabilities that could affect business continuity. Evaluating the impact involves assessing the risks associated with the uncovered systems, understanding the potential consequences of a disaster on those systems, and determining whether existing safeguards are adequate. This process not only provides valuable insights for management to make informed decisions regarding the DRP but also highlights the importance of incorporating all relevant systems in disaster recovery planning.

Taking this action aligns with the auditor's responsibility to provide assurance that the organization's risk management processes are effective and that all significant systems are considered in its recovery strategies.
