What should an IS auditor recommend if they find a disaster recovery plan (DRP) is outdated and not circulated?

The optimal recommendation in this scenario is to establish a workable disaster recovery plan (DRP) that reflects current processing volumes. An outdated DRP presents significant risks to an organization, particularly in the event of a disaster. If the plan does not encompass the current technology, processes, or workforce capabilities, it may not effectively address the needs of the organization during a crisis.

Creating a new DRP that accurately reflects the current state of operations ensures that all necessary resources, personnel, and protocols are accounted for, improving the likelihood of a successful recovery from any potential disruptions.

Incorporating these current processing volumes and operational realities into the plan allows the organization to be proactive, rather than reactive, in its disaster recovery efforts. This ensures that all stakeholders are prepared and that the strategies outlined in the DRP are both practical and achievable based on the present organizational context.