If an IS auditor discovers that a disaster recovery plan does not include a cloud-hosted application, what should be the auditor's next course of action?

When an IS auditor finds that a disaster recovery plan (DRP) does not include a cloud-hosted application, one of the most prudent next steps is to review the vendor contract to determine its disaster recovery capabilities. This step is essential because the vendor contract should specify the responsibilities of the cloud service provider in terms of disaster recovery.

Understanding the terms of the contract is crucial for assessing whether the cloud vendor has provisions in place to ensure business continuity and data availability in the event of a disaster. The contract may outline service level agreements (SLAs), recovery time objectives (RTOs), recovery point objectives (RPOs), and other relevant details that directly impact the reliability of the cloud service in a crisis situation.

By reviewing the contract, the auditor can ascertain the level of risk posed by excluding the cloud-hosted application from the organization's DRP. This understanding will help the auditor to address any potential gaps in the DR strategy, providing a basis for recommendations on how to mitigate risks related to the cloud service. Consequently, this option effectively supports the objectives of an IS audit focused on ensuring comprehensive disaster recovery preparedness.
