During an information security audit, an auditor discovers that the current disaster recovery plan was developed three years ago but never tested. There have been significant changes to information systems since the plan was developed. The auditor should:

Which of the following items should be addressed in an organization's privacy statement?
I. Intended use of collected information.
II. Data storage and security.
III. Network/infrastructure authentication controls.
IV. Data retention policy of the organization.
Parties authorized to access information.

According to IIA guidance, which of the following statements best justifies a chief audit executive's request for external consultants to complement internal audit activity (IAA) resources?

Which of the following factors should a chief audit executive consider when determining the audit universe?
1.Components of the organization's strategic plan.
2.Inputs from senior management and the board.
3.Views of competitors and business associates.
4.Results of exit interviews with departing employees.

Which of the following statements is correct regarding the assessment of risk in the annual audit planning process?
1.Activities requested by management should be considered higher risk than those requested by the audit committee.
2.Activities with lower budgets can be as high risk as those with higher budgets.
3.The potential financial or adverse exposure should always be considered in the assessment of risk.