Properly planned risk-based audit programs shall increase audit efficiency and effectiveness. The sophistication and formality of this kind of audit do vary a lot depending on the target's size and complexity.

Explanation/Reference:
A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.

Section: The process of Auditing Information System
Explanation/Reference:
Audit undertaken to confirm whether a firm is following the rules and regulations (prescribed by its internal
authority or control system) applicable to an activity or practice.
Compliance testing is basically an audit of a system carried out against a known criterion. A compliance
test may come in many different forms dependent on the request received but basically can be broken
down into several different types:
Operating Systems and Applications: A verification that an operating system and/or applications are
configured appropriately to the companies needs and lockdown requirements, thus providing adequate and
robust controls to ensure that the Confidentiality, Integrity and Availability of the system will not be affected
in its normal day to day operation.
Systems in development: A verification that the intended system under development meets the
configuration and lockdown standards requested by the customer.
Management of IT and Enterprise Architecture: A verification that the in-place IT management
infrastructure encompassing all aspects of system support has been put in place. This is to ensure
effective change control, audit, business continuity and security procedures etc. have been formulated,
documented and put in place.
Interconnection Policy: A verification that adequate security and business continuity controls governing the
connection to other systems, be they Telecommunications, Intranets, Extranets and Internet etc. have been
put in place, have been fully documented and correspond to the stated customer requirements.
The following answers are incorrect:
Substantive testing - A procedure used during accounting audits to check for errors in balance sheets and
other financial documentation. A substantive test might involve checking a random sample of transactions
for errors, comparing account balances to find discrepancies, or analysis and review of procedures used to
execute and record transactions.
Sanity testing - Testing to determine if a new software version is performing well enough to accept it for a
major testing effort. If application is crashing for initial use, then system is not stable enough for further
testing and build or application is assigned to fix.
Recovery testing - Testing how well a system recovers from crashes, hardware failures, or other
catastrophic problems.
The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 52 and 53
http://www.wikijob.co.uk/wiki/substantive-testing

Section: Protection of Information Assets
Explanation:
An IS auditor does not have a finding unless it can be shown that the alternative hardware cannot support
the live processing system. Even though the primary finding is the lack of a proven and communicated
disaster recovery plan, it is essential that this aspect of recovery is included in the audit. If it is found to be
inadequate, the finding will materially support the overall audit opinion. It is certainly not appropriate to take
no action at all, leaving this important factor untested. Unless it is shown that the alternative site is
inadequate, there can be no comment on the expenditure, even if this is considered a proper comment for
the IS auditor to make. Similarly, there is no need for the configurations to be identical. The alternative site
could actually exceed the recovery requirements if it is also used for other work, such as other processing
or systems development and testing. The only proper course of action at this point would be to find out if
the recovery site can actually cope with a recovery.