The DRP is a set of procedures and resources that enable an organization to restore its critical IT functions and operations in the event of a disaster or disruption. The DRP should be tested regularly to ensure its effectiveness, validity, and readiness. Testing the DRP can help to identify and resolve any gaps, issues, or weaknesses in the plan, as well as to evaluate the performance and capability of the recovery team and resources. If the DRP has not been tested during the past three years, it may not reflect the current IT environment, business requirements, or recovery objectives, and it may fail to meet the expectations and needs of the stakeholders.
References
ISACA CISA Review Manual, 27th Edition, page 255
Disaster Recovery Plan Testing: The Ultimate Checklist
What is a Disaster Recovery Plan (DRP) and How Do You Write One?

The best approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks is to prioritize the organization's IT risk scenarios. IT risk appetite is the amount and type of IT risk that an organization is willing to accept in pursuit of its objectives. IT risk scenarios are hypothetical situations that describe the potential impact of IT risk events on the organization's objectives, processes, and resources. By prioritizing the organization's IT risk scenarios, the IS auditor can identify the most significant IT risks that affect the organization as a whole, and align them with the organization's strategic goals, values, and culture. Prioritizing the organization's IT risk scenarios can also help to communicate and monitor the IT risk appetite across the organization, and facilitate consistent and informed decision making. The other approaches (A, B and D) are not effective for determining the overall IT risk appetite of an organization, as they do not consider the impact and likelihood of IT risks on the organization's objectives, nor do they account for the diversity and complexity of IT risks across different business units. References: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of Information Technology, Section 2.3: Information Technology Risk Management

An audit universe is a comprehensive list of all the auditable entities, processes, and activities within an organization. It helps the IS auditor to identify the scope, objectives, and priorities of the audit plan, as well as the resources and methodologies required to conduct the audits. An audit universe can also help the IS auditor to ensure that all the key risks, controls, and regulations are covered by the audit plan, and that there are no gaps or overlaps in the audit coverage.
The first activity that the IS auditor should perform when preparing a plan for audits to be carried out over a specified period is to determine the audit universe. This involves defining the criteria and methods for identifying and categorizing the auditable units, such as by business function, process, system, location, or risk level. The IS auditor should also consult with the management and other stakeholders to obtain their input and expectations for the audit plan. The IS auditor should then document and validate the audit universe, and update it regularly to reflect any changes in the organization's structure, operations, or environment.
The other three activities are also important for preparing an audit plan, but they should be performed after determining the audit universe. Allocating audit resources involves assigning staff, time, budget, and tools to each audit based on their complexity, priority, and availability. Prioritizing risks involves assessing the likelihood and impact of each risk associated with each auditable unit, and ranking them according to their significance and urgency. Reviewing prior audit reports involves analyzing the findings, recommendations, and actions from previous audits related to each auditable unit, and evaluating their current status and relevance.
Therefore, determining the audit universe is the best answer.
References:
* Audit Universe - UPDATED 2022 - Examples, Templates & More!
* 01 February 2023 Audit universe - IIA

The best reason to implement a data retention policy is to limit the liability associated with storing and protecting information. A data retention policy is a business' established protocol for maintaining information, typically defining what data needs to be retained, the format in which it should be kept, how long it should be stored for, whether it should eventually be archived or deleted, who has the authority to dispose of it, and what procedure to follow in the event of a policy violation1. A data retention policy can help an organization to:
Comply with legal and regulatory requirements that mandate the retention and disposal of certain types of data, such as financial records, health records, or personal data Reduce the risk of data breaches, theft, loss, or corruption by minimizing the amount of data stored and ensuring proper security measures are in place Save costs and resources by optimizing the use of storage space and reducing the need for backup and recovery operations Enhance operational efficiency and performance by eliminating unnecessary or outdated data and improving data quality and accessibility Support business continuity and disaster recovery plans by ensuring critical data is available and recoverable in case of an emergency Facilitate audit trails and investigations by providing evidence of data authenticity, integrity, and provenance Therefore, by implementing a data retention policy, an organization can limit its liability associated with storing and protecting information, as well as improve its data governance and management practices.
References:
Data Retention Policy 101: Best Practices, Examples & More