The most important validation point is whether the VM replication process is periodically tested to confirm that recovery will actually work. ISACA guidance on backup and recovery states that when using new backup methodologies or technologies, management should test the data afterward to ensure the process is reliably recording all required data, and auditors should ensure periodic health checks are performed.

Option B is correct because recovery adequacy is not proven by the mere existence of replication. ISACA specifically warns that replication alone can increase risk, since corruption can be replicated as well, and it emphasizes validating the reliability of the backup or replication process through testing and health checks.

Option A is important for resilience, but offsite location alone does not prove recoverability. A replica that is never tested may still fail when needed.

Option C is not the most important factor for evaluating recovery procedures. Load balancing supports performance and availability, but it is not the key evidence that replicated systems can be recovered successfully.

Option D is a useful security precaution. ISACA does note that VM backup administrators should not have Internet access to reduce ransomware exposure, but that is a security-hardening issue, not the primary validation of recovery adequacy.

Therefore, B is the best answer because periodic testing is the most important way to validate that VM replication will support actual recovery.

References (Official ISACA):

ISACA Journal, IS Audit Basics: Backup and Recovery — replication can increase risk if corruption is copied; auditors should ensure backup/recovery processes are tested and health checks are performed.

ISACA Journal, A Five-Layer View of Data Center Systems Security — disaster recovery design should consider criticality and RPO/RTO.