Certified Internal Auditor (CIA) Part 3: Business Knowledge for Internal Auditing — Question 189
An organization decided to outsource its human resources function. As part of its process migration, the organization is implementing controls over sensitive employee data. What would be the most appropriate directive control in this area?
Answer options
- A. Require a Service Organization Controls (SOC) report from the service provider
- B. Include a data protection clause in the contract with the service provider
- C. Obtain a nondisclosure agreement from each employee at the service provider who will handle sensitive data
- D. Encrypt the employee’s data before transmitting it to the service provider
Correct answer: B
Explanation
The correct answer, B, emphasizes the importance of a contractual agreement that explicitly addresses data protection, which is critical when outsourcing functions that involve sensitive information. While options A, C, and D are also important controls, they focus on compliance and technical measures rather than on establishing a clear directive for the protection of data through contractual obligations.