Certified Internal Auditor (CIA) Part 3: Business Knowledge for Internal Auditing — Question 258
An organization is considering outsourcing its IT services, and the internal auditor is assessing the related risks. The auditor grouped the related risks into three categories:
- Risks specific to the organization itself.
- Risks specific to the service provider.
- Risks shared by both the organization and the service provider.
Which of the following risks should the auditor classify as specific to the service provider?
Answer options
- A. Unexpected increases in outsourcing costs.
- B. Loss of data privacy.
- C. Inadequate staffing.
- D. Violation of contractual terms.
Correct answer: C
Explanation
The correct answer is C, as inadequate staffing directly relates to the service provider's ability to fulfill its obligations. Options A and D pertain to financial and legal aspects that can affect both parties, while option B concerns data security, which is a shared risk rather than one specific to the service provider.