Certified Internal Auditor (CIA) Part 3: Business Knowledge for Internal Auditing — Question 58
According to IIA guidance, which of the following would be the best first step to manage risk when a third party is overseeing the organization's network and data?
Answer options
- A. Creating a comprehensive reporting system for vendors to demonstrate their ongoing due diligence in network operations.
- B. Drafting a strong contract that requires regular vendor control reports and a right-to-audit clause.
- C. Applying administrative privileges to ensure right-to-access controls are appropriate.
- D. Creating a standing cybersecurity committee to identify and manage risks related to data security.
Correct answer: D
Explanation
Creating a standing cybersecurity committee is the best first step because it establishes a structured, ongoing approach to identifying and managing risks. The other options, while important, are more reactive measures that do not establish a foundational strategy for ongoing risk management.