Certified Information Systems Auditor (CISA) — Question 1130
An IS auditor finds that management has signed a contract with a new application service provider but did not obtain third-party audit reports as part of the due diligence process. Which of the following is the GREATEST risk associated with this finding?
Answer options
- A. Roles and responsibilities may not be understood.
- B. Service level agreements (SLAs) may not be achievable.
- C. Service provider controls may not be in place.
- D. Service provider policies may not be properly documented.
Correct answer: C
Explanation
The most significant risk is that service provider controls may not be in place (C), because third-party audit reports (such as SOC reports) are the primary evidence an organization relies on to assess whether a provider's controls exist and operate effectively. Without these reports, the organization has no independent basis to verify that the provider has adequate security measures, so the other options are less impactful in comparison. Roles, SLAs, and documentation can still be addressed after contract signing, but missing controls pose a direct threat to security and compliance.