Certified Information Systems Auditor (CISA) — Question 1203

Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?

Answer options

• A. Certifications maintained by the vendor
• B. Regular independent assessment of the vendor
• C. Review of monthly performance reports submitted by the vendor
• D. Substantive log file review of the vendor's system

Correct answer: B

Explanation

The correct answer is B because a regular independent assessment provides an objective evaluation of the vendor's adherence to controls. While certifications (A) and performance reports (C) can be useful, they do not guarantee compliance without independent verification. Substantive log file reviews (D) focus on specific incidents rather than overall control adherence.