Certified Information Systems Auditor (CISA) — Question 125
An IS auditor is evaluating controls for monitoring the regulatory compliance of a third party that provides IT services to the organization. Which of the following should be the auditor's GREATEST concern?
Answer options
- A. A gap analysis against regulatory requirements has not been conducted.
- B. The third party disclosed a policy-related issue of noncompliance.
- C. The organization has not reviewed the third party's policies and procedures.
- D. The organization has not communicated regulatory requirements to the third party.
Correct answer: D
Explanation
The greatest concern is that the organization has not communicated regulatory requirements to the third party; this communication is crucial for compliance. Without it, the third party may not be aware of the standards it needs to meet. While the other options indicate issues, they do not directly relate to the foundational requirement of ensuring that the third party understands the regulatory expectations.