Certified Information Systems Auditor (CISA) — Question 486

During a software acquisition review, an IS auditor should recommend that there be a software escrow agreement when:

Answer options

• A. the product is new in the market.
• B. the deliverables do not include the source code.
• C. there is no service level agreement (SLA).
• D. the estimated life for the product is less than 3 years.

Correct answer: B

Explanation

A software escrow agreement is important when the deliverables do not include the source code, as it protects the buyer's investment by ensuring access to the code in case the vendor fails to support the product. The other options do not necessarily warrant an escrow agreement since new products and short life spans do not guarantee the need for source code access, and the absence of an SLA does not directly relate to source code availability.