Certified Information Systems Auditor (CISA) — Question 581
Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?
Answer options
- A. Determine if the organization has a secure connection to the provider.
- B. Review the roles and responsibilities of the third-party provider.
- C. Evaluate the organization's third-party monitoring process.
- D. Review the third party's monitoring logs and incident handling.
Correct answer: B
Explanation
B is correct because understanding the roles and responsibilities of the third-party provider sets the foundation for the audit process. Options A, C, and D, while important, are secondary actions that depend on first clarifying the provider's responsibilities within the auditing framework.