Certified Information Systems Auditor (CISA) — Question 699

An organization outsources its IT function to a third-party provider that supplies all hardware and support personnel. Which of the following poses the GREATEST risk that the provider's IT resources may not be available to meet the organization's objectives?

Answer options

• A. The service contract does not include penalty or termination provisions.
• B. The service provider does not make independent audit reports available.
• C. The service provider is located offshore.
• D. Service level agreements (SLAs) are not established and monitored.

Correct answer: D

Explanation

The absence of established and monitored service level agreements (SLAs) means there are no clear expectations or accountability for the service provider's performance, which can lead to unavailability of IT resources. While the other options present risks, they do not directly impact the provider's commitment to meeting service standards as significantly as the lack of SLAs does.