Certified Information Systems Auditor (CISA) — Question 759
An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?
Answer options
- A. Some KPIs are not documented.
- B. KPIs are not clearly defined.
- C. KPIs have never been updated.
- D. KPI data is not being analyzed.
Correct answer: B
Explanation
The correct answer is B because KPIs that are not clearly defined can lead to misunderstandings about performance metrics, making it difficult to assess the vendor's effectiveness. While undocumented KPIs, outdated KPIs, and a lack of data analysis are concerning, unclear definitions pose the most immediate risk to understanding and evaluating vendor performance.