Certified Information Systems Auditor (CISA) — Question 969
What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?
Answer options
- A. Determine service level requirements.
- B. Perform a business impact analysis (BIA).
- C. Complete a risk assessment.
- D. Conduct a vendor audit.
Correct answer: C
Explanation
The correct answer is C. A risk assessment helps identify potential vulnerabilities and threats associated with the SaaS vendor, so that management can make an informed decision. Determining service level requirements, performing a business impact analysis, and conducting a vendor audit are important steps, but they are secondary to understanding the risks involved before selection.