Certified Information Systems Auditor (CISA) — Question 971
During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS) agreement. What should the auditor do NEXT?
Answer options
- A. Verify whether a third-party security attestation exists.
- B. Verify whether IT management monitors the effectiveness of the environment.
- C. Verify whether a right-to-audit clause exists.
- D. Verify whether service level agreements (SLAs) are defined and monitored.
Correct answer: D
Explanation
The correct answer is D because verifying that service level agreements (SLAs) are defined and monitored confirms that the performance and availability of the SaaS application meet the organization's requirements. Options A and C, while important, are secondary to confirming SLAs, and option B focuses on IT management's monitoring rather than the specifics of the SaaS agreement.