Certified in Risk and Information Systems Control (CRISC) — Question 1436

An organization is outsourcing data processing to a third-party data center facility to reduce costs. Who is responsible for the performance of data retention controls?

Answer options

• A. The organization’s control owner
• B. The third-party senior management
• C. The third-party control owner
• D. The organization’s internal audit team

Correct answer: A

Explanation

The correct answer is A because the organization’s control owner retains responsibility for ensuring that data retention controls are effectively implemented, even when outsourcing. The third-party senior management (B) and control owner (C) are responsible for their own operations but do not assume liability for the organization’s controls. The internal audit team (D) may review compliance but is not responsible for the performance of retention controls.