Certified in Risk and Information Systems Control (CRISC) — Question 689
An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on:
Answer options
- A. the service provider's existing controls.
- B. guidance provided by the external auditor.
- C. a recognized industry control framework.
- D. the organization's specific control requirements.
Correct answer: D
Explanation
The correct answer is D because the organization's specific control requirements are tailored to its unique needs and risks, making them the most relevant criteria for evaluation. While the service provider's existing controls (A), guidance from the external auditor (B), and industry frameworks (C) can provide useful insights, they may not fully address the specific context and requirements of the organization.