An organization is considering outsourcing its IT services, and the internal auditor is assessing the related risks. The auditor grouped the related risks into three categories:
- Risks specific to the organization itself.
- Risks specific to the service provider.
- Risks shared by both the organization and the service provider.
Which of the following risks should the auditor classify as specific to the service provider?
When assessing risks specific to the service provider in an IT outsourcing agreement, the most relevant aspect is the provider's internal management and capabilities. Inadequate staffing at the service provider is a risk that is specific to them because it directly concerns their ability to deliver the agreed services effectively. Other options, such as unexpected increases in outsourcing costs, loss of data privacy, and violation of contractual terms, either involve shared responsibility or do not fall squarely on the provider's management alone.
the correct answer is C
Agree should be C
it's C