An IS auditor finds that management has signed a contract with a new application service provider but did not obtain third-party audit reports as part of the due diligence process. Which of the following is the GREATEST risk associated with this finding?
The greatest risk from not obtaining third-party audit reports is that service provider controls may not be in place (Option C), as this exposes the organization to unverified and potentially nonexistent safeguards critical to its operations and security.