An IS auditor is evaluating controls for monitoring the regulatory compliance of a third party that provides IT services to the organization. Which of the following should be the auditor's GREATEST concern?
The auditor's greatest concern should be that the organization has not communicated regulatory requirements to the third party. Without communicating these requirements, the third party may not be aware of the specific regulations they need to comply with, increasing the risk of noncompliance. Monitoring and ensuring regulatory compliance starts with clearly stating expectations and requirements to all involved parties.
It is D
If the third party has not been told the expectations (regulatory requirements), there is little hope of compliance.
I think the answer is C. If we reviewed the other party's policies and procedures and performed due diligence activities, then even if we couldn't submit our requirements it may be a low or medium risk, because maybe we already checked whether the third party is compliant. But if policies/procedures are not checked or due diligence is not performed, that means we don't have any third-party risk management, which makes it a high-risk finding. Even if we submit our requirements, maybe the other party does not follow them.
No one will sit and review the third party's policies and procedures. D is the correct answer.
During due diligence, third-party policies are reviewed alongside the SOC 2 report or any certification they hold. The answer should be D.
C, I meant.
Answer: B
Regulatory issue.
The question is related to "regulatory requirements", so the correct answer is D.
Why not B, please?
Policy is probably not a serious issue to be concerned about; it only matters if it is law.
I think it's better when the third party discloses the matter to our organization than when it does not, so we can take action.
Why doesn't C take precedence over D?