CGEIT Question #88: Real Exam Question with Answer & Explanation
The correct answer is C: Exercise the right to perform an audit.
Question
A healthcare enterprise that is subject to strict compliance requirements has decided to outsource several key IT services to third-party providers. Which of the following would be the BEST way to assess compliance and avoid reputational damage?
Options
- A. Require quarterly reports from the providers demonstrating compliance.
- B. Require documentation that the providers have adequate controls in place.
- C. Exercise the right to perform an audit.
- D. Impose monetary penalties for noncompliance.
Explanation
For a healthcare enterprise outsourcing critical IT services with strict compliance needs, the best way to assess compliance and avoid reputational damage is to exercise the right to perform an independent audit. This allows for direct verification of controls and adherence to regulatory requirements.
Common mistakes
- A. Requiring quarterly reports is helpful for ongoing monitoring, but reports are self-attestations and may not provide the same level of independent verification as an audit, especially in high-risk, regulated environments.
- B. Requiring documentation of adequate controls is a necessary foundational step, but simply having documented controls does not guarantee they are implemented effectively or operating as intended.
- D. Imposing monetary penalties for noncompliance is a corrective measure and a contractual deterrent, but it occurs after noncompliance has been identified and damage may have already occurred, rather than proactively assessing and preventing it.
Concept tested: Third-party risk and compliance assessment