CISSP Question #500: Real Exam Question with Answer & Explanation

The correct answer is A: The audit assessment has been conducted by an independent assessor.

Submitted by kim_seoul · Mar 5, 2026 · Domain: Security and Risk Management

Question

An organization is outsourcing its payroll system and is requesting to conduct a full audit on the third-party information technology (IT) systems. During the due diligence process, the third party provides a previous audit report on its IT systems. Which of the following MUST be considered by the organization in order for the audit reports to be acceptable?

Options

  • A. The audit assessment has been conducted by an independent assessor.
  • B. The audit reports have been signed by the third-party senior management.
  • C. The audit reports have been issued in the last six months.
  • D. The audit assessment has been conducted by an international audit firm.

Explanation

The most important factor that the organization must consider in order for the audit reports to be acceptable is that the audit assessment has been conducted by an independent assessor. An independent assessor is a person or an entity that has no affiliation with, and no interest in, either the third party or the organization, and that can therefore perform the audit assessment objectively and impartially. An independent assessor can provide a credible and reliable evaluation of the third party's information technology (IT) systems and identify any risks, issues, or gaps that may affect the security, performance, or compliance of the outsourced payroll system. An independent assessor can also verify that the third party's IT systems meet the organization's requirements and expectations, and that the third party follows best practices and standards for IT security and management. The audit reports being signed by the third-party senior management, being issued in the last six months, or being produced by an international audit firm are not as critical as the audit assessment being conducted by an independent assessor: none of these guarantees the quality, validity, or relevance of the audit reports, and they may not be applicable or feasible in all

Topics

  • Third-party risk management
  • Vendor due diligence
  • Audit independence
  • Third-party assurance
