Following request for proposal (RFP) responses, a project seeking to acquire a new application system has identified a short list of vendors.
At this point, the IS auditor should:
A. B. C. D.

Answer: C.
When an organization seeks to acquire a new application system, an RFP is typically issued to potential vendors, and a shortlist of vendors is selected after reviewing their responses. At this point, the IS auditor should take several steps to ensure that the organization selects a vendor that meets its needs and does not pose undue risk.
Option A: Encourage contact with current users of the vendor's products. The IS auditor should encourage the organization to contact current users of the vendor's products to obtain feedback on their experiences with the vendor and its products. This can help the organization assess the vendor's reputation, reliability, and support quality.
Option B: Perform a detailed cost-benefit exercise on the proposed application. The IS auditor should review the proposed application system and perform a detailed cost-benefit analysis to determine whether the system is worth the cost of acquisition, implementation, and ongoing maintenance. This analysis should consider factors such as the system's functionality, compatibility with existing systems, ease of use, and potential ROI.
Option C: Require that contract terms include a right-to-audit clause. The IS auditor should recommend that the contract terms include a right-to-audit clause, which allows the organization to conduct audits of the vendor's security controls, data privacy practices, and other relevant areas. This clause can help the organization ensure that the vendor is complying with its contractual obligations and protecting the organization's data and systems.
Option D: Recommend performing system integration tests. The IS auditor should recommend that the organization perform system integration tests to ensure that the new application system can function effectively with existing systems and infrastructure. These tests should cover areas such as data migration, user access controls, and system performance.
In summary, the IS auditor should encourage the organization to contact current users of the vendor's products, perform a detailed cost-benefit analysis on the proposed application, recommend including a right-to-audit clause in the contract terms, and recommend performing system integration tests. All of these steps can help the organization select a vendor that meets its needs and minimizes risk.