An IS auditor has assessed a payroll service provider's security policy and finds significant topics are missing.
Which of the following is the auditor's BEST course of action?
A. B. C. D.C.
The IS auditor's best course of action in this scenario would be to notify the service provider of the discrepancies identified in their security policy, as stated in option B.
Option A, recommending that the service provider update their policy, may be a valid action, but it assumes that the service provider is willing and able to make the necessary updates. It is important to first notify the service provider of the discrepancies so that they are aware of the issues and can take appropriate action.
Option C, reporting the risk to internal management, may also be a valid action, but it assumes that the internal management has the authority and capability to address the issue with the service provider. It is important to involve the service provider directly in the discussion of the discrepancies so that they can provide context and work towards a solution.
Option D, recommending replacement of the service provider, may be an extreme measure and should only be considered if the identified discrepancies cannot be resolved or pose a significant risk to the organization. It is important to work with the service provider to address the issues before considering replacement.
Overall, the most appropriate course of action would be to notify the service provider of the discrepancies in their security policy and work with them to develop a plan to address the issues.