An organization is considering outsourcing user administration controls for a critical system.
The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits.
Which of the following should be of GREATEST concern to the risk practitioner?
The correct answer is C: The controls may not be properly tested.
Explanation: Outsourcing user administration controls for a critical system to a third-party vendor requires careful consideration of the risks involved. In this scenario, the vendor has offered to perform quarterly self-audits of its controls instead of undergoing annual independent audits. While this may appear to be a cost-effective option for the organization, it raises concerns about whether the effectiveness of the vendor's controls will be objectively verified.
One of the main reasons why independent audits are preferred over self-audits is that independent auditors can provide an objective assessment of the controls in place. On the other hand, self-audits rely on the vendor's own assessment of their controls, which may not be as thorough or objective.
The greatest concern for the risk practitioner should be that the controls may not be properly tested. If the vendor's self-audit process is not comprehensive or rigorous enough, it may miss potential vulnerabilities or weaknesses in the controls. This could lead to control failures and ultimately compromise the security and integrity of the critical system.
While concerns about achieving best practices and protecting against control failure are also important, they are not as significant as the risk of improper testing, because untested controls are the underlying cause of both. A lack of a risk-based approach to access control may also be a concern, but it is not directly related to the vendor's self-audit process.
In summary, the risk practitioner should carefully evaluate the vendor's self-audit process to ensure that it is robust enough to adequately test the controls in place. If the self-audit process is not deemed to be sufficient, the organization should consider other options, such as engaging an independent auditor to perform regular audits.