IT operations for a large organization have been outsourced. An IS auditor reviewing the
outsourced operation should be MOST concerned about which of the following findings?
A.
The outsourcing contract does not cover disaster recovery for the outsourced IT operations.
B.
The service provider does not have incident handling procedures.
C.
Recently a corrupted database could not be recovered because of library management problems.
D.
incident logs are not being reviewed.
Explanation:
The lack of a disaster recovery provision presents a major business risk. Incorporating such a
provision into the contract will provide the outsourcing organization leverage over the service
provider. Choices B, C and D are problems that should be addressed by the service provider, but
are not as important as contract requirements for disaster recovery.