Which of the following should be of PRIMARY concern to an IS auditor reviewing the management
of external IT service providers?
Minimizing costs for the services provided
Prohibiting the provider from subcontracting services
Evaluating the process for transferring knowledge to the IT department
Determining if the services were provided as contracted
From an IS auditor’s perspective, the primary objective of auditing the management of service
providers should be to determine if the services that were requested were provided in a way that is
acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and
achievable (depending on the customer’s need) is traditionally not part of an IS auditor’s job. This
would normally be done by a line management function within the IT department. Furthermore,
during an audit, it is too late to minimize the costs for existing provider arrangements.
Subcontracting providers could be a concern, but it would not be the primary concern. Transferring
knowledge to the internal IT department might be desirable under certain circumstances, but should
not be the primary concern of an IS auditor when auditing IT service providers and the management