1.a : Outsourcing Quiz Flashcards
(1) Which of the following clauses in an outsourcing contract helps MOST to improve service levels and
minimize costs?
A. Use of the latest O/S and hardware
B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. Training for outsourced staff
Answer: Gain-sharing performance bonuses
Explanation:
The other clauses are important and must be in an outsourcing agreement, but the bonus element provides a financial incentive to go beyond the stated terms of the agreement.
(2) An organization has outsourced some of its IS processes. What is the MOST important function
to be performed by IS management in such a scenario?
A. Ensuring that outsourcing charges are paid as per SLA.
B. Training the staff of outsourced vendors.
C. Levying penalties for non-compliance.
D. Monitoring the outsourcing provider’s performance
Answer: D. Monitoring the outsourcing provider’s performance
Explanation:
Though the other parameters are important, the most important function of IS management is to
monitor the performance of vendors. It is critical that the outsourcing provider’s performance be
monitored to ensure that services are delivered to the company as required.
(3) An IS auditor observed that outsourcing vendors have been appointed without formal written
agreements. The IS auditor should recommend that management:
A. obtains independent assurance of the third-party service providers.
B. sets up a process for monitoring the service delivery of the third party.
C. ensures that formal contracts are in place.
D. revokes the appointment of outsourcing vendors.
Answer: ensures that formal contracts are in place.
Explanation:
It is difficult to enforce the terms of a contract in the absence of a formal written agreement. Written
agreements assist management in ensuring compliance with contractual requirements.
(4) An organization has outsourced its IT support service. A probable advantage of outsourcing is that:
A. reliance can be placed on expertise of outsourcing vendors.
B. more control can be exercised over IT processing.
C. the organization can transfer its accountability in terms of privacy laws.
D. employee satisfaction may increase.
The correct answer is: A. reliance can be placed on expertise of outsourcing vendors.
Explanation:
Through an outsourcing arrangement, the services of an expert can be obtained in the absence of in-house
expertise. No organization can transfer its accountability through outsourcing.
(5) An organization has outsourced the design of its IT security policy. Which of the following functions
cannot be outsourced?
A. Accountability for the IT security policy
B. Benchmarking the security policy against other organizations in the industry
C. Implementing the IT security policy
D. User awareness for IT security policy
Answer: A. Accountability for the IT security policy
Explanation:
Under no circumstances can accountability be transferred to external parties. Other functions can be
outsourced as long as accountability remains within the organization.
(6) An organization has outsourced IT support service to a provider in another country. Which of the
following conclusions should be the main concern of the IS auditor?
A. Legal jurisdiction can be questioned.
B. Increase in overall cost.
C. Delay in providing service due to time difference.
D. Difficulty in monitoring the performance of the outsourced vendor due to geographical distance.
Answer: A. Legal jurisdiction can be questioned.
Explanation:
Here the main concern is legal jurisdiction. In the absence of proper clarification there can be compliance
as well as legal issues. The other choices are not as relevant as legal jurisdiction. Also, even if the service
provider is in a different country, that does not necessarily indicate a delay in service or difficulty in
monitoring. Generally, outsourcing to other countries is done to save cost.
(7) An IS auditor is reviewing an outsourcing contract for IT facilities. The auditor should be MOST concerned if
which of the following clauses is not included in the contract:
A. types of hardware
B. software configuration
C. ownership of intellectual property
D. employee training policy
Answer: C. ownership of intellectual property
Explanation:
A clause on ownership of intellectual property is a must in an outsourcing contract. The
contract specifies who owns the intellectual property. Ownership of intellectual property will have a
significant cost and is a key aspect to be defined in an outsourcing contract. The other choices, though
important, do not have as much significance as the intellectual property clause.
(8) An organization has outsourced data operations service to a provider in another country. Which
of the following conclusions should be the main concern of the IS auditor?
A. Communication issues due to geographical differences.
B. Scope creep due to cross-border differences in project implementation.
C. Privacy laws could prevent cross-border flow of information.
D. Dissatisfaction of in-house IT team.
Answer: C. Privacy laws could prevent cross-border flow of information.
Explanation:
The main concern is the regulatory issue, which can prohibit the flow of information.
(9) An IS auditor is reviewing a request for proposal (RFP) floated by the IT department to procure
services from an independent service provider. Inclusion of which of the clauses below is MOST
important while floating such an RFP?
A. Details about Maintenance plan
B. Details about Proof of Concept (POC)
C. References from other customers.
D. Details about BCP
Answer is: C. References from other customers
Explanation:
References from other customers help the IT department get an idea of the performance level of the
service provider. Checking references is a means of obtaining an independent verification that the
vendor can perform the services it says it can. The other options are important and need to be
understood before awarding contracts. However, the most important clause is references from
other customers.
(10) An organization has outsourced its IT support service to an independent service provider. Which of
the following clauses would be the best to define in the SLA to control the performance of the service
provider?
A. Total number of users to be supported
B. Minimum percentage of incidents solved in the first call
C. Minimum percentage of incidents reported to the help desk
D. Minimum percentage of agents answering the phones
Answer: B. Minimum percentage of incidents solved in the first call
Explanation:
Since it is about service level (performance) indicators, the percentage of incidents solved on the
first call is the most relevant control. It helps to control performance of the service provider. Other
options are not relevant.
(11) An organization is in the process of entering into an agreement with an outsourced vendor. Which of the
following should occur FIRST?
A. Deciding periodicity of contract
B. Approval from compliance team.
C. Decide the level of penalties.
D. Finalize the service level requirements.
Answer: D. Draft the service level requirements.
Explanation:
Of the options given, the very first step should be finalizing the service level requirements (SLR). The SLR will
form part of the SLA. The other options are performed once the service level requirements are finalized.
(12) Which of the following documents will serve the purpose of a vendor performance review by an IS
auditor?
A. Market Feedback of the vendor.
B. Service level agreement (SLA)
C. Penalty levied reports
D. Performance report submitted by vendor.
Answer: B. Service level agreement (SLA)
Explanation:
A Service Level Agreement (SLA) is considered the most independent document for a performance
review of the vendor.
(13) An IS auditor has been asked to recommend an effective control for providing temporary access
rights to outsourced vendors. Which of the following is the MOST effective control?
A. Penalty clause in service level agreement (SLA).
B. User accounts are created as per defined role (least privilege) with expiration dates.
C. Full access is provided for a limited period.
D. Vendor management is given the right to delete IDs when work is completed.
Answer: B. User accounts are created as per defined role (least privilege) with expiration dates
Explanation:
(1) Creation of need-based user IDs and automated revocation of IDs as per the expiration date will
serve as the most effective control under the given scenario and options.
(2) A penalty clause in the SLA may act as a deterrent control, but automated revocation of IDs is a more
effective method of control.
(3) Providing full access is risky.
(4) A control that gives vendor management the right to delete IDs may not be
reliable.
(14) Which of the following is the GREATEST concern in reviewing a system development approach?
A. User manages acceptance testing.
B. A quality plan is not part of the contracted deliverables.
C. Application will be rolled out in 3 phases.
D. Compliance with business requirements is done through prototyping.
Answer: B. A quality plan is not part of the contracted deliverable.
Explanation:
A quality plan is a critical element to be included in the contracted deliverables. It is critical that the
contracted supplier be required to produce such a plan. The other areas are not points of concern.
(15) An IS auditor is reviewing the process of acquiring application software. Which of the
following is the MOST important consideration?
A. documented operating procedure to be available.
B. a backup server be loaded with all the relevant software and data.
C. training to staff.
D. escrow arrangement for source code.
Answer: D. escrow arrangement for source code.
Explanation:
Source code escrow is the deposit of the source code of software with a third-party escrow agent.
The software source code is released to the licensee if the licensor files for bankruptcy or otherwise
fails to maintain and update the software as promised in the software license agreement. An escrow
arrangement is very important in such cases. It ensures that the purchasing company will
have the opportunity to modify the software should the vendor cease to be in business.