An IS auditor has assessed a payroll service provider’s security policy and finds significant topics are missing. Which of the following is the auditor’s BEST course of action?
A. Recommend the service provider update their policy.
B. Notify the service provider of the discrepancies.
C. Report the risk to internal management.
D. Recommend replacement of the service provider.
A. Recommend the service provider update their policy.
B. Notify the service provider of the discrepancies.
C. Report the risk to internal management.
D. Recommend replacement of the service provider.