An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?
A. The vendor will not achieve best practices
B. The vendor will not ensure against control failure
C. The controls may not be properly tested
D. Lack of a risk-based approach to access control
A. The vendor will not achieve best practices
B. The vendor will not ensure against control failure
C. The controls may not be properly tested
D. Lack of a risk-based approach to access control