What should be of primary concern to an IS auditor reviewing external IT service provider management?

Determining if services were provided as contracted is of primary concern to an IS auditor reviewing external IT service provider management because it directly relates to the effectiveness and compliance of the services being offered. An external IT service provider is typically bound by a contract that stipulates specific deliverables, performance metrics, and quality standards that are expected.

An IS auditor’s role includes assessing whether the provider meets these contractual obligations, as any deviation could point to risks such as service disruptions, financial implications, or potential breaches of compliance. The auditor would evaluate service level agreements (SLAs), monitor performance reports, and examine user feedback to ensure that the service provider truly delivers what is promised. This assessment is crucial for regulatory compliance and maintaining the integrity of the organization's operations.

While minimizing costs, prohibiting subcontracting, and transferring knowledge are important considerations, they are secondary to verifying that the core services are being performed as agreed upon. Ensuring adherence to the contracted terms protects the organization from risks associated with inadequate service delivery, which is why this aspect takes precedence in the review process.