During an audit, which concern is most troubling if the HR department uses a cloud-based app without proper vendor management?

Prepare for the CISA Domain 5 Exam with our quizzes. Engage with flashcards, multiple-choice questions, detailed hints, and explanations. Boost your confidence and get ready to succeed!

The most troubling concern when an HR department uses a cloud-based application without proper vendor management is that organization-defined security policies are not applied to the application. This poses significant risk because the application may not adhere to the organization’s established protocols for data protection, confidentiality, integrity, and compliance with regulations.

When security policies are not enforced, sensitive employee data managed by the HR department is at increased risk of unauthorized access, breaches, or misuse. Failure to apply these policies can leave vulnerabilities in the application that threat actors could exploit, potentially resulting in data leaks or compliance violations with serious legal and financial repercussions for the organization.

While the other concerns listed—such as maximum acceptable downtime metrics, vendor relationship management, and the location of the help desk—are important in ensuring the overall resilience and effectiveness of the service, the primary concern with security policies directly impacts the organization's ability to protect its sensitive information and maintain trust with employees.
