What is the PRIMARY concern of an IS auditor when a service provider outsources part of its work?

The primary concern of an IS auditor when assessing the outsourcing of work to a service provider revolves around the confidentiality of information. When an organization outsources tasks, especially those linked to sensitive data, there is an inherent risk that confidential information could be compromised. This concern stems from several factors, including the potential unauthorized access to or misuse of data by third-party vendors. Auditors are particularly focused on ensuring that adequate controls and safeguards are in place to protect this information during its handling by external parties.

Confidentiality is a critical aspect of information security, as breaches can lead to financial losses, reputational damage, and legal consequences for the organization. Thus, the auditor must evaluate whether the service provider has effective measures and policies to maintain confidentiality throughout the outsourcing process, including any obligations placed on subsequent suppliers, access controls, employee training, and incident response plans.

In contrast, contract termination, auditing of subsequent suppliers, and direct approaches from the outsourcer to secondary providers are relevant issues, but they typically concern procedural or compliance aspects rather than the direct risk to the confidentiality of sensitive information. That is why the confidentiality concern takes precedence in the auditor's assessment.
