What should be the primary concern of an IS auditor reviewing external IT service provider management?

The primary concern of an IS auditor reviewing external IT service provider management should indeed be determining if the services were provided as contracted. This focus is crucial because the main objective of engaging an external service provider is to ensure that they deliver on their defined contractual obligations. Evaluating whether the services meet the agreed-upon standards affects the overall performance, compliance, and satisfaction of the organization.

Monitoring compliance with service level agreements (SLAs) not only verifies that the service provider is fulfilling its duties but also safeguards the organization’s interests, mitigates risks, and provides assurance regarding the quality and reliability of services received. The auditor's role includes confirming that the service provider's deliverables align with the organization's needs and expectations, as set out in the contract. This alignment is essential for maintaining operational efficiency and managing potential discrepancies between service expectations and actual performance.

While minimizing costs, evaluating knowledge transfer processes, and prohibiting subcontracting are important considerations, they do not directly address the primary responsibility of confirming service delivery compliance. These factors can influence overall service quality and cost efficiency but are secondary to ensuring that the contractual requirements are being met effectively.