When information processing is outsourced, the contract should explicitly require the service provider to comply with applicable legal and regulatory requirements. ISACA guidance on third-party risk and outsourcing consistently emphasizes that contracts must address legal obligations, compliance responsibilities, and regulatory expectations because the enterprise remains accountable for the data and services even when they are handled by a third party.
Option C is the best answer because legal compliance is broader and more fundamental than operational specifics such as backup procedures or security administration details. ISACA states that the enterprise remains accountable for safeguarding sensitive information and for complying with legal and regulatory requirements regardless of the contract terms or which third party processes the data; outsourcing transfers the work, not the accountability. Therefore, an auditor should expect the contract to expressly address compliance with those requirements.
Option A may be included in many outsourcing contracts, especially for critical services, but backup and recovery processes are service-level or operational matters. They are important, yet not as fundamental as requiring compliance with legal obligations. If the contract fails to address legal compliance, the organization faces regulatory, liability, and governance exposure even when backups are adequate.
Option B is incorrect because audit objectives are normally defined by the auditor or audit plan, not by the outsourcing contract. The contract may include audit rights, access rights, reporting rights, or the right to inspect controls, but it would not typically define the auditor’s objectives. ISACA outsourcing guidance highlights right-to-audit clauses rather than audit objectives as contract content.
Option D may also appear in the contract in the form of security requirements, roles, and responsibilities, but it is narrower than legal compliance. Security administration processes matter, yet they are subordinate to the overarching requirement that outsourced processing comply with applicable law, regulation, and contractual obligations.
So, the strongest answer is C because an outsourced processing contract must specify compliance with legal requirements, which is a core expectation in ISACA’s third-party governance and risk guidance.
References (Official ISACA):
ISACA Journal, A Risk-Based Management Approach to Third-Party Data Security Risk and Compliance — enterprises remain responsible for complying with legal and regulatory requirements even when using third parties.
ISACA Journal, Critical Information Systems Processes — contracts should include legal obligations and responsibilities.
ISACA Journal, Ensuring Vendor Compliance and Third-Party Risk Mitigation — contracts should include pertinent clauses for compliance requirements.
ISACA, Cloud Computing Evolution and Regulation in the Financial Services Industry — outsourcing arrangements should include audit and access rights in line with regulatory requirements.