The correct answer is B. Review the terms and provisions in the contract.
When auditing an outsourced application, the auditor should first understand the contractual responsibilities, service scope, control expectations, reporting requirements, audit rights, compliance obligations, and security commitments. ISACA guidance on outsourcing and third-party assurance emphasizes that contracts are foundational because they define what the service provider is obligated to do and what the customer is entitled to review.
Option A is not first because billing validation is secondary to understanding the service arrangement and obligations.
Option C is incorrect because implementing access rights is a management responsibility, not an audit procedure.
Option D is important, but the auditor must first know whether such reporting is required, how it is defined, and under what timelines, all of which are typically governed by the contract or related agreement.
Therefore, the correct answer is B, because contract review establishes the basis for all further audit work over the outsourced HR application.
References (Official ISACA):
ISACA Journal, Third Party Assurance — highlights the importance of understanding outsourced service arrangements and related assurance expectations.
ISACA Now Blog, The Challenging Task of Auditing Social Media — states that when a function is outsourced, the contract should be reviewed to ensure it specifies required activities and expectations.
Submit