An IS auditor has assessed a payroll service provider`s security policy and finds significant topics are missing. Which of the following is the auditor`s BEST course of action? 

Answer options:

A. Recommend the service provider update their policy.
B. Notify the service provider of the discrepancies.
C. Report the risk to internal management.
D. Recommend replacement of the service provider.

C