Certified Information Systems Auditor (CISA) — Question 1133
An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of MOST concern?
Answer options
- A. Timeliness of the user list review
- B. Availability of the user list
- C. Completeness of the user list
- D. Confidentiality of the user list
Correct answer: C
Explanation
The completeness of the user list is the most critical concern because a manually created list, unlike a system-generated one, may be prone to errors or omissions. Accounts left off the list are never reviewed, which can allow unauthorized access to go undetected. While timeliness, availability, and confidentiality are important, they are secondary to ensuring that the list includes all relevant users accurately.