Certified Information Systems Auditor (CISA) — Question 1146
Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?
Answer options
- A. Information provided by the audit team lead on the authentication systems used by the department
- B. Policies and procedures for managing documents provided by department heads
- C. Previous audit reports related to other departments’ use of the same system
- D. A system-generated list of staff and their project assignments, roles, and responsibilities
Correct answer: D
Explanation
D is the correct answer because a system-generated list provides a current and comprehensive overview of who has access to the system and their specific roles, which is essential for assessing access controls. Option A, while informative, does not directly relate to individual access levels. Option B offers general policy information but lacks specificity on user access. Option C provides historical context but does not reflect the current access state of the system being audited.