Certified Information Systems Auditor (CISA) — Question 1237

During preparation for an IS audit of an organization's IT security processes, which of the following documents would BEST enable the IS auditor to understand the ownership of specific operational tasks?

Answer options

• A. IT service delivery procedures
• B. RACI chart
• C. Security risk register
• D. Documentation of non-functional requirements

Correct answer: B

Explanation

The RACI chart is the most suitable document for clarifying roles and responsibilities, making it easier for the IS auditor to identify who is accountable for specific operational tasks. In contrast, IT service delivery procedures outline processes, the security risk register focuses on risks rather than responsibilities, and documentation of non-functional requirements does not provide clear ownership of tasks.