Certified Information Systems Auditor (CISA) — Question 1244
An IS auditor determines that elevated administrator accounts for servers are not properly checked out and then checked back in after each use. Which of the following is the MOST appropriate sampling technique to determine the scope of the problem?
Answer options
- A. Haphazard sampling
- B. Random sampling
- C. Statistical sampling
- D. Stratified sampling
Correct answer: D
Explanation
Stratified sampling is the best choice here because it lets the auditor analyze distinct subgroups within the population, such as various types of servers or departments, and so provides a more comprehensive understanding of the issue. The other sampling techniques, while useful, may not provide the same depth of insight into specific areas of concern.