Certified Information Systems Auditor (CISA) — Question 161

What is the BEST way to evaluate a control environment where the organization and a third party have shared responsibility?

Answer options

• A. Conduct a control self-assessment (CSA).
• B. Review the service level agreement (SLA).
• C. Perform an onsite evaluation.
• D. Review complementary user entity controls.

Correct answer: D

Explanation

Reviewing complementary user entity controls is vital as it provides insights into how both the organization and third party manage shared responsibilities. While conducting a CSA and reviewing an SLA can provide useful information, they do not fully address the shared control environment. An onsite evaluation, though thorough, may not capture the specific dynamics of shared responsibilities.