Certified Information Systems Auditor (CISA) — Question 192
An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?
Answer options
- A. Audit logging is not enabled.
- B. Single sign-on is not enabled.
- C. Complex passwords are not required.
- D. Security baseline is not consistently applied.
Correct answer: A
Explanation
The absence of audit logging (option A) is the greatest concern because it prevents tracking of access and activities within the CRM system, making it difficult to detect unauthorized access or breaches. While single sign-on, complex passwords, and security baselines are important controls, they do not provide the critical oversight that audit logging offers.