Certified Information Systems Auditor (CISA) — Question 259
An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?
Answer options
- A. Monitoring access rights on a regular basis
- B. Referencing a standard user-access matrix
- C. Correcting the segregation of duties conflicts
- D. Granting user access using a role-based model
Correct answer: D
Explanation
A role-based access model is the best way to prevent the misconfiguration from recurring because permissions are granted only through predefined roles, and segregation of duties conflicts can be designed out at the role level (for example, by defining mutually exclusive roles) so that no individual access grant can reintroduce them. Monitoring access rights (A) is a detective control that finds conflicts only after they already exist, and a standard user-access matrix (B) is a reference document that still depends on each access request being checked against it. Correcting the identified conflicts (C) remediates the current finding but does nothing to stop the next one. Only the role-based model (D) is a proactive, sustainable preventive control.
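The following is an added illustration, not part of the CISA question or its answer key, of why option D is preventive while option A is only detective. It models a minimal role-based access scheme with static segregation of duties rules: conflicting roles are declared mutually exclusive once, and every subsequent assignment is checked against that declaration. The role names, permission names and conflict pairs are constructed for the example and do not correspond to any particular ERP product.

```python
"""
Added example (not part of the CISA question or answer key): a minimal
role-based access model with static segregation-of-duties (SoD) rules.
Role names, permission names and conflict pairs are constructed for
illustration only and do not describe any specific ERP product.
"""
from dataclasses import dataclass, field


class SoDViolation(Exception):
    """Raised when a role assignment would give one user conflicting duties."""


# Constructed ERP-style roles mapping to permissions (assumed names).
ROLES = {
    "vendor_maintenance": {"vendor.create", "vendor.edit"},
    "ap_invoice_entry": {"invoice.enter"},
    "ap_payment_approval": {"payment.approve"},
    "ap_inquiry": {"vendor.view", "invoice.view", "payment.view"},
}

# Static SoD rules: pairs of roles that must never be held by the same user.
# Declared once at the role level, so every future assignment is checked
# against them automatically (the preventive control of option D).
MUTUALLY_EXCLUSIVE = {
    frozenset({"vendor_maintenance", "ap_payment_approval"}),
    frozenset({"ap_invoice_entry", "ap_payment_approval"}),
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        """Effective permissions are derived only from the user's roles."""
        return set().union(*(ROLES[r] for r in self.roles))


def conflicting_roles(roles):
    """Return the mutually exclusive role pairs that are fully present in `roles`."""
    return {pair for pair in MUTUALLY_EXCLUSIVE if pair <= set(roles)}


def assign_role(user: User, role: str) -> User:
    """Preventive control: refuse an assignment that would create an SoD conflict."""
    if role not in ROLES:
        raise KeyError(f"unknown role: {role}")
    conflicts = conflicting_roles(user.roles | {role})
    if conflicts:
        pairs = ", ".join(" + ".join(sorted(p)) for p in conflicts)
        raise SoDViolation(f"{user.name}: assigning {role!r} would violate SoD ({pairs})")
    user.roles.add(role)
    return user


def audit_users(users):
    """Detective control (option A): report users who already hold conflicting roles."""
    return {u.name: conflicting_roles(u.roles) for u in users if conflicting_roles(u.roles)}


def demo():
    alice = User("alice")
    assign_role(alice, "vendor_maintenance")
    assign_role(alice, "ap_inquiry")
    try:
        assign_role(alice, "ap_payment_approval")  # conflicts with vendor_maintenance
        blocked = False
    except SoDViolation:
        blocked = True
    # bob's roles were set directly, bypassing assign_role: the periodic audit
    # still finds the conflict, but only after it has existed.
    bob = User("bob", {"ap_invoice_entry", "ap_payment_approval"})
    return blocked, alice.roles, audit_users([alice, bob])


if __name__ == "__main__":
    print(demo())
```

Running the block shows the assignment that would let one person both maintain vendors and approve payments being refused at grant time, whereas the conflict introduced outside the role model is only surfaced by the audit afterwards. In a real ERP the same idea appears as mutually exclusive roles or risk rule sets in the access-governance module; the point is that the rule lives with the role definitions rather than in a reviewer's checklist.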