Certified Information Systems Auditor (CISA) — Question 380

Which of the following observations should be of GREATEST concern to an IS auditor when auditing web application security control as part of an IT general controls audit?

Answer options

• A. The application control configuration is not available.
• B. An application control assessment has not been performed.
• C. An application control matrix has not been established.
• D. Application control is not aligned with an IT framework.

Correct answer: B

Explanation

The correct answer is B because without performing an application control assessment, the auditor cannot determine the effectiveness of security controls, which poses a significant risk. Options A, C, and D are concerns but do not directly indicate the lack of evaluation necessary to assess security control effectiveness.