Certified Information Systems Auditor (CISA) — Question 4

An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined the user list was not system-generated. Which of the following should be the GREATEST concern?

Answer options

• A. Source of the user list reviewed
• B. Availability of the user list reviewed
• C. Confidentiality of the user list reviewed
• D. Completeness of the user list reviewed

Correct answer: D

Explanation

The completeness of the user list is critical because a manually created list may miss users who should have access or include those who should not. If the user list is incomplete, it poses a risk to the application's security. The other options, while important, do not directly address the integrity of the access control that comes from having a complete user list.