Certified Information Systems Auditor (CISA) — Question 835

An IS auditor is reviewing logical access controls for an organization's financial business application. Which of the following findings should be of GREATEST concern to the auditor?

Answer options

• A. Management does not review application user activity logs.
• B. Password length is set to eight characters.
• C. User accounts are shared between users.
• D. Users are not required to change their passwords on a regular basis.

Correct answer: C

Explanation

The greatest concern for the auditor is option C, as shared user accounts can lead to accountability issues and make it difficult to trace actions back to individual users. Options A and D, while concerning, do not pose as immediate a risk to security as shared accounts. Option B is also a concern, but the length of passwords can be mitigated by other security measures.