Certified Information Systems Auditor (CISA) — Question 905

An IS auditor is reviewing a client’s outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?

Answer options

• A. Payroll processing costs have not been included in the IT budget.
• B. User access rights have not been periodically reviewed by the client.
• C. The third-party contract does not comply with the vendor management policy.
• D. The third-party contract has not been reviewed by the legal department.

Correct answer: B

Explanation

The correct answer is B because regular review of user access rights is critical to ensure that only authorized personnel have access to sensitive payroll information. Options A, C, and D, while important, do not directly impact the security and integrity of user access, making them less critical than the potential risks associated with inadequate access control.