Exam CISA
Question 564

An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined the user list was not system-generated. Which of the following should be the GREATEST concern?

    Correct Answer: D

    When evaluating an application user-access review, the greatest concern should be the completeness of the user list reviewed. If the list is not system-generated, there is a higher risk that it may be incomplete, which could lead to oversight of certain users' access rights. This could result in unauthorized access going undetected and posing significant security risks. Ensuring the completeness of the user list is crucial for an accurate and effective user-access review.

Discussion
Ej24356 Option: A

CISA Review Manual pg. 395 - Reports generated from the system—These represent the data that management relies upon for business decisions and review of business results. Therefore, ensuring the integrity of data in reports is key for the reliability of information in information systems. An IS auditor should validate that the reports are accurate and provide correct representation of the source data.

samir45 Option: D

I think D should be the answer.

Kushagrasingh97 Option: A

In my opinion the correct answer is 'A'. Because prior to performing the C&A procedures the IS auditor needs to verify the source of the data. The source of the data should be from the in-scope application's production server/db. If the source is not established C&A will not matter.

Calven

I think completeness and accuracy should be of greatest concern.

Action

Exactly my thoughts too. Answer should be D

gusni Option: A

I think the correct answer is A. While completeness is definitely an important consideration, you could still make up complete but corrupt data. In that case, the data is complete but still corrupt.

Xtrmntr

In audit, the source of data is always the most important factor, even more important than completeness. What if the source is the client and they have knowingly omitted information (i.e. completeness) or added false information? Then the data is worthless, regardless if it is "complete".

Action

What is the meaning of complete but corrupt?

Shrimvs Option: D

What happens if the user list is incomplete? There may be users in the system but not in the list. So the list has to be extracted from the system. Whatever the source may be, the list may not be complete.

ruestudent

I think A is correct. To get the complete user list the source should be reliable.

Swallows Option: A

Relying on manually compiled user lists increases the likelihood of errors, omissions, and inconsistencies, which can undermine the effectiveness of the access review process. It may also lead to incomplete or inaccurate assessments of user access rights, potentially exposing the organization to security risks and compliance issues. While the completeness of the user list (option D) is indeed a concern, the source of the user list reviewed is typically of greater importance. A system-generated user list is generally more reliable and comprehensive, providing a more accurate representation of user access rights within the application.

spar2kle Option: A

If the list was not system-generated, there's a greater risk that it's incomplete or inaccurate.

solidribs Option: D

Not system-generated being the key. Completeness and Accuracy will be the greatest concern.