Exam CISA topic 1 question 564 discussion

If the user list was not system-generated, there is a risk that the list may be incomplete or inaccurate. A manually compiled list may omit some users or include irrelevant ones, which could result in incorrect access rights being granted or improper reviews of user access.

Lets say you extracted a system-generated user listing, but its not complete, then the list will not be reliable. Hence if you choose a completed listing, it doesnt matter whether what is the source, as long as the user listing is completed. In my 5 years of auditing, not all user listing can be generated from a system. Grow up dudes.

Relying on manually compiled user lists increases the likelihood of errors, omissions, and inconsistencies, which can undermine the effectiveness of the access review process. It may also lead to incomplete or inaccurate assessments of user access rights, potentially exposing the organization to security risks and compliance issues. While the completeness of the user list (option D) is indeed a concern, the source of the user list reviewed is typically of greater importance. A system-generated user list is generally more reliable and comprehensive, providing a more accurate representation of user access rights within the application.

I think D should be the answer.

If the list was not system-generated, there's a greater risk that it's incomplete or inaccurate.

CISA Review Manual pg. 395 - Reports generated from the system—These represent the data that management relies upon for business decisions and review of business results. Therefore, ensuring the integrity of data in reports is key for the reliability of information in information systems. An IS auditor should validate that the reports are accurate and provide correct representation of the source data.

In my opinion the correct answer is 'A'. Because prior to performing the C&A procedures the IS auditor needs to verify the source of the data. The source of the data should be from the in-scope application's production server/db. If the source is not established C&A will not matter.

i think completeness and accuracy should be of greatest concern,

not system-generated being the key. Completeness and Accuracy will be the greatest concern

I think the correct answer is A. While completeness is definitely an important consideration, you could still make up a complete but corrupt data. In that case, the data is complete but still corrupt.

What happens if the user list is incomplete? There may be users inthe system but not in the list. So the list has to be extracted from system. Whatever source may be, the list may not be complete