正解: B
A system-generated list of staff and their project assignments, roles, and responsibilities is the most useful to an IS auditor performing a review of access controls for a document management system (DMS). A DMS is a system used to create, store, manage, and track electronic documents and images of paper-based documents through software1. Access controls are the mechanisms that regulate who can access, modify, or delete documents in a DMS, and under what conditions2. A system-generated list of staff and their project assignments, roles, and responsibilities helps the IS auditor to verify the appropriateness, accuracy, and completeness of the access rights granted to different users or groups of users in the DMS, based on the principle of least privilege and the segregation of duties23.
Policies and procedures for managing documents provided by department heads (A) are not the most useful to an IS auditor performing a review of access controls for a DMS. Policies and procedures are the documents that define the rules, standards, and guidelines for managing documents in a DMS, such as the document lifecycle, retention, classification, security, etc1. Policies and procedures are important to establish the expectations and requirements for document management, but they do not provide sufficient evidence or assurance of the actual implementation and effectiveness of the access controls in the DMS.
Previous audit reports related to other departments' use of the same system are not the most useful to an IS auditor performing a review of access controls for a DMS. Previous audit reports are the documents that summarize the findings, conclusions, and recommendations of previous audits conducted on the same or similar systems or processes4. Previous audit reports are useful to identify the common or recurring issues, risks, or gaps in the access controls of the DMS, as well as the best practices or lessons learned from other departments. However, previous audit reports do not reflect the current state or performance of the access controls in the DMS, and they may not be relevant or applicable to the specific department or scope of the current audit.
Information provided by the audit team lead on the authentication systems used by the department (D) are not the most useful to an IS auditor performing a review of access controls for a DMS. Authentication systems are the systems that verify the identity and credentials of the users who attempt to access the DMS, such as passwords, tokens, biometrics, etc2. Authentication systems are important to ensure the integrity and accountability of the users who access the DMS, but they do not provide sufficient information or assurance of the authorization and restriction of the users who access the DMS. Authorization and restriction are the aspects of access control that determine what actions or operations the users can perform on the documents in the DMS, such as read, write, edit, delete, etc2.
