Best Source of Information for an IS Auditor

A.

When planning an audit of a business application's controls, the IS auditor needs to identify the relevant sources of information that can help in the assessment of the application's controls. Among the options provided, the BEST source of information is dependent on the specific context of the audit. However, in general, the most comprehensive and useful source of information for an IS auditor when planning an audit of a business application's controls is the process flow diagrams.

Process flow diagrams provide a visual representation of the business process or application under review, which can help the auditor in understanding the data flow, the application's control points, and the dependencies among various application components. The process flow diagrams can also provide information about the system inputs, outputs, and the specific application controls designed to ensure the accuracy, completeness, and validity of the data processed by the application.

User documentation, change control procedures, and access control lists are also useful sources of information for an IS auditor, but they may not provide the same level of detail as process flow diagrams. User documentation can help in understanding the application's functionality and features, while change control procedures can provide insights into how changes to the application are managed and tested. Access control lists can help the auditor in evaluating the effectiveness of the application's security controls. However, these sources of information are limited to specific aspects of the application and may not provide a holistic view of the application's controls.

In conclusion, while user documentation, change control procedures, and access control lists can provide valuable information for an IS auditor when planning an audit of a business application's controls, the process flow diagrams are the BEST source of information for a comprehensive and detailed understanding of the application's controls.