Effective Methods for Assessing Control Functionality

A.

The most effective method for an IS auditor to determine which controls are functioning in an operating system is to compare the current configuration to the corporate standard (Option A).

Option A involves comparing the current configuration of the operating system to the corporate standard, which is a set of guidelines and requirements that define how the operating system should be configured and secured. This approach allows the IS auditor to identify any deviations from the standard and assess the effectiveness of the controls in place.

Consulting with the systems programmer (Option B) or the vendor of the system (Option C) may provide some insight into the system's controls, but they may not be able to provide a comprehensive view of all controls in place. The systems programmer may have limited knowledge of security controls, and the vendor may not be able to provide information on how the system is configured in a specific organization.

Comparing the current configuration to the default configuration (Option D) may not be an effective method for determining which controls are functioning because the default configuration may not be the most secure or appropriate configuration for the organization. Deviations from the default configuration may have been made for valid reasons, and the IS auditor needs to evaluate the current configuration against the corporate standard.

Therefore, Option A - comparing the current configuration to the corporate standard is the most effective method for an IS auditor to determine which controls are functioning in an operating system.