To determine who has been given permission to use a particular system resource, an IS auditor
should review:
A.
activity lists.
B.
access control lists.
C.
logon ID lists.
D.
password lists.
Explanation:
Access control lists are the authorization tables that document the users who have been given
permission to use a particular system resource and the types of access they have been granted.
The other choices would not document who has been given permission to use (access) specific
system resources.