An auditor notes the administrator user ID is shared among three financial managers to perform month-end updates.
Which of the following is the BEST recommendation to ensure the administrator ID in the financial system is controlled effectively?
A. Implement the use of individual software tokens
B. Conduct employee awareness training
C. Institute user ID logging and monitoring
D. Ensure data in the financial systems has been classified

Answer: A.
The practice of sharing a single user ID among multiple individuals violates the principle of least privilege and increases the risk of unauthorized access to sensitive financial information. Therefore, the auditor must recommend a control that effectively mitigates this risk.
Of the given options, the best recommendation is to implement the use of individual software tokens (Option A). A software token is a piece of software that generates a unique one-time password (OTP) for each user. With individual software tokens, each financial manager would authenticate to the financial system with their own OTP, eliminating the need to share the administrator user ID.
Conducting employee awareness training (Option B) is a good control but may not be sufficient in this case. The financial managers may still feel the need to share the administrator user ID for convenience, and the risk of unauthorized access would persist.
Instituting user ID logging and monitoring (Option C) is a useful control to detect unauthorized access, but it does not prevent the practice of sharing the administrator user ID in the first place.
Ensuring data in the financial systems has been classified (Option D) is a good control for managing data sensitivity, but it does not address the issue of sharing the administrator user ID among multiple individuals.
Therefore, the best recommendation to ensure the administrator ID in the financial system is controlled effectively is to implement the use of individual software tokens (Option A).