CISA Exam Preparation | Next Steps for Identifying Application Owners


Question

An IS auditor reviewing a financial organization's identity management solution found that some critical business applications do not have identified owners.

Which of the following should the auditor do NEXT?

Answers

Explanations


B.

An IS auditor's primary objective is to assess the effectiveness and adequacy of an organization's information systems and related processes. In this scenario, the auditor has identified a significant issue in the financial organization's identity management solution: some critical business applications do not have identified owners. Without an owner, nobody is accountable for approving, reviewing, and removing access to those applications, which creates a significant risk to the organization's information security.

The auditor's next step should be to discuss the issue with the auditee. The auditee is responsible for the organization's operations and is best placed to understand the issue's scope and impact. The auditor should provide the auditee with a detailed account of the specific findings, their significance, and the potential consequences of the issue.

The auditor should also work with the auditee to identify the root cause of the problem and develop a plan to address the issue. This plan should include steps to identify and assign owners for the critical business applications, as well as measures to prevent similar issues from occurring in the future.

It's important to note that the auditor's role is not to revoke access rights to critical applications. This action could result in serious disruptions to the organization's operations and should only be taken as a last resort if there is evidence of malicious activity or if the organization's security is at immediate risk.

Writing a finding in the audit report is also an important step, but it should not be the auditor's next step. The audit report is a formal document that summarizes the auditor's findings, conclusions, and recommendations. It is typically prepared at the end of the audit process after all the relevant information has been gathered, analyzed, and discussed with the auditee.

Requesting a business risk acceptance is also not the next step because this action assumes that the organization is willing to accept the risk of not having identified owners for critical business applications. Before accepting such a risk, the organization must fully understand the potential consequences of this issue and take steps to mitigate the risk as much as possible.