User Identification and Password Disclosure Policy | CISA Exam Question Answer

Generic User IDs in Violation of IT Security Policy | CISA Exam Answer


Question

An organization's IT security policy states that user IDs must uniquely identify individuals and that users should not disclose their passwords.

An IS auditor discovers that several generic user IDs are being used.

Which of the following is the MOST appropriate course of action for the auditor?

Answers

Explanations


The correct answer is A. Investigate the noncompliance.

Explanation:

The organization's IT security policy requires that each user ID uniquely identify an individual and that users not disclose their passwords. The policy exists to ensure accountability for actions taken within the system and to maintain the confidentiality of information.

The IS auditor has discovered that several generic user IDs are in use, meaning that multiple individuals may be accessing the system under the same user ID. This practice violates the IT security policy and removes the ability to attribute actions within the system to a specific person.

In this situation, the most appropriate course of action for the auditor is to investigate the noncompliance. The auditor should determine why generic user IDs are being used and whether any approved exceptions to the IT security policy permit their use.

If the use of generic user IDs is found to violate the policy and no valid exceptions exist, the auditor should report the finding in the final audit report. Depending on the severity of the violation, the auditor may also recommend disciplinary action against the individuals who are violating the policy. The primary objective of the audit, however, is to ensure compliance with the policy, so the investigation should focus on identifying and addressing the root cause of the noncompliance.

It is not appropriate for the auditor to recommend a change to the security policy without first investigating the noncompliance and understanding its causes. The auditor's role is to evaluate the effectiveness of existing policies and procedures, identify areas of noncompliance, and recommend corrective actions that improve compliance with the policy.