An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed.
Which of the following should be the IS auditor's NEXT course of action?
A. B. C. D.C.
The IS auditor has found that periodic reviews of read-only users for a reporting system are not being performed. This finding suggests a control weakness that could result in unauthorized access to sensitive information by individuals who may no longer require access.
In response to this finding, the IS auditor should take the following course of action:
D. Report this control process weakness to senior management.
Explanation:
Option A is incorrect because verbal confirmation from IT may not be sufficient evidence to address the control weakness. This approach does not ensure that the issue will be addressed effectively and may not provide adequate documentation for future reference.
Option B is also incorrect because the review of end-users and evaluation for authorization is not enough to address the identified control weakness. This approach does not address the root cause of the problem, which is the lack of periodic reviews.
Option C is incorrect because verifying management's approval for this exemption may not be sufficient to address the control weakness. This approach does not ensure that the issue will be addressed effectively, and it may not provide adequate documentation for future reference.
The most appropriate course of action is to report the control process weakness to senior management. Senior management can then take corrective action to address the root cause of the problem, which is the lack of periodic reviews. This approach ensures that the issue is addressed effectively, and it provides adequate documentation for future reference. It also allows senior management to assess the risk associated with the control weakness and take necessary steps to mitigate it.