An IS auditor finds a number of system accounts that do not have documented approvals.
Which of the following should be performed FIRST by the auditor?
A. Have the accounts removed immediately.
B. Obtain sign-off on the accounts from the application owner.
C. Document a finding and report an ineffective account provisioning control.
D. Determine the purpose and risk of the accounts.
Correct answer: D
The FIRST thing an IS auditor should do when they find system accounts without documented approvals is to determine the purpose and risk of the accounts. Therefore, option D is the correct answer.
Explanation:
Option A: Having the accounts removed immediately is not the appropriate first step since the auditor does not yet know the purpose and risk of the accounts. These accounts may be essential for the system's functioning, and removing them without proper investigation can cause operational disruptions.
Option B: Obtaining sign-off on the accounts from the application owner is a good step to take, but it should not be the first one. Before obtaining sign-off, the auditor needs to evaluate the purpose and risk of the accounts.
Option C: Documenting a finding and reporting an ineffective account provisioning control is not the first step since the auditor needs to determine the purpose and risk of the accounts first. Documenting and reporting can come later after the auditor has a better understanding of the situation.
Option D: Determining the purpose and risk of the accounts is the first step the auditor should take. The auditor should review system documentation and interview relevant personnel to understand the nature of the accounts, why they exist, and what risks they pose to the system. Based on the findings, the auditor can then recommend appropriate actions, such as obtaining approvals, disabling accounts, or improving control processes.
In conclusion, the IS auditor should determine the purpose and risk of the accounts before taking any further action. Once the auditor has a better understanding of the situation, they can recommend appropriate actions to address the issue.