What should be an IS auditor's NEXT course of action when a review of an IT organizational structure reveals IT staff members have duties in other departments?
A. B. C. D.A.
When an IS auditor discovers that IT staff members have duties in other departments, the next course of action should be to determine whether any segregation of duties conflicts exist.
Segregation of duties is an essential control for preventing fraud, errors, and malicious activity: it ensures that no single individual has complete control over a critical business process. It involves dividing tasks and responsibilities among multiple individuals to minimize the risk of inappropriate actions.
When IT staff members perform duties in other departments, it may create conflicts of interest and undermine the effectiveness of segregation of duties controls. For instance, an IT staff member who has access to financial systems and also works in the finance department may have an opportunity to manipulate financial records without being detected.
Therefore, the IS auditor should investigate the nature and extent of the IT staff members' duties in other departments to determine whether there is a risk of segregation of duties conflicts. If any conflicts are identified, the auditor should report them to the appropriate management or governance committee for resolution.
It may not always be necessary to recommend the implementation of segregation of duties controls because some duties can be combined without posing a significant risk. For instance, an IT staff member who assists with user support and also works in the marketing department may not create a significant risk of fraud or errors.
Reporting the issue to HR management may not be the most appropriate course of action unless the IT staff members' duties in other departments violate the company's policies or ethical standards. The IS auditor should focus on the risk of segregation of duties conflicts and not on the HR implications.
Reporting a potential finding to the audit committee may be necessary if the identified segregation of duties conflicts pose a significant risk to the organization's operations, financial reporting, or compliance obligations. However, the IS auditor should first investigate the issue and determine the extent of the risk before reporting to the audit committee.