CISA Certified Information Systems Auditor – Question0227

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor’s NEXT course of action?

A.
Obtain a verbal confirmation from IT for this exemption.
B. Review the list of end-users and evaluate for authorization.
C. Verify management’s approval for this exemption.
D. Report this control process weakness to senior management.

Correct Answer: C