An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor’s NEXT course of action?
A. Obtain a verbal confirmation from IT for this exemption.
B. Review the list of end-users and evaluate for authorization.
C. Verify management’s approval for this exemption.
D. Report this control process weakness to senior management.