CISA Certified Information Systems Auditor – Question0412

An organization’s IT security policy states that user IDs must uniquely identify individuals and that users should not disclose their passwords. An IS auditor discovers that several generic user IDs are being used. Which of the following is the MOST appropriate course of action for the auditor?

A. Investigate the noncompliance.
B. Include the finding in the final audit report.
C. Recommend disciplinary action.
D. Recommend a change in security policy.

Correct Answer: A