In a small organization, an IS auditor finds that security administration and system analysis functions are performed by the same employee. Which of the following is the MOST significant finding?
A. The security policy has not been updated to reflect the situation.
B. The employee's formal job description has not been updated.
C. The employee has not signed the security policy.
D. The employee's activities are not independently reviewed.
A. The security policy has not been updated to reflect the situation.
B. The employee's formal job description has not been updated.
C. The employee has not signed the security policy.
D. The employee's activities are not independently reviewed.