Certified Information Systems Auditor (CISA) — Question 17
During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?
Answer options
- A. Perform a review of terminated users' account activity.
- B. Conclude that IT general controls are ineffective.
- C. Communicate risks to the application owner.
- D. Perform substantive testing of terminated users' access rights.
Correct answer: A
Explanation
The correct answer is A because reviewing terminated users' account activity helps identify any potential risks or unauthorized access that may have occurred. B is incorrect because it is premature to conclude that controls are ineffective without further investigation. C, while important, does not address the immediate need to assess the risk through an activity review. D is also not the next logical step, as the auditor should review account activity before testing access rights.