During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

A. Perform a review of terminated users' account activity.
B. Conclude that IT general controls are ineffective.
C. Communicate risks to the application owner.
D. Perform substantive testing of terminated users' access rights.
When an IS auditor discovers that terminated users' accounts have not been disabled, this poses a security and fraud risk. The NEXT best step is to determine whether these accounts were used after termination, which would indicate unauthorized access or malicious activity.
Why A is BEST:
It helps assess actual impact or risk (e.g., did someone use the account to perform unauthorized transactions?).
It provides evidence-based insights to support further action, such as escalation or control recommendations.
It aligns with the principle of investigating before concluding or escalating.
Why not the others?
B. Conclude that IT general controls are ineffective
✘ Premature without first assessing actual usage or impact.
C. Communicate risks to the application owner
✘ Important, but should follow a review of the account activity for context and severity.
D. Perform substantive testing of terminated users' access rights
✘ Useful later, but activity review takes priority to assess whether the risk materialized.
An auditor's job is to inform and detect and not necessarily to review the access (although that could be the next step). Answer C is the more correct answer for an auditor.
Which is more important? C, which helps enhance the awareness of the owner, or A, investigating further to detect malicious activity? I will go with A. C comes next.
Communicating the identified risks to the application owner is crucial for raising awareness and initiating corrective actions. The application owner needs to understand the potential security implications of not disabling terminated users' accounts, including unauthorized access to sensitive financial data and increased risk of security breaches. Once the risks are communicated, the application owner can take appropriate measures, such as disabling unused accounts and implementing better account management practices. After this step, performing a review of terminated users' account activity (option A) might be necessary to assess any potential unauthorized access or suspicious activities associated with those accounts.
Should communicate this finding to the app owner so appropriate controls can take place to mitigate the risk. Then, substantive testing can proceed if needed.
A. Performing substantive testing of terminated users' access rights won't be the action, since the question already says that the accounts were not disabled. That means they might have some sort of access. Performing a review of account activity in the first place would definitely provide a clear picture.
If an IS auditor discovers that many terminated users' accounts have not been disabled, the next step should be to review the account activity of those terminated users. This helps to determine if there has been any unauthorized access or fraudulent activities carried out using these accounts.
Perform substantive testing of terminated users' access rights: This step may be useful in understanding the extent of the problem, but the immediate concern is to review the account activity to determine if there has been any unauthorized access or fraudulent activities using the terminated users' accounts.