Which of the following would be most useful for an internal auditor to obtain during the preliminary survey of an engagement on internal controls over user access management?
A.
The policy for granting, modifying, and deleting user access to ensure processing requirements are clearly articulated.
B.
A sample of change request forms to verify whether the forms bear the required approval for the user access change.
C.
User access reports that were reviewed by management to ensure that access rights are appropriate for employee roles.
D.
A current listing of system users and an employee listing to determine whether system users are active employees of the organization.
A. The policy for granting, modifying, and deleting user access:Correct. Understanding the policy ensures the auditor knows the framework and controls in place.
B. A sample of change request forms:Useful for testing but not as foundational as reviewing the policy.
C. User access reports reviewed by management:This evaluates monitoring but does not establish a baseline understanding of controls.
D. A current listing of system users and employees:Important for reconciliation but secondary to understanding the control framework.
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit