When an employee is terminated for fraudulent activity, the first priority is to immediately prevent further unauthorized or malicious activity. ISACA guidance states that terminated employees’ access rights should be removed promptly and that effective controls must ensure they lose system access at termination. This makes disabling logical access the most immediate and appropriate first step.
Option C is correct because logical access allows the former employee to continue using systems, data, email, applications, or remote connections. If access is not disabled immediately, the organization remains exposed to sabotage, data theft, fraud continuation, or destruction of evidence. ISACA sources explicitly state that terminated employees should lose all access rights and that access restriction should occur immediately after departure.
Option A may be necessary as part of a fraud investigation, but it is not the first step. Reviewing approved transactions is investigative and retrospective; the organization must first contain the risk by cutting off access. In CISA exam logic, immediate risk containment generally comes before investigation.
Option B may also be appropriate from a physical security and HR perspective, especially if there is concern about confrontation or physical removal. However, from an IT audit and information security perspective, the most urgent action is disabling logical access because damage can occur remotely and instantly if access remains active.
Option D can be relevant for preserving evidence, but it still does not come before access removal. Evidence preservation is important, yet the first control priority is to stop ongoing access and prevent further compromise.
Therefore, the best answer is C because immediate revocation of system access is the first and most critical action when terminating an employee for fraudulent activity.
References (Official ISACA):
ISACA Journal, Mitigating IT Risks for Logical Access — effective controls should ensure terminated employees lose all access rights.
ISACA, Secure Management of Former Employee Data: A Practical Approach — “Immediate Access Restriction” as step 1 after employee departure.
ISACA Journal, What Every CISO Must Know About SSH Keys — access should be terminated when no longer needed.