An organization has recently been downsized. In light of this, an IS auditor decides to test logical access controls. The IS auditor’s PRIMARY concern should be that:
A. all system access is authorized and appropriate for an individual’s role and responsibilities.
B. management has authorized appropriate access for all newly-hired individuals.
C. only the system administrator has authority to grant or modify access to individuals.
D. access authorization forms are used to grant or modify access to individuals.
Explanation:
The downsizing of an organization implies a large number of personnel actions over a relatively short period of time. Employees can be assigned new duties while retaining some or all of their former duties. Numerous employees may be laid off. The auditor should be concerned that an appropriate segregation of duties is maintained, that access is limited to what is required for an employee’s role and responsibilities, and that access is revoked for those who are no longer employed by the organization. Choices B, C and D are all potential concerns of an IS auditor, but in light of the particular risks associated with a downsizing, they should not be the primary concern.