Which of the following should concern an IS auditor when reviewing security in a client-server environment?