An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?
A. Obtain a verbal confirmation from IT for this exemption.
B. Review the list of end users and evaluate for authorization.
C. Report this control process weakness to senior management.
D. Verify management's approval for this exemption.
This is C. Nowhere in the question does it state they have an exemption for this, it just isn't happening. If it should be happening and it isn't, what do you do? You take it to management to notify them.
Yes, the auditor can verify with management, but first review the list of users and their access to have a better understanding of the situation. I think approval from management should be after performing B.
The classification of data based on access authorizations is the responsibility of the data owner. So the next step is to first check this regular process, i.e. A. Additional involvement of the management of the organizational structure may or may not have been defined by the data owner when defining the authorization process in coordination with the security officer. I therefore rule out D. as the next step.
Before escalating the issue to senior management, it's essential for the IS auditor to confirm whether there's a valid reason for the exemption from periodic reviews of read-only users. Management's approval is necessary to ensure that the exemption is authorized and documented appropriately. By verifying management's approval, the auditor can understand the rationale behind the exemption and assess its compliance with organizational policies and standards. If management approval cannot be obtained or if the exemption is not justified, the auditor may need to report the control process weakness to senior management (option C) for further action. However, the initial step should be to confirm the legitimacy of the exemption through verifying management's approval.
Option B, "Review the list of end users and evaluate for authorization," could be considered as a potential course of action, but it's not the immediate next step.