Medium · 1 mark · Multiple Choice
Area II: Security · Security Mitigation

CPA · Question 37 · Area II: Security

An auditor is reviewing the 'User Access Review' control. The policy states reviews happen quarterly. The auditor finds that for Q2, the review was signed off by the same person who has administrative rights to grant access. What is the risk?

Answer options:

A. The review was not timely.

B. Self-review threat/Lack of independence.

C. The sample size is too small.

D. Access was not revoked.

How to approach this question

Identify the conflict of interest.

Full Answer

B. Self-review threat/Lack of independence. ✓ Correct
Access reviews should be performed by someone independent of the access provisioning process or by the managers of the users, not the admin who grants the access.

Common mistakes

Focusing on the result rather than the control design flaw.
