Chinmay Kulkarni has asked people on LinkedIn a question that appears to be from the ISACA Certified Information Systems Auditor (CISA) exam. He posted (I have included the current poll results, with 941 voting):
CISA Question 3
As an IS auditor, what is the FIRST step you will take upon identifying lack of segregation of duties [“SOD”] within the organization?
- Document as audit finding: 18%
- Implement SODs: 7%
- Review Compensating Controls: 46%
- Review Access Controls: 30%
I am not a CISA, although I could have “grandfathered” into it when ISACA first set up the CISA certification.
One of my problems with these exams is that I always question the question, and frequently think the available answers are wrong. (I was able to pass both the UK’s Chartered Accountancy and the US CPA exams.)
I have a problem with the available answers to this question.
1. Document as an audit finding
The auditor has “identified a lack of segregation of duties,” but:
- Has the auditor confirmed the facts with management?
- Does the auditor understand whether it matters? Where is the risk? Even if there is a deficiency, does the risk justify corrective action? If it does not, there is no “finding”.
- Does management already know? Have they assessed the risk and believe it is acceptable, given the cost, etc.?
- Are there other controls…
