PrepAway - Latest Free Exam Questions & Answers

The IS auditor should:

An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of
termination. The IS auditor should:

A. report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy.

B. verify that user access rights have been granted on a need-to-have basis.

C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination.

D. recommend that activity logs of terminated users be reviewed on a regular basis.

Explanation:
Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the
adequacy and the appropriateness of the policy. If, in the opinion of the auditor, the time frame defined for
deactivation is inappropriate, the auditor needs to communicate this to management and recommend changes
to the policy. Though the deactivation happens as stated in the policy, it cannot be concluded that the control is
effective. Best practice would require that the ID of a terminated user be deactivated immediately. Verifying that
user access rights have been granted on a need-to-have basis is necessary when permissions are granted.
Recommending that activity logs of terminated users be reviewed on a regular basis is a good practice, but not
as effective as deactivation upon termination.

