PrepAway - Latest Free Exam Questions & Answers

The IS auditor should:

An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated
within 90 days of termination. The IS auditor should:


A. report that the control is operating effectively since deactivation happens within the time frame
stated in the IS policy.

B. verify that user access rights have been granted on a need-to-have basis.

C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination.

D. recommend that activity logs of terminated users be reviewed on a regular basis.

Explanation:

Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to
review the adequacy and the appropriateness of the policy. If, in the opinion of the auditor, the
time frame defined for deactivation is inappropriate, the auditor needs to communicate this to
management and recommend changes to the policy. Though the deactivation happens as stated
in the policy, it cannot be concluded that the control is effective. Best practice would require that
the ID of a terminated user be deactivated immediately. Verifying that user access rights have
been granted on a need-to-have basis is necessary when permissions are granted.
Recommending that activity logs of terminated users be reviewed on a regular basis is a good
practice, but not as effective as deactivation upon termination.

