PrepAway - Latest Free Exam Questions & Answers

What should the IS auditor do next?

During an audit of the logical access control of an ERP financial system, an IS auditor found some
user accounts shared by multiple individuals. The user IDs were based on roles rather than
individual identities. These accounts allow access to financial transactions on the ERP. What
should the IS auditor do next?

A. Look for compensating controls.

B. Review financial transaction logs.

C. Review the scope of the audit.

D. Ask the administrator to disable these accounts.

Explanation:
The best logical access control practice is to create a user ID for each individual in order to establish
accountability. This is possible only by maintaining a one-to-one relationship between IDs and
individuals. However, if the user IDs have been created based on role designations, an IS auditor should
first understand the reasons for this and then evaluate the effectiveness and efficiency of the compensating
controls. Reviewing transaction logs is not relevant to an audit of logical access control, nor is
reviewing the scope of the audit relevant. Asking the administrator to disable the shared accounts
should not be recommended by an IS auditor before understanding the reasons and evaluating the
compensating controls. It is not an IS auditor's responsibility to ask for accounts to be disabled during
an audit.
