During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in
three areas-the initial setting of parameters is improperly installed, weak passwords are being used and some
vital reports are not being checked properly. While preparing the audit report, the IS auditor should:

A.
record the observations separately with the impact of each of them marked against each respective finding.

B.
advise the manager of probable risks without recording the observations, as the control weaknesses are
minor ones.

C.
record the observations and the risk arising from the collective weaknesses.

D.
apprise the departmental heads concerned with each observation and properly document it in the report.

Explanation:
Individually the weaknesses are minor; however, together they have the potential to substantially weaken the
overall control structure. Choices A and D reflect a failure on the part of an IS auditor to recognize the
combined affect of the control weakness. Advising the local manager without reporting the facts and
observations would conceal the findings from other stakeholders.