During an implementation review of a multiuser distributed application, an IS auditor finds minor
weaknesses in three areas-the initial setting of parameters is improperly installed, weak
passwords are being used and some vital reports are not beingchecked properly. While preparing
the audit report, the IS auditor should:

A.
record the observations separately with the impact of each of them marked against each
respective finding.

B.
advise the manager of probable risks without recording the observations, as the control
weaknesses are minor ones.

C.
record the observations and the risk arising from the collective weaknesses.

D.
apprise the departmental heads concerned with each observation and properly document it in
the report.

Explanation:

Individually the weaknesses are minor; however, together they have the potential to substantially
weaken the overall control structure. Choices A and D reflect a failure on the part of an IS auditor
to recognize the combined affect of the control weakness. Advising the local manager without
reporting the facts and observations would conceal the findings from other stakeholders.