You are conducting an account management review. Which of the following is not a good practice? (Wentz QOTD)
A. Select all accounts for review
B. Assess the list of carefully selected accounts by system administrators
C. Verify former employees’ accounts
D. Review the paper trail or records for specific accounts
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Assess the list of carefully selected accounts by system administrators.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Assessing a list of accounts that was carefully selected by the auditee (here, the system administrators) can be biased. The selection of accounts should be determined by the auditor, based on an audit sampling principle or standard.
Selecting all accounts for review is not uncommon. When the population (the entire set of data from which a sample is drawn) is small, it is appropriate for auditors to examine 100% of it.
Verifying former employees’ accounts and reviewing the paper trail or records for specific accounts are common practices.
However, “the use of sampling is widely adopted in auditing because it offers the opportunity for the auditor to obtain the minimum amount of audit evidence, which is both sufficient and appropriate, in order to form valid conclusions on the population.” (ACCA Global)
The definition of audit sampling is: “The application of audit procedures to less than 100% of items within a population of audit relevance such that all sampling units have a chance of selection in order to provide the auditor with a reasonable basis on which to draw conclusions about the entire population.” (ISA 530)
Sampling can be statistical or nonstatistical. According to The Institute of Internal Auditors, “statistical sampling (e.g., random and systematic) involves the use of techniques from which mathematically constructed conclusions regarding the population can be drawn. Nonstatistical sampling is an approach used by the auditor who wants to use his or her own experience and knowledge to determine the sample size. Nonstatistical sampling (e.g., judgmental) may not be based objectively and, thus, results of a sample may not be mathematically supportable when extrapolated over the population. That is, the sample may be subject to bias and not representative of the population. The purpose of the test, efficiency, business characteristics, inherent risks, and impacts of the outputs are common considerations the auditor will use to guide the sampling approach. Nonstatistical sampling may be used when results are needed quickly and needed to confirm a condition rather than being needed to project the mathematical accuracy of the conclusions.”
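A sketch of auditor-driven account selection as discussed above, added here as an illustration and not part of the original post. The function names, the 25-account full-review threshold and the sample data are assumptions made for the example.

```python
import random

FULL_REVIEW_THRESHOLD = 25  # assumed cut-off for a "small" population; set it in the audit plan


def select_accounts(population, sample_size, method="random", seed=None):
    """Auditor-side selection in which every account has a chance of being chosen."""
    accounts = sorted(set(population))   # fixed order, independent of the auditee's export order
    n = len(accounts)
    if n <= FULL_REVIEW_THRESHOLD or sample_size >= n:
        return accounts                  # small population: examine 100% of it
    rng = random.Random(seed)            # record the seed so the selection can be re-performed
    if method == "random":
        return sorted(rng.sample(accounts, sample_size))
    if method == "systematic":
        step = n / sample_size           # fractional interval keeps the tail of the list reachable
        start = rng.random() * step      # random start inside the first interval
        picks = [min(int(start + k * step), n - 1) for k in range(sample_size)]
        return [accounts[i] for i in picks]
    raise ValueError(f"unknown sampling method: {method}")


def stale_leaver_accounts(accounts, former_employees):
    """Accounts that are still enabled although the owner is on the leaver list."""
    return sorted(a["id"] for a in accounts
                  if a["enabled"] and a["owner"] in former_employees)


# Constructed sample data: 200 accounts, every seventh one already disabled.
ACCOUNTS = [{"id": f"acct{i:03d}", "owner": f"emp{i:03d}", "enabled": i % 7 != 0}
            for i in range(200)]
FORMER_EMPLOYEES = {"emp003", "emp014", "emp050"}  # constructed leaver list

if __name__ == "__main__":
    ids = [a["id"] for a in ACCOUNTS]
    print("random sample:    ", select_accounts(ids, 20, "random", seed=2024))
    print("systematic sample:", select_accounts(ids, 20, "systematic", seed=2024))
    print("enabled leavers:  ", stale_leaver_accounts(ACCOUNTS, FORMER_EMPLOYEES))
```

The leaver check runs over the whole population rather than the sample, since verifying former employees' accounts is a targeted test, not a projection.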