What evidence should support a user access review?
A useful access review needs more than a sign-off. The auditor should look for the user listing reviewed, the review date, the reviewer, evidence of follow-up on exceptions, and support that the population was complete.
For example, if Lakeside Claims reviews access to its claims system, the evidence should show which users had access, which roles they held, whether terminated employees were removed, and whether incompatible duties were resolved. A checkbox without the user list and exception follow-up is weak evidence.
- Related article:
cpa-itgc-dependency-controls-map - Related QB item:
qb-cpa-terminated-user-access-risk
Master AUD with our CPA Course
86 lessons · 160+ hours· Expert instruction
Related Questions
How does the 80 percent control test work in a Section 351 transfer?
When do liabilities assumed trigger gain under Section 357?
How do I compute stock basis and corporate basis in a Section 351 transaction?
Do services in exchange for stock create ordinary income at corporate formation?
Why do CPA AUD transaction-cycle questions feel like FAR questions?
Related Articles
Join the Discussion
Ask questions and get expert answers.