Exam IIA-CIA-Part3 Topic 6 Question 67 Discussion

Actual exam question for IIA's IIA-CIA-Part3 exam
Question #: 67
Topic #: 6
During an audit of the payroll system, the internal auditor identifies and documents the following condition:
"Once a user is logged into the system, the user has access to all functionality within the system." What is the most likely root cause for tins issue?

Suggested Answer: B Vote an answer

The issue described suggests a systemic authorization flaw, where users gain unrestricted access once logged in. This points to an improperly configured authorization system, which should enforce role-based or least-privilege access to restrict users based on their job responsibilities.
* (A) Incorrect - The authentication process relies on a simple password only, which is a weak method of authorization.
* While weak authentication is a security risk, the issue described relates to excessive access permissions, not weak login credentials.
* (B) Correct - The system authorization of the user does not correctly reflect the access rights intended.
* The problem is that users have access to all functionality, which indicates an authorization issue
, not an authentication flaw.
* Proper role-based access controls (RBAC) should limit user permissions based on job functions.
* (C) Incorrect - There was no periodic review to validate access rights.
* While periodic reviews are important for detecting unauthorized access, the issue here is a system-level authorization design flaw rather than a failure in periodic reviews.
* (D) Incorrect - The application owner apparently did not approve the access request during the provisioning process.
* Even if an access request was approved incorrectly, the broader issue remains that all users have unrestricted access, which suggests a system misconfiguration rather than a single provisioning error.
* IIA's GTAG (Global Technology Audit Guide) - Access Control and Authorization
* Emphasizes the need for role-based access control (RBAC) to prevent unauthorized access.
* COBIT Framework - IT Security Governance
* Discusses proper authorization mechanisms to align system access with business needs.
* NIST Cybersecurity Framework - Access Management Controls
* Recommends restricting access rights based on the principle of least privilege (PoLP).
Analysis of Answer Choices:IIA References and Internal Auditing Standards:

by Ronald at Oct 12, 2025, 10:58 PM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10