Exam IIA-CIA-Part3 Topic 6 Question 67 Discussion
Actual exam question for IIA's IIA-CIA-Part3 exam
Question #: 67
Topic #: 6
Question #: 67
Topic #: 6
During an audit of the payroll system, the internal auditor identifies and documents the following condition:
"Once a user is logged into the system, the user has access to all functionality within the system." What is the most likely root cause for tins issue?
"Once a user is logged into the system, the user has access to all functionality within the system." What is the most likely root cause for tins issue?
Suggested Answer: B Vote an answer
The issue described suggests a systemic authorization flaw, where users gain unrestricted access once logged in. This points to an improperly configured authorization system, which should enforce role-based or least-privilege access to restrict users based on their job responsibilities.
* (A) Incorrect - The authentication process relies on a simple password only, which is a weak method of authorization.
* While weak authentication is a security risk, the issue described relates to excessive access permissions, not weak login credentials.
* (B) Correct - The system authorization of the user does not correctly reflect the access rights intended.
* The problem is that users have access to all functionality, which indicates an authorization issue
, not an authentication flaw.
* Proper role-based access controls (RBAC) should limit user permissions based on job functions.
* (C) Incorrect - There was no periodic review to validate access rights.
* While periodic reviews are important for detecting unauthorized access, the issue here is a system-level authorization design flaw rather than a failure in periodic reviews.
* (D) Incorrect - The application owner apparently did not approve the access request during the provisioning process.
* Even if an access request was approved incorrectly, the broader issue remains that all users have unrestricted access, which suggests a system misconfiguration rather than a single provisioning error.
* IIA's GTAG (Global Technology Audit Guide) - Access Control and Authorization
* Emphasizes the need for role-based access control (RBAC) to prevent unauthorized access.
* COBIT Framework - IT Security Governance
* Discusses proper authorization mechanisms to align system access with business needs.
* NIST Cybersecurity Framework - Access Management Controls
* Recommends restricting access rights based on the principle of least privilege (PoLP).
Analysis of Answer Choices:IIA References and Internal Auditing Standards:
* (A) Incorrect - The authentication process relies on a simple password only, which is a weak method of authorization.
* While weak authentication is a security risk, the issue described relates to excessive access permissions, not weak login credentials.
* (B) Correct - The system authorization of the user does not correctly reflect the access rights intended.
* The problem is that users have access to all functionality, which indicates an authorization issue
, not an authentication flaw.
* Proper role-based access controls (RBAC) should limit user permissions based on job functions.
* (C) Incorrect - There was no periodic review to validate access rights.
* While periodic reviews are important for detecting unauthorized access, the issue here is a system-level authorization design flaw rather than a failure in periodic reviews.
* (D) Incorrect - The application owner apparently did not approve the access request during the provisioning process.
* Even if an access request was approved incorrectly, the broader issue remains that all users have unrestricted access, which suggests a system misconfiguration rather than a single provisioning error.
* IIA's GTAG (Global Technology Audit Guide) - Access Control and Authorization
* Emphasizes the need for role-based access control (RBAC) to prevent unauthorized access.
* COBIT Framework - IT Security Governance
* Discusses proper authorization mechanisms to align system access with business needs.
* NIST Cybersecurity Framework - Access Management Controls
* Recommends restricting access rights based on the principle of least privilege (PoLP).
Analysis of Answer Choices:IIA References and Internal Auditing Standards:
by Ronald at Oct 12, 2025, 10:58 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).