CISA • Practice Test 36
Free CISA practice test — 15 questions with explanations. Set 36.
An IS auditor is auditing the user access management process for a large healthcare organization that uses an electronic health records (EHR) system. The organization has 5,000 users including doctors, nurses, and administrative staff. The auditor reviews a sample of access requests and finds that 20% of the requests were approved by the user's manager but the approval was not documented in the system. The auditor also finds that there is no periodic review of user access rights. The IT security manager states that users are automatically provisioned based on their role in the HR system, and that access reviews are performed manually by managers but not documented. What is the auditor's BEST recommendation to address the most significant risk?