An IS auditor is reviewing the logical access controls for a financial application. The auditor notices that user access reviews are performed annually by the application owner, but there is no documentation indicating that managers confirm the continued need for access. Which of the following is the MOST significant risk associated with this finding?
- A
Unauthorized access to sensitive data due to excessive privileges
Without a manager confirming business need, users who have changed roles or left retain entitlements they no longer require (privilege creep). The application owner alone usually cannot judge whether a given user still needs access, so the annual review does not actually remove excess access, and the accumulated privileges can be used to reach sensitive financial data.
- B
Increased likelihood of successful social engineering attacks
Why wrong: Social engineering targets people, not stale entitlements; a gap in access recertification does not make phishing or pretexting more likely to succeed.
- C
Non-compliance with regulatory requirements for access controls
Why wrong: A compliance finding is possible, but it is a consequence of the control weakness; the risk that matters is users holding access beyond their need, which is what the regulation is trying to prevent.
- D
Inability to detect insider threats in a timely manner
Why wrong: Stale access does enlarge what an insider could misuse, but timely detection is a monitoring function; this finding concerns preventing excessive privileges, not detecting their use.
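As an added illustration of the control the finding describes (not part of the original question), the following script shows what a recertification check looks like when manager attestation is actually recorded. It joins an application's entitlement list against an HR roster and flags every entitlement a recertification should not let survive: the holder has left, the account has no HR owner, no manager has ever confirmed the need, or the last attestation is older than the review period. All records, names, role codes and the 365-day period are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    """One user-to-role grant in the financial application (constructed schema)."""
    user: str
    role: str
    granted: date
    manager_attested: Optional[date]  # None: no manager has ever confirmed the need


@dataclass(frozen=True)
class HrRecord:
    """HR roster entry used to establish the user's manager and employment status."""
    user: str
    manager: str
    status: str  # "active" or "terminated"


# Constructed sample data; not taken from any real system.
HR = [
    HrRecord("alice", "carol", "active"),
    HrRecord("bob", "carol", "terminated"),
    HrRecord("dave", "erin", "active"),
]

ENTITLEMENTS = [
    Entitlement("alice", "AP_APPROVER", date(2023, 1, 10), date(2024, 2, 1)),
    Entitlement("alice", "GL_POSTING", date(2022, 6, 1), None),
    Entitlement("bob", "AP_APPROVER", date(2021, 3, 5), date(2023, 1, 15)),
    Entitlement("dave", "READ_ONLY", date(2024, 3, 1), date(2024, 3, 1)),
    Entitlement("svc_legacy", "GL_POSTING", date(2019, 9, 9), None),
]

# Review date fixed so the example is deterministic.
TODAY = date(2025, 3, 1)


def find_stale_access(entitlements, hr_records, today, max_attest_age_days=365):
    """Return (user, role, reason) for each entitlement that fails recertification.

    Checks, in order: orphaned account (no HR record), holder no longer active,
    no manager attestation on file, attestation older than the review period.
    """
    hr_by_user = {r.user: r for r in hr_records}
    findings = []
    for e in entitlements:
        rec = hr_by_user.get(e.user)
        if rec is None:
            findings.append((e.user, e.role, "no HR record: orphaned account"))
        elif rec.status != "active":
            findings.append((e.user, e.role, f"holder is {rec.status}"))
        elif e.manager_attested is None:
            findings.append((e.user, e.role, "never attested by manager"))
        else:
            age = (today - e.manager_attested).days
            if age > max_attest_age_days:
                findings.append((e.user, e.role, f"attestation stale ({age} days)"))
    return findings


def attestation_queue(findings, hr_records):
    """Group findings by the responsible manager so each gets one review packet.

    Orphaned accounts have no manager and are routed to the application owner.
    """
    hr_by_user = {r.user: r for r in hr_records}
    queue = {}
    for user, role, reason in findings:
        rec = hr_by_user.get(user)
        owner = rec.manager if rec else "application_owner"
        queue.setdefault(owner, []).append((user, role, reason))
    return queue


if __name__ == "__main__":
    for owner, items in attestation_queue(find_stale_access(ENTITLEMENTS, HR, TODAY), HR).items():
        print(f"== review packet for {owner} ==")
        for user, role, reason in items:
            print(f"  {user:<12} {role:<12} {reason}")
```

The point of the manager grouping is the one the finding turns on: the application owner can run the comparison, but only the line manager can answer "does this person still need this role", so the output is organised around who must attest, and anything with no attestation on record is treated as unconfirmed rather than assumed valid.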