Medium · 1 mark · Multiple Choice
CPA · Question 42 · Area III: SOC Engagements
An auditor is testing the 'Logical Access' domain. They find that a terminated employee's account remained active for 3 weeks after departure. The policy requires removal within 24 hours. This is an example of:
Answer options:
A. A design deficiency.
B. A control deviation.
C. A material weakness.
D. Inherent risk.
How to approach this question
Distinguish between Design (Policy) and Operation (Execution).
Full Answer
B. A control deviation. ✓ Correct
A deviation occurs when the control is not applied as prescribed. It indicates an operating effectiveness issue.
Common mistakes
Calling it a design deficiency (the design was 24h removal, which is good).
Practice the full CPA ISC Practice Exam 2