The Best Evidence for Auditing Employee Access in a Financial System

When an Information Systems (IS) auditor reviews employee access to a large financial system, selecting the most reliable evidence is essential to ensure accuracy and compliance. The goal is to verify that employees have appropriate access based on their roles and identify any unauthorized access. Among the available options, the most reliable source is a system-generated list of accounts with access levels (Option C).

Why System-Generated Reports Are the Best Evidence

A system-generated access list provides a real-time, accurate snapshot of user access. Since the list is pulled directly from the system, it eliminates the risk of human error, outdated records, or manipulation. Auditors can compare it against approved access levels to quickly spot discrepancies.

Evaluating Other Evidence Options

  1. Spreadsheets from the System Administrator (Option A)
  2. HR Access Documents Signed by Managers (Option B)
  3. Onsite Observations with a System Administrator (Option D)

Why System-Generated Reports Are the Best Choice (Option C)

  • They provide a direct, objective record of actual access rights.
  • They eliminate concerns about human error or outdated information.
  • They are efficient and easy to compare against authorization records to identify inconsistencies.
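The comparison described above, as an added example that is not part of the original article: a reconciliation of a system-generated access export against the approved-access register. The CSV column names, the sample accounts and the read/write/admin ordering are constructed assumptions, not taken from any particular financial system.

```python
import csv
import io

# Constructed sample data: a system-generated export and the approved-access register.
SYSTEM_EXPORT = """account,access_level,status
jdoe,read,active
asmith,admin,active
bnguyen,write,active
svc_batch,admin,active
kpatel,write,disabled
"""
APPROVED = """account,approved_level
jdoe,read
asmith,write
bnguyen,write
kpatel,write
mlee,read
"""
# Assumed ordering of access levels, lowest to highest.
RANK = {"read": 1, "write": 2, "admin": 3}


def load(text, key="account"):
    """Index CSV rows by normalised account name."""
    return {r[key].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(system_csv, approved_csv):
    """Return sorted (account, finding) pairs where actual access deviates from approval."""
    actual, approved = load(system_csv), load(approved_csv)
    findings = []
    for acct, row in actual.items():
        if row["status"].strip().lower() != "active":
            continue  # disabled accounts grant no access
        level = row["access_level"].strip().lower()
        if acct not in approved:
            findings.append((acct, f"no approval on file (has {level})"))
            continue
        ok = approved[acct]["approved_level"].strip().lower()
        # An unrecognised level in the export is treated as highest, so it is always flagged.
        if RANK.get(level, 99) > RANK.get(ok, 0):
            findings.append((acct, f"exceeds approval ({level} > {ok})"))
    for acct in approved.keys() - actual.keys():
        findings.append((acct, "approved but no account in system"))
    return sorted(findings)


if __name__ == "__main__":
    for acct, finding in reconcile(SYSTEM_EXPORT, APPROVED):
        print(f"{acct}: {finding}")
```

Each finding is a starting point for follow-up with the access owner; the register entry with no matching account (`mlee` in the sample) is worth checking for a naming mismatch before it is dismissed.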

How This Aligns with IS Audit Best Practices

Relying on system-generated reports supports a risk-based audit approach, ensuring the use of the most accurate and verifiable evidence. This aligns with professional IS auditing standards, particularly in the Information Systems Auditing Process.

Final Thoughts

For an IS auditor reviewing employee access to a financial system, system-generated reports (Option C) are the best evidence. They provide a real-time, objective view of user access, making it easier to detect unauthorized activity and ensure compliance. While other forms of evidence can support the audit, data directly from the system is the most reliable.
