I’m not sure why, but sometimes deleting an ACL table or two covers a multitude of sins, errors, or just plain weird behavior.
No, I don’t get any error messages. That’s the strange part.
I’m talking about strange ACL behavior that you can’t troubleshoot by reviewing the log.
Always test the test plan and make sure it actually tests the control or risk being assessed. And make sure the tester (especially when you are observing the tester rather than performing the test yourself) actually follows the test plan.
During a segregation of duties (SOD) test for an expense report approval system, an auditor was observing a client perform a test. The client was supposed to enter his user ID into the Approver field to demonstrate that he could not approve his own expense report.
Filed under Audit
Tagged as auditor, duties, duty, error message, expense report, failure, gain confidence, lowercase, plan, segregation, SOD, test, trick, uppercase