If an IS auditor discovers that access reviews are not performed by a third-party IT service provider, what should be the auditor's action?

Study for the CISA Domain 1 Exam. Get ready with flashcards, multiple-choice questions, hints, and explanations. Prepare thoroughly for your audit and assurance certification!

The appropriate action for the auditor upon discovering that access reviews are not conducted by a third-party IT service provider is to report the issue to IT management. This step ensures that the organization's leadership is made aware of a significant control weakness in the management of user access rights, which is critical for maintaining information security and compliance.

By informing IT management, the auditor prompts the decision-makers to evaluate the risks associated with insufficient access controls. Management can then take appropriate actions, such as engaging with the service provider to rectify the situation, undertaking a risk assessment to understand the potential impacts, or implementing additional oversight mechanisms.

This approach aligns with the auditor's role in communicating findings that may affect the organization's risk and security posture, enabling the organization to focus on essential management decisions and improvements.
