What is the most appropriate action for an IS auditor upon discovering shared user accounts?

The most appropriate action for an IS auditor upon discovering shared user accounts is to document the finding and explain the risk of using shared IDs. This approach is crucial because shared user accounts can pose significant security risks, including the inability to properly track user activities, which complicates accountability and may lead to potential security incidents or breaches.

By documenting this finding, the auditor provides a clear record of the issue, which can be essential for both current risk assessments and future audits. Further, explaining the risks associated with shared IDs helps to educate stakeholders about the potential vulnerabilities inherent in the practice, such as unauthorized access, difficulty in identifying the responsible party in case of misuse, and compliance challenges with data protection regulations.

The auditor’s role includes not only identifying issues but also providing insights that can lead to improved security practices. While informing the audit committee, reviewing audit logs, or requesting account removals may be part of a broader response, the primary action should focus on documentation and risk communication to ensure that the organization understands the implications of shared user accounts and can take appropriate corrective actions.