What should an IS auditor do if they note that the daily reconciliation of visitor access card inventory is not aligned with procedures?

Reporting the lack of daily reconciliations is essential for several reasons. First, the primary responsibility of an IS auditor is to ensure that information systems are operating effectively and securely. The daily reconciliation of visitor access card inventory is a key control that helps identify any discrepancies or unauthorized access, thus maintaining the integrity of security measures in place.

When the reconciliation process deviates from established procedures, it potentially exposes the organization to security risks, such as fraud or unauthorized access. By reporting this lack of compliance, the auditor ensures that management is aware of the issue and can take corrective actions to mitigate any associated risks.

Moreover, reporting such discrepancies fosters accountability within the organization and encourages adherence to established procedures, thereby strengthening the overall control environment. It's a proactive approach to enhance security measures and compliance with organizational policies.

While suggesting regular physical inventory counts or a more secure access system could possibly address the issue, the immediate and crucial step is to make the appropriate stakeholders aware of the failure to follow established reconciliation procedures. This ensures that the organization can address any weaknesses in its access management controls effectively.