What should be the primary concern if an IS auditor discovers a lack of segregation of duties?

The primary concern when an IS auditor discovers a lack of segregation of duties is to report the condition. Segregation of duties is a fundamental internal control that helps prevent fraud and errors by ensuring that no single individual has control over all aspects of any critical business process. When this control is absent, there is an increased risk of unauthorized actions, as an individual can both perform and approve tasks.

Reporting the condition is critical because it alerts management and the relevant stakeholders to the control weakness, enabling them to take necessary actions to mitigate risks. This communication is essential for risk management and ensuring the integrity of financial reporting and operational processes. It is often a prerequisite for any follow-up actions or recommendations to be made.

While implementing compensating controls, enhancing the auditing process, and recommending training are all important actions that could follow the discovery of such a deficiency, the immediate priority lies in reporting the risk so that it can be addressed promptly.