An IS auditor finds that a DBA has read and write access to production datA. The IS auditor should:
accept the DBA access as a common practice.
assess the controls relevant to the DBA function.
recommend the immediate revocation of the DBA access to production data.
review user access authorizations approved by the DBA.
It is good practice when finding a potential exposure to look for the best controls. Though granting
the database administrator (DBA) access to production data might be a common practice, the IS
auditor should evaluate the relevant controls. The DBAshould have access based on a need-toknow and need-to-do basis; therefore, revocation may remove the access required. The DBA,
typically, may need to have access to some production datA. Granting user authorizations is the
responsibility of the dataowner and not the DBA.