Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
Reviewing a report of security rights in the system allows for a systematic and comprehensive approach to identifying segregation of duties violations. By analyzing the roles, permissions, and access rights assigned to different users or user groups, one can quickly pinpoint any conflicts in authorization assignments. This method is efficient in providing immediate insights without requiring extensive manual processes or development of new systems.
Why not C? Developing a system takes time; it may not be the most efficient.
While developing a process (option B) to identify authorization conflicts can be valuable in the long term, it requires more time and effort initially to define the criteria, implement monitoring mechanisms, and ensure ongoing compliance. In contrast, reviewing a security rights report provides immediate insights into segregation of duties issues present in the system. Therefore, option C is the most efficient way for an IS auditor to identify segregation of duties violations in a new system.
C is more appropriate.
C. Review a report of security rights in the system. Reviewing a report of security rights in the system allows the auditor to quickly identify any conflicts in authorization assignments. By analyzing the roles, permissions, and access rights assigned to different users or user groups, the auditor can assess whether there are any instances where conflicting duties are assigned to the same individual. This method provides a systematic and comprehensive approach to identifying SoD violations without the need for extensive manual observation or analysis.
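As an added illustration of the review method the comment above describes (this is example code, not part of the discussion or any exam material), the script below takes a constructed security-rights report, resolves each account's effective roles (direct assignments plus roles inherited through group membership), and checks every pair of held roles against a constructed segregation-of-duties conflict matrix. The role names, group names, accounts and conflict pairs are all assumptions made up for the example.

```python
"""Flag segregation-of-duties conflicts from a security-rights report.

Constructed example: the report lists each account's directly assigned roles
and group memberships; groups carry roles too, so effective rights are
resolved before the conflict matrix is applied.
"""
from itertools import combinations

# Constructed SoD conflict matrix: pairs of roles one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_admin", "payment_approve"}),
}

# Constructed group -> roles mapping, as an IAM export might provide it.
GROUP_ROLES = {
    "ap_clerks": {"vendor_create", "invoice_enter"},
    "ap_managers": {"payment_approve"},
    "gl_accountants": {"journal_post"},
}

# Constructed security-rights report: account -> (direct roles, groups).
SECURITY_RIGHTS_REPORT = {
    "alice": ({"journal_approve"}, {"gl_accountants"}),
    "bob":   (set(), {"ap_clerks", "ap_managers"}),
    "carol": ({"invoice_enter"}, {"ap_clerks"}),
    "dave":  ({"user_admin"}, set()),
}


def effective_roles(direct, groups, group_roles):
    """Union of directly assigned roles and roles inherited from groups."""
    roles = set(direct)
    for group in groups:
        roles |= group_roles.get(group, set())
    return roles


def find_sod_violations(report, group_roles, conflicts):
    """Return sorted (account, role_a, role_b) tuples for each conflicting pair held.

    Inherited roles are included, which is where SoD conflicts often hide:
    neither group looks wrong on its own, but the combination does.
    """
    violations = []
    for account, (direct, groups) in report.items():
        held = effective_roles(direct, groups, group_roles)
        for role_a, role_b in combinations(sorted(held), 2):
            if frozenset({role_a, role_b}) in conflicts:
                violations.append((account, role_a, role_b))
    return sorted(violations)


if __name__ == "__main__":
    for account, role_a, role_b in find_sod_violations(
        SECURITY_RIGHTS_REPORT, GROUP_ROLES, SOD_CONFLICTS
    ):
        print(f"SoD violation: {account} holds both {role_a!r} and {role_b!r}")
```

In the constructed data, bob's conflict only appears once group roles are resolved (ap_clerks grants vendor_create, ap_managers grants payment_approve), which is why an auditor's review of the rights report needs the group-to-role mapping as well as the user-to-group list.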
system would be voluminous and time consuming to review; therefore, this technique is not as effective as building a program. As complexities increase, it becomes more difficult to verify the effectiveness of the systems, and complexity is not, in itself, a link to segregation of duties. It is good practice to review recent access rights violation cases; however, it may require a significant amount of time to truly identify which violations actually resulted from an inappropriate segregation of duties.