Hi, I'm reviewing access controls for a list of applications and some of the app owners claim they don't have human users. Is there a way to validate that? What procedures and evidence would give an auditor a good level of assurance that the app indeed has no users? Thanks.
P.S. I'm not talking about OS level accounts, only app layer accounts.