Application testing cases - describe possible insecure direct object access issues.
Does the application display object references (e.g. acct=100001) in the URL?
Can a user access other application functions for which they are not authorized?
Are administrative functions directly accessible via direct URI reference?
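The three checks above in code, as an added example that is not part of the original checklist: an account handler that trusts the `acct` reference in the URL beside a hardened version that enforces ownership, and a route guard that authorizes admin URIs on every request. Users, account numbers and the `Request` type are constructed for the example.

```python
# Added example (not from the original page). Accounts, users and the Request
# type are constructed here so the block runs stand-alone.
from dataclasses import dataclass

ACCOUNTS = {
    100001: {"owner": "alice", "balance": 250.0},
    100002: {"owner": "bob", "balance": 9100.0},
}
ADMIN_USERS = {"carol"}


@dataclass
class Request:
    user: str      # authenticated principal taken from the session, never the URL
    path: str      # request path, e.g. "/admin/users"
    params: dict   # parsed query string, e.g. {"acct": "100002"}


class Forbidden(Exception):
    pass


def view_account_insecure(req):
    """Vulnerable: the acct parameter in the URL is the only thing selecting
    the record, so any authenticated user can read any account (IDOR)."""
    return ACCOUNTS[int(req.params["acct"])]


def view_account_secure(req):
    """Hardened: load the record, then check that the session principal owns
    it. Missing and foreign accounts get the same answer, so nothing leaks."""
    acct = int(req.params["acct"])
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != req.user:
        raise Forbidden(f"user {req.user} may not access account {acct}")
    return record


def dispatch(req):
    """Route guard: admin URIs are authorized server-side on every request, so
    hiding the link in the UI is not what protects the function."""
    if req.path.startswith("/admin/") and req.user not in ADMIN_USERS:
        raise Forbidden(f"{req.path} requires an administrator")
    if req.path == "/account":
        return view_account_secure(req)
    if req.path == "/admin/users":
        return sorted(ADMIN_USERS | {r["owner"] for r in ACCOUNTS.values()})
    raise KeyError(req.path)
```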