PrepAway - Latest Free Exam Questions & Answers

Which of the following should the IS auditor recommend?

In a small organization, an employee performs computer operations and, when the situation
demands, program modifications. Which of the following should the IS auditor recommend?

A. Automated logging of changes to development libraries

B. Additional staff to provide separation of duties

C. Procedures that verify that only approved program changes are implemented

D. Access controls to prevent the operator from making program modifications

Explanation:

While strict separation of duties, with additional staff recruited as suggested in choice B, would
be preferred, this practice is not always possible in small organizations. An IS auditor must
therefore look at recommended alternative processes. Of the choices, C is the only practical
one that has an impact. An IS auditor should recommend processes that detect changes to
production source and object code, such as code comparisons, so that the changes can be reviewed
on a regular basis by a third party. This would be a compensating control process. Choice A,
which involves logging of changes to development libraries, would not detect changes to production
libraries. Choice D in effect requires a third party to make the changes, which may not be practical
in a small organization.

