ExpertMedium1 markMultiple Choice
CPA · Question 50 · Area I: Information Systems
An auditor is testing the 'Change Management' process. They select a sample of 30 changes. They find that 2 changes were deployed to production without the required 'User Acceptance Testing' (UAT) sign-off. The IT Manager explains these were 'Emergency Changes'. What should the auditor look for next?
An auditor is testing the 'Change Management' process. They select a sample of 30 changes. They find that 2 changes were deployed to production without the required 'User Acceptance Testing' (UAT) sign-off. The IT Manager explains these were 'Emergency Changes'. What should the auditor look for next?
Answer options:
A.
Nothing, emergency changes do not require testing.
B.
Evidence of retrospective approval and testing for the emergency changes.
C.
A verbal confirmation from the developer.
D.
The source code of the changes.
How to approach this question
Understand the Emergency Change procedure.
Full Answer
B.Evidence of retrospective approval and testing for the emergency changes.✓ Correct
Evidence of retrospective approval and testing for the emergency changes.
Emergency change procedures usually allow deployment first, but require documentation and approval immediately after to ensure the change didn't introduce new risks.
Common mistakes
Assuming emergency changes are exempt from controls.
Practice the full CPA ISC Practice Exam 2
82 questions · hints · full answers · grading
More questions from this exam
Q01A service organization provides a cloud-based payroll platform where clients access the software ...MediumQ02An auditor is reviewing the backup strategy for a financial institution that requires a Recovery ...HardQ03During a walkthrough of the change management process, an auditor observes that developers have w...MediumQ04An auditor is reviewing a SQL query used to generate a list of active customers for a marketing c...HardQ05Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?Medium