An auditor is reviewing the 'Change Management' logs and notices a change labeled 'Emergency Fix' that was deployed without prior testing in the staging environment. The policy allows this but requires 'Post-Implementation Review' within 24 hours. The auditor finds the review was completed 3 days later. What is the finding?

Answer options:

No finding, as the review was eventually completed.

Control deviation regarding timeliness of review.

Material weakness in the control environment.

The emergency fix should have been rejected.

How to approach this question

Compare Actual (3 days) vs Policy (24 hours).

Full Answer

B.Control deviation regarding timeliness of review.✓ Correct

The control explicitly requires review within 24 hours. Completing it in 3 days is a deviation from the documented policy. While the fix was reviewed, the control objective of *timely* detection of issues was not met.

Common mistakes

Ignoring the timing aspect because the task was eventually done.

Question 65 All questions Question 67

Practice the full CPA ISC Practice Exam 3

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud-based s...Medium Q02During a review of a client's cloud governance structure, an auditor notes that the client uses a...Medium Q03An auditor is evaluating the 'Processing Integrity' principle for a financial institution's loan ...Hard Q04A company uses a batch processing system to update inventory records overnight. The 'Grandfather-...Hard Q05During a walkthrough of the change management process, an auditor observes that the 'Developer' r...Medium

View all 82 questions →