ExpertHard1 markMultiple Choice
CPA · Question 30 · Area I: Information Systems
An auditor is reviewing the 'Change Management' process. They observe that emergency changes are allowed to bypass the standard testing phase to restore service quickly. What is the compensating control that MUST be in place for this process to be acceptable?
An auditor is reviewing the 'Change Management' process. They observe that emergency changes are allowed to bypass the standard testing phase to restore service quickly. What is the compensating control that MUST be in place for this process to be acceptable?
Answer options:
A.
Pre-approval by the CEO.
B.
Post-implementation review and retrospective approval
C.
No control is needed for emergencies.
D.
The developer must have admin access permanently.
How to approach this question
Emergency = Do it now, check it later. The 'check it later' is the control.
Full Answer
B.Post-implementation review and retrospective approval✓ Correct
Post-implementation review and retrospective approval
Emergency changes often bypass standard testing to restore service (Availability). To mitigate the risk of bad code or fraud, a rigorous post-implementation review and formal retrospective approval are required.
Common mistakes
Thinking emergency changes don't need controls.
Practice the full CPA ISC Practice Exam 4
82 questions · hints · full answers · grading
More questions from this exam
Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...HardQ02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...HardQ03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...HardQ04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...HardQ05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard