A company uses a 'Continuous Integration/Continuous Deployment' (CI/CD) pipeline. An auditor notes that code is automatically deployed to production after passing automated tests. What is the most appropriate compensating control to look for?

Answer options:

Manual approval by the CEO for every deployment.

Automated code scanning and peer review enforcement in the repository before merge.

Removing the automated tests.

Granting developers access to production logs.

How to approach this question

In modern DevOps, controls shift 'left' (earlier in the process).

Full Answer

B.Automated code scanning and peer review enforcement in the repository before merge.✓ Correct

Automated code scanning and peer review enforcement in the repository before merge.

In CI/CD, the control point moves to the 'Pull Request' or 'Merge' stage. Requiring peer reviews and passing automated security scans before code can be merged into the main branch acts as the approval gate.

Common mistakes

Looking for traditional manual change advisory boards in a DevOps environment.

Question 20 All questions Question 22

Practice the full CPA ISC Practice Exam 5

82 questions · hints · full answers · grading

More questions from this exam

Q01A service organization provides a cloud-based payroll processing application to its user entities...Medium Q02An auditor is reviewing the shared responsibility model for a client using an Infrastructure as a...Hard Q03A financial institution requires a cloud deployment model that offers the highest level of contro...Medium Q04During an IT audit, you observe that a company uses a 'Hybrid Cloud' architecture. Which scenario...Medium Q05Which component of IT architecture is primarily responsible for translating domain names (like ww...Easy

View all 82 questions →