Hard · 1 mark · Multiple Choice
Area I: Information Systems · Change Management · Segregation of Duties · IT Audit

CPA · Question 02 · Area I: Information Systems

During a walkthrough of a client's change management process, the auditor notes that developers have write access to the production environment to facilitate quick hotfixes. The client argues that a code review tool logs all changes. Which of the following represents the MOST significant risk associated with this configuration?

Answer options:

A. The code review tool may not be compatible with the production server version.

B. Unauthorized or untested code could be deployed directly to production, bypassing established controls.

C. Developers might accidentally delete the transaction logs required for recovery.

D. The production environment performance will degrade due to development activities.

How to approach this question

Identify the Segregation of Duties (SoD) conflict. Developers write code; they should not deploy it. Identify the risk that arises when this barrier is removed.

Full Answer

B. Unauthorized or untested code could be deployed directly to production, bypassing established controls. ✓ Correct
Segregation of duties is a fundamental IT general control. Developers should work in development/test environments. Migration to production should be performed by a separate release manager or automated process after approval. Direct access allows bypassing these checks.

Common mistakes

Focusing on operational efficiency or logging rather than the preventive control failure.
