An auditor is reviewing the 'Change Management' process. They find a change ticket labeled 'Emergency Fix' that was deployed to production without prior testing. The policy allows this if retrospective approval is granted within 24 hours. What is the auditor's primary concern?

Answer options:

Whether the ticket number was sequential.

Whether the retrospective approval was actually obtained and documented.

Whether the developer enjoyed their weekend.

Whether the fix improved performance.

How to approach this question

Emergency changes bypass standard controls. Therefore, the 'cleanup' (retro-approval) is the critical control to test.

Full Answer

B.Whether the retrospective approval was actually obtained and documented.✓ Correct

Emergency changes are necessary but risky. The standard control is retrospective review and approval to ensure the change was valid and didn't introduce new issues. The auditor must verify this step occurred.

Common mistakes

Thinking emergency changes are never allowed.

Question 53 All questions Question 55

Practice the full CPA ISC Practice Exam

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is performing a risk assessment for a client that uses a public cloud provider for its core...Hard Q02During a walkthrough of a client's change management process, the auditor notes that developers h...Hard Q03A service organization provides a real-time transaction processing platform. The service level ag...Hard Q04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...Hard Q05A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud dep...Hard

View all 82 questions →