In a small organization, where segregation of duties is not
practical, an employee performs the function of computer
operator and application programmer. Which of the following
controls should the IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes
are implemented
D. Access controls to prevent the operator from making
program modifications
Answer Posted / guest
Answer: C
In smaller organizations, it generally is not appropriate to
recruit additional staff to achieve a strict segregation of
duties. The IS auditor must look at alternatives. Of the
choices, C is the only practical one that has an impact. The
IS auditor should recommend processes that detect changes to
production source and object code, such as code comparisons
so that the changes can be reviewed by a third party on a
regular basis. This would be a compensating control process.
Choice A, involving logging of changes to development
libraries, would not detect changes to production libraries.
Choice D is in effect requiring a third party to do the
changes, which may not be practical in a small organization.
Is This Answer Correct ? | 8 Yes | 0 No |
Post New Answer View All Answers