CISA - Certified Information Systems Auditor Change Management Controls Questions and Answers

Question 1

An IS auditor reviewing an organization's change management process discovers that emergency changes are not subject to the same testing and approval procedures as standard changes. Which of the following is the MOST important compensating control for the auditor to verify?

Accepted Answer

A post-implementation review of the emergency change is conducted to ensure it was properly implemented and documented.

Answer

While all other options are good controls, the most critical compensating control for bypassing standard testing and approval is a post-implementation review. This review verifies that the emergency change resolved the issue, was implemented correctly, did not introduce new vulnerabilities, and is fully documented after the fact.

Question 2

During a review of a software development project, an IS auditor is most concerned about the lack of segregation of duties. Which of the following scenarios represents the GREATEST risk?

Accepted Answer

A developer can migrate their own code from the development environment to the production environment.

Answer

This scenario presents the highest risk because it allows a developer to introduce unauthorized, untested, or malicious code directly into the live production environment without any independent oversight or testing. This bypasses critical controls and could lead to significant system failure, data breaches, or fraud.

Question 3

Which of the following is the PRIMARY objective of a rollback plan in the change management process?

Accepted Answer

To provide a quick recovery mechanism in case of a failed implementation.

Answer

The primary purpose of a rollback plan is to provide a tested and documented procedure for reverting a system to its previous stable state if a change implementation fails or causes unforeseen critical issues. This minimizes downtime and business impact.

Question 4

An IS auditor is evaluating the change management process for a critical financial application. To ensure the integrity of the production environment, the auditor should verify that:

Accepted Answer

access to migrate changes into production is restricted to an independent group.

Answer

Restricting access to migrate changes into the production environment to an independent group (e.g., a release management or operations team) is a fundamental control. This enforces segregation of duties, preventing developers from promoting their own, potentially flawed or unauthorized, code into the live environment.

Question 5

A small organization has limited IT staff, making strict segregation of duties within the change management process difficult. Which of the following is the BEST compensating control an IS auditor should recommend?

Accepted Answer

Conducting independent event log and activity monitoring.

Answer

When segregation of duties is not feasible, a strong compensating control is independent monitoring and review of activities. Regularly reviewing detailed event logs and user activity can detect unauthorized or improper changes made by staff who may have conflicting permissions.

CISA - Certified Information Systems Auditor Practice Test

CISA - Certified Information Systems Auditor Practice Test

CISA - Certified Information Systems Auditor Change Management Controls Questions and Answers