Which of the following should be of concern to an IS auditor performing a software audit on virtual machines?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
Virtual machines (VMs) are software-based emulations of computer systems that enable multiple operating systems and applications to run on a single physical host machine. A software audit on virtual machines is an assessment of the software installed on the VMs to ensure that it is properly licensed, secure, and functioning as intended.
Out of the options provided, the concern that an IS auditor performing a software audit on virtual machines is most likely to have is option A: "Software licensing does not support virtual machines." This concern arises because some software vendors may have licensing agreements that do not support the use of their software on virtual machines or may require specific virtualization technology or licensing models that need to be adhered to. As a result, if an organization is not compliant with these licensing agreements, it may be liable for legal penalties or fines. Therefore, the IS auditor must ensure that the software installed on the VMs is licensed correctly and in accordance with the vendor's agreements.
Option B: "Software has been installed on virtual machines by privileged users," is also a concern for IS auditors. Privileged users, such as system administrators or network engineers, have access to the VMs and can install software without proper authorization or documentation, which could result in software vulnerabilities, compatibility issues, or license violations. The auditor must ensure that only authorized personnel install software on the VMs and maintain proper documentation.
Option C: "Multiple users can access critical applications," is a general concern for any software audit, and it is not specific to virtual machines. However, in a virtualized environment, multiple users can access the same VM simultaneously, which increases the risk of unauthorized access, data breaches, or malware infections. Therefore, the auditor must ensure that the access controls and security mechanisms are properly configured to prevent unauthorized access.
Option D: "Applications have not been approved by the CFO," is a management concern rather than an audit concern. The CFO's approval is essential for budgeting and financial planning, but it is not related to the audit objective of assessing the software installed on virtual machines. Nonetheless, the IS auditor must verify that the software installed on the VMs is authorized and complies with the organization's policies and procedures.
In conclusion, an IS auditor performing a software audit on virtual machines must be concerned about software licensing agreements that may not support virtual machines, unauthorized software installation by privileged users, and inadequate access controls that can expose critical applications to multiple users.