A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged.
Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
A. B. C. D.C.
The correct answer to this question is option C, which involves using source code comparison software to determine whether any unauthorized changes have been made to a sample of programs since the last audit date.
Explanation:
In the given scenario, the company has implemented two control objectives to ensure that only authorized changes are made to production programs. First, all program change requests (PCRs) must be approved, and second, all modifications must be automatically logged. An IS auditor's task is to verify that these controls are working effectively and that no unauthorized changes have been made to the production programs.
Option A suggests reviewing a sample of PCRs for proper approval throughout the program change process. While this is a useful audit procedure to verify that PCRs are approved appropriately, it does not provide assurance that unauthorized changes have not been made to the production programs. A PCR could be approved but still result in an unauthorized change, or an unauthorized change could be made without going through the proper PCR process.
Option B proposes tracing a sample of program changes from the log to completed PCR forms. While this is another useful audit procedure, it is also limited in providing assurance that unauthorized changes have not been made. In this case, a change could have been authorized through the PCR process but not recorded in the log, or the log itself could have been tampered with to hide unauthorized changes.
Option D involves tracing a sample of complete PCR forms to the log of all program changes. This audit procedure is also limited in providing assurance that unauthorized changes have not been made. Again, a change could have been authorized through the PCR process but not recorded in the log, or the log itself could have been tampered with.
Option C, however, involves using source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date. This approach is more effective because it verifies whether any changes have been made to the actual code itself, rather than just relying on the approval or logging process. If any unauthorized changes are found, the auditor can investigate further to determine how they were made and take appropriate action.
Therefore, the most effective IS audit procedure in this scenario is to use source code comparison software to verify whether any unauthorized changes have been made to production programs since the last audit date.
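The comparison in option C, sketched as an added example (not part of the original question or taken from any specific audit tool): it diffs a sample of production programs against the copies retained at the last audit, then reconciles each changed program against approved PCRs. The program names, source lines and the PCR record fields (`id`, `program`, `approved`) are constructed assumptions.

```python
import difflib
import hashlib

# Constructed sample data: copies retained at the last audit vs. current production.
BASELINE = {
    "payroll.py": "rate = 0.20\npay = gross * (1 - rate)\n",
    "invoice.py": "total = qty * price\n",
    "ledger.py": "post(entry)\n",
}
PRODUCTION = {
    "payroll.py": "rate = 0.22\npay = gross * (1 - rate)\n",
    "invoice.py": "total = qty * price * 0.9\n",
    "ledger.py": "post(entry)\n",
}
# Constructed PCR records; the field names are hypothetical.
PCRS = [
    {"id": "PCR-0001", "program": "payroll.py", "approved": True},
    {"id": "PCR-0002", "program": "invoice.py", "approved": False},
]

def digest(source: str) -> str:
    """SHA-256 of the program text, used as a cheap equality check."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def compare_programs(baseline, production):
    """Return {program: unified diff lines} for each program that differs.

    Programs present on only one side are diffed against an empty file,
    so additions and deletions since the last audit are reported too.
    """
    changed = {}
    for name in sorted(set(baseline) | set(production)):
        old, new = baseline.get(name, ""), production.get(name, "")
        if digest(old) != digest(new):
            changed[name] = list(difflib.unified_diff(
                old.splitlines(), new.splitlines(),
                fromfile=f"baseline/{name}", tofile=f"production/{name}",
                lineterm=""))
    return changed

def unauthorized_changes(baseline, production, pcrs):
    """Changed programs with no approved PCR: candidates for investigation."""
    approved = {p["program"] for p in pcrs if p["approved"]}
    changed = compare_programs(baseline, production)
    return {n: d for n, d in changed.items() if n not in approved}

if __name__ == "__main__":
    for name, diff in unauthorized_changes(BASELINE, PRODUCTION, PCRS).items():
        print(f"No approved PCR for changed program: {name}")
        print("\n".join(diff))
```

A matching approved PCR only shows that a change was expected; the diff for that program still has to be read against what the PCR authorized.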