An auditor is testing the 'Change Management' process. They select a sample of 30 changes. They find that 2 changes were deployed to production without the required 'User Acceptance Testing' (UAT) sign-off. The IT Manager explains these were 'Emergency Changes'. What should the auditor look for next?

Answer options:

Nothing, emergency changes do not require testing.

Evidence of retrospective approval and testing for the emergency changes.

A verbal confirmation from the developer.

The source code of the changes.

How to approach this question

Understand the Emergency Change procedure.

Full Answer

B.Evidence of retrospective approval and testing for the emergency changes.✓ Correct

Emergency change procedures usually allow deployment first, but require documentation and approval immediately after to ensure the change didn't introduce new risks.

Common mistakes

Assuming emergency changes are exempt from controls.

Question 49 All questions Question 51

Practice the full CPA ISC Practice Exam 2

82 questions · hints · full answers · grading

More questions from this exam

Q01A service organization provides a cloud-based payroll platform where clients access the software ...Medium Q02An auditor is reviewing the backup strategy for a financial institution that requires a Recovery ...Hard Q03During a walkthrough of the change management process, an auditor observes that developers have w...Medium Q04An auditor is reviewing a SQL query used to generate a list of active customers for a marketing c...Hard Q05Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?Medium

View all 82 questions →