Certified Information Systems Auditor (CISA) — Question 1310

An IS auditor noted that a change to a critical calculation was placed into the production environment without being tested. Which of the following is the BEST way to obtain assurance that the calculation functions correctly?

Answer options

• A. Check regular execution of the calculation batch job.
• B. Interview the lead system developer.
• C. Obtain post-change approval from management.
• D. Perform substantive testing using computer-assisted audit techniques (CAATs).

Correct answer: D

Explanation

The correct answer is D because performing substantive testing with CAATs allows for a thorough examination of the calculation's accuracy and integrity, ensuring it functions as intended. Option A merely checks for execution and does not confirm correctness, while B relies on the developer's perspective, which may be biased. Option C involves management approval but does not ensure that the change was effective or correct.