Certified Information Systems Auditor (CISA) — Question 416
An IS auditor discovers that, due to resource constraints, a database administrator (DBA) is responsible for both developing changes and executing them in the production environment. Which of the following should the auditor do FIRST?
Answer options
- A. Ensure a change management process is followed prior to implementation.
- B. Identify whether any compensating controls exist.
- C. Determine whether another database administrator (DBA) could make the changes.
- D. Report a potential segregation of duties (SoD) violation.
Correct answer: B
Explanation
The correct answer is B because identifying compensating controls lets the auditor assess whether any measures are in place to mitigate the risks of the DBA both developing and executing production changes. Options A and D are important but should be considered after understanding the existing controls. Option C may not address the root cause of the issue, which is the lack of appropriate resource allocation.