Certified Information Systems Auditor (CISA) — Question 488
An organization has implemented a quarterly job schedule to update database tables so prices are adjusted in line with a price index. These changes do not go through the regular change management process. Which of the following is the MOST important control to have in place?
Answer options
- A. An overarching approval is obtained from the change advisory board.
- B. User acceptance testing (UAT) is performed after the production run.
- C. Each production run is approved by an authorized individual.
- D. Exception reports are generated to identify anomalies.
Correct answer: C
Explanation
Option C is correct because having each production run approved by an authorized individual ensures accountability and minimizes the risk of unauthorized changes. Options A and B, while important, do not directly address the issue of unauthorized changes in production runs. Option D, although useful for monitoring, does not prevent issues from occurring in the first place.