Certified Information Systems Auditor (CISA) — Question 63
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
Answer options
- A. Ensure corrected program code is compiled in a dedicated server.
- B. Ensure change management reports are independently reviewed.
- C. Ensure programmers cannot access code after the completion of program edits.
- D. Ensure the business signs off on end-to-end user acceptance test (UAT) results.
Correct answer: B
Explanation
The best recommendation is B because an independent review of change management reports would reveal that the code released to production differed from the corrected version that was approved, catching overlooked or unauthorized changes before deployment. Option A does not address the root cause, option C restricts access but does not ensure the change itself is reviewed, and option D is important but does not directly prevent the recurrence of the issue.