Certified Information Systems Auditor (CISA) — Question 914
Which of the following would be of GREATEST concern to an IS auditor assessing the organizational risk associated with fraud?
Answer options
- A. Unauthorized changes to the production environment have been detected.
- B. Periodic user access reviews to financial systems are inconsistent.
- C. A major financial application is developed and maintained by the application team.
- D. The organization does not require employees to take mandatory leave.
Correct answer: A
Explanation
The detection of unauthorized changes to the production environment raises immediate red flags regarding the integrity and security of critical systems, making it the highest concern for an IS auditor. Inconsistent user access reviews (Option B) and the development of financial applications by the application team (Option C) are also risks, but they do not present an immediate threat the way unauthorized changes do. Mandatory leave policies (Option D) are important for fraud detection, but their absence is less critical than direct unauthorized changes.