Certified in Risk and Information Systems Control (CRISC) — Question 1259
Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?
Answer options
- A. Segregation of duties controls are overridden during user testing phases
- B. Testing is completed by IT support users without input from end users
- C. Data anonymization is used during all cycles of end user testing
- D. Testing is completed in phases with user testing scheduled as the final phase
Correct answer: A
Explanation
The correct answer is A. It describes a critical risk: when segregation of duties is overridden, the control is compromised, which can lead to conflicts of interest and unchecked access. Option B is a concern, but it does not affect the integrity of controls as directly as A. Option C is a good practice that mitigates risk. Option D merely structures testing into phases and does not pose the same level of concern for risk management as A.