Exam CISA
Question 619

An IS auditor discovers that due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?

    Correct Answer: D

    When a database administrator (DBA) is responsible for both developing and executing changes in the production environment, this creates a segregation of duties (SoD) conflict. Reporting this potential SoD violation should be prioritized to immediately highlight the risk associated with insufficient separation of responsibilities. Such a situation may enable unauthorized changes or errors that can compromise the system's integrity and security. Once reported, appropriate steps can be taken to address the issue and enforce suitable controls.

Discussion
Yejide03 Option: B

B. Identify whether any compensating controls exist.

Swallows Option: A

When database administrators (DBAs) are responsible for developing and implementing changes to a production environment, it is important that those changes are properly managed. A change management process is a framework for consistently managing the planning, approval, implementation, monitoring, and evaluation of change.

FAGFUR Option: D

Identifying and reporting a segregation of duties (SoD) violation is crucial because it highlights the potential risk associated with a single individual having both development and execution responsibilities in the production environment. This situation poses a risk of unauthorized or erroneous changes, and reporting the SoD violation can trigger corrective actions to mitigate this risk. Addressing the segregation of duties issue is a fundamental concern that needs immediate attention to enhance control and security. The auditor can then work collaboratively with the organization to implement appropriate measures, such as a change management process or additional controls, to mitigate the identified risk.

Eiad1100

Due to resource constraints. I think there should be compensating controls. So the answer is B.

3008 Option: B

B is the answer.

oldmagic Option: D

I'll go with D; the first order of business should be to report the SoD violation, as it's a direct risk.