
CISA Exam - Question 1149


An IS auditor noted a recent production incident in which a teller transaction system incorrectly charged fees to customers due to a defect from a recent release. Which of the following should be the auditor's NEXT step?

Correct Answer: D

The IS auditor's next step should be to evaluate the change management process. This step is crucial because the defect that caused the incorrect charging of fees was introduced during a recent release. By evaluating the change management process, the auditor can determine how the release with the defect was approved and identify any weaknesses in the testing and approval procedures. This evaluation can help prevent similar incidents in the future by ensuring that changes are properly reviewed and tested before being deployed to production.

Discussion

5 comments
a84n (Option: C)
May 5, 2024

Answer: C. Evaluating the incident management process is typically the more immediate and pressing concern following a production incident.

Eruza89
May 25, 2024

D for me. The auditor should review the change mgmt process to determine how this release was approved. It is likely that testing procedures were insufficient.

Sibsankar
May 25, 2024

C is perfect

PurpleParrot (Option: D)
Sep 8, 2024

The defect originated from a recent release, suggesting that the issue is likely related to the change management process. Evaluating change management will help determine whether proper procedures were followed during the release and if the defect was introduced due to issues in planning, testing, or implementing the change.

Ehiso (Option: D)
Feb 23, 2025

Since the defect in the teller transaction system was caused by a recent release, it is likely tied to a change made in the system. The auditor should assess the change management process to determine if proper procedures were followed, such as: Were the changes thoroughly tested before being deployed to production? Did the change management process include adequate reviews, approvals, and documentation? Were the necessary rollback or mitigation procedures in place in case of an issue? By evaluating the change management process, the auditor can determine if weaknesses in th