Assess Change Management And Version Control
The primary purpose of a formal change management process in IT is to:
A. Ensure that changes to IT systems are authorized, tested, and implemented in a controlled manner to minimize risk and disruption.
B. Prevent end users from requesting new system features or enhancements.
C. Reduce the cost of software development by eliminating testing phases.
D. Require all IT staff to document every action they take in production systems.
Explanation
Change management provides a structured process for evaluating, approving, testing, and implementing changes, reducing the risk of unauthorized changes, system instability, and operational disruption. Answer A is correct. Preventing user requests (B) is not a change management objective. Eliminating testing (C) would increase risk. Documenting every action (D) describes logging, not change management.
An emergency change is required to patch a critical security vulnerability in a production system. Which of the following represents the best practice for handling emergency changes?
A. Implement the change with expedited approval from authorized management, followed by full documentation and post-implementation review.
B. Wait for the next scheduled change window, even if it is weeks away, to follow standard procedures.
C. Implement the change immediately without documentation to minimize the window of vulnerability.
D. Allow any available IT staff member to make the change without approval to save time.
Explanation
Emergency changes require rapid action but should still receive authorization from appropriate management, followed by complete documentation and review after implementation to maintain control. Answer A is correct. Waiting weeks for a critical patch (B) leaves the organization exposed. Skipping documentation entirely (C) and letting any staff member change production without approval (D) bypass controls.
An organization uses a 'configuration management database' (CMDB). The primary purpose of a CMDB is to:
A. Track software license compliance for all installed applications.
B. Maintain an accurate inventory of IT assets (configuration items) and their relationships to support change management and incident resolution.
C. Store encrypted backup copies of the organization's databases.
D. Monitor real-time network traffic for security threats.
Explanation
A CMDB is a repository of information about IT configuration items (hardware, software, services) and their interdependencies, providing the foundation for informed change management decisions, such as identifying which systems a proposed change will affect. Answer B is correct. License tracking (A), encrypted backups (C), and network monitoring (D) are separate systems and functions.
In IT change management, a 'standard change' differs from a 'normal change' in that:
A. Standard changes can only be made by senior IT managers.
B. Standard changes are limited to hardware replacements and do not include software modifications.
C. Standard changes are pre-approved, low-risk, routine changes with well-established procedures that do not require individual CAB review each time.
D. Standard changes require more extensive testing and CAB approval than normal changes.
Explanation
Standard changes are pre-approved categories of routine, low-risk changes (e.g., password resets, standard software installs) that follow predefined procedures and do not need individual CAB review for each occurrence. Answer C is correct. Any authorized staff member can execute them, not only senior managers (A). They can cover software as well as hardware (B). Standard changes require less oversight than normal changes, not more (D).
Which of the following is the primary benefit of using a version control system with branching strategies (such as feature branches) in software development?
A. Version control systems eliminate the need for formal testing before deployment.
B. The production environment automatically receives updates as soon as code is committed.
C. Developers can work on new features in isolation without affecting the stable main codebase, and changes are only merged after review and testing.
D. All developers share a single version of the code at all times, ensuring no conflicts arise.
Explanation
Branching allows parallel development in isolated environments, protecting the stable codebase while enabling code review and testing before merging, a key practice in controlled software development. Answer C is correct. Version control does not replace testing (A). Automatic production updates on every commit (B) bypass review and approval controls. Shared single-version development (D) is the older, riskier model and does not prevent conflicts.
Which of the following represents a key detective control in an IT change management framework?
A. Separating developer and production administrator roles.
B. Implementing automated deployment pipelines that enforce change approvals.
C. Comparing actual changes in production to the approved change request log to identify unauthorized modifications.
D. Requiring written approval from the CAB before any change is implemented.
Explanation
Comparing production changes against the approved change log is a detective control: it identifies, after the fact, changes that occurred without authorization. Answer C is correct. Role separation (A), automated pipelines (B), and CAB approval (D) are all preventive controls, since they stop unauthorized changes before they happen rather than detecting them afterwards.
Which of the following testing phases should occur before a change is deployed to the production environment?
A. User acceptance testing (UAT) should only be performed after the change has been live in production for one week.
B. Testing is not required for changes that have been approved by the CAB.
C. Only security testing is required before production deployment; functionality testing can occur post-deployment.
D. Unit testing, integration testing, and user acceptance testing (UAT) should all be completed in non-production environments before production deployment.
Explanation
Best practice requires progressive testing (unit, integration, and UAT), all completed in test/staging environments before production deployment, to minimize the risk of defects or disruptions. Answer D is correct. Post-production UAT (A) and no testing for CAB-approved changes (B) are inadequate; CAB approval authorizes a change, it does not verify that it works. Security-only testing before deployment (C) is incomplete.
In the context of IT general controls, program change controls are designed to:
A. Track the physical location of all IT hardware assets.
B. Monitor network traffic for unauthorized access to application servers.
C. Ensure that only authorized, tested, and properly approved changes are made to production application programs.
D. Ensure that software licenses are renewed before they expire.
Explanation
Program change controls are a category of IT general controls (ITGCs) that govern the authorization, testing, and migration of application changes to production. Answer C is correct. Asset tracking (A), network monitoring (B), and license management (D) are separate IT control domains.
When auditing program change controls, which of the following procedures would provide the most direct evidence that unauthorized changes are not being made to production?
A. Reviewing the IT department's organizational chart to verify segregation of duties.
B. Reviewing the disaster recovery plan for evidence of change management procedures.
C. Selecting a sample of production changes and tracing each to a corresponding approved change request and test evidence.
D. Interviewing the CIO about the change management policy.
Explanation
Tracing production changes to approved change requests and test documentation is the most direct audit procedure for verifying that changes are authorized and tested, because it starts from what actually changed in production rather than from what the policy says should happen. Answer C is correct. Org chart review (A) and management interviews (D) provide indirect evidence. Disaster recovery plans (B) address recovery, not change authorization.
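The detective control in the earlier question (comparing production changes to the approved change log) and the audit procedure here (tracing each production change to an approved change request and its test evidence) are the same check. The script below is an added example, not part of the original page: it reconciles a constructed production change log against a constructed change request (CR) log and reports every change that cannot be traced to an approved, tested CR whose implementation window covers the deployment. The record formats, field names, and sample data are assumptions for illustration; a real check would read the deploy tool's audit trail, the CMDB, and the ticketing system. An auditor would run the same trace over a sample rather than the whole population.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime as dt


@dataclass
class ChangeRequest:
    cr_id: str
    system: str
    status: str                      # "approved", "pending" or "rejected"
    window_start: dt                 # approved implementation window
    window_end: dt
    test_evidence: list[str] = field(default_factory=list)


@dataclass
class ProductionChange:
    system: str
    applied_at: dt
    applied_by: str
    cr_id: str | None                # CR reference recorded by the deploy tool


# Constructed sample data (not from any real system): the approved-change log
# and the production change log it is reconciled against.
CRS = [
    ChangeRequest("CR-101", "web-app", "approved", dt(2024, 3, 1, 22), dt(2024, 3, 2, 2), ["UAT-signoff-101.pdf"]),
    ChangeRequest("CR-102", "erp-db", "approved", dt(2024, 3, 5, 22), dt(2024, 3, 6, 2), ["int-test-102.log"]),
    ChangeRequest("CR-103", "web-app", "pending", dt(2024, 3, 8, 22), dt(2024, 3, 9, 2), ["unit-103.log"]),
    ChangeRequest("CR-104", "crm", "approved", dt(2024, 3, 10, 22), dt(2024, 3, 11, 2)),
]
CHANGES = [
    ProductionChange("web-app", dt(2024, 3, 1, 23, 15), "deploy-svc", "CR-101"),  # fully supported
    ProductionChange("payroll", dt(2024, 3, 3, 14, 2), "jsmith", None),           # no CR at all
    ProductionChange("erp-db", dt(2024, 3, 6, 9, 30), "dba-01", "CR-102"),        # after the window closed
    ProductionChange("web-app", dt(2024, 3, 8, 23, 0), "deploy-svc", "CR-103"),   # CR never approved
    ProductionChange("crm", dt(2024, 3, 10, 23, 5), "deploy-svc", "CR-104"),      # no test evidence
    ProductionChange("erp-db", dt(2024, 3, 1, 23, 30), "dba-01", "CR-101"),       # CR is for another system
    ProductionChange("hr-portal", dt(2024, 3, 12, 10, 0), "jsmith", "CR-999"),    # CR id does not exist
]


def index_crs(crs: list[ChangeRequest]) -> dict[str, ChangeRequest]:
    return {cr.cr_id: cr for cr in crs}


def trace(change: ProductionChange, crs_by_id: dict[str, ChangeRequest]) -> str | None:
    """Trace one production change to its CR. Returns None when the change is
    fully supported, otherwise a one-line description of the control gap."""
    if change.cr_id is None:
        return "no change request recorded"
    cr = crs_by_id.get(change.cr_id)
    if cr is None:
        return f"{change.cr_id} does not exist in the CR log"
    if cr.status != "approved":
        return f"{cr.cr_id} is {cr.status}, not approved"
    if cr.system != change.system:
        return f"{cr.cr_id} was approved for {cr.system}, not {change.system}"
    if not (cr.window_start <= change.applied_at <= cr.window_end):
        return f"applied outside the approved window of {cr.cr_id}"
    if not cr.test_evidence:
        return f"{cr.cr_id} has no test evidence attached"
    return None


def reconcile(changes: list[ProductionChange], crs: list[ChangeRequest]):
    """Detective control: list every production change that lacks a supporting CR."""
    crs_by_id = index_crs(crs)
    findings = []
    for change in changes:
        gap = trace(change, crs_by_id)
        if gap is not None:
            findings.append((change, gap))
    return findings


if __name__ == "__main__":
    for change, gap in reconcile(CHANGES, CRS):
        print(f"{change.applied_at:%Y-%m-%d %H:%M} {change.system:9} "
              f"by {change.applied_by:10} -> {gap}")
```

The checks run in order from "is there a CR at all" to "was it tested", so each finding names the first control that failed; the window and system checks matter because a valid CR number pasted onto an unrelated or late deployment is a common way an unauthorized change hides in the log.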
A company's development team uses a 'continuous integration/continuous deployment' (CI/CD) pipeline. From a controls perspective, what is most important to ensure in this environment?
A. The CI/CD pipeline should be disabled during financial reporting periods to prevent unauthorized changes.
B. Automated testing, code reviews, and approval gates must be embedded in the pipeline to maintain change management controls despite the rapid deployment cadence.
C. The CI/CD pipeline should only be used for development environment deployments, never for production.
D. All CI/CD deployments should be reviewed by external auditors before going live.
Explanation
CI/CD accelerates deployment, so controls must be embedded in the pipeline itself (automated tests, peer code reviews, and approval gates) rather than relying on manual processes that cannot keep pace. Answer B is correct. Disabling CI/CD periodically (A) disrupts business without improving control at other times. Limiting CI/CD to development only (C) defeats its purpose. External auditor pre-review of every deployment (D) is impractical and is not the auditor's role.
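An approval gate only maintains control if it checks the right things: that tests passed on the exact commit being promoted, that the reviewer is not the author, that no commits were pushed after the review, and that a change record is linked. The function below is an added example, not part of the original page or any CI product: it evaluates a constructed pipeline run record against those conditions and reports every failed control rather than stopping at the first. The `PipelineRun` fields and the sample runs are assumptions; in practice they would be populated from the CI system and the code-hosting platform's review data.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PipelineRun:
    """What the gate can see about one build that is a candidate for production.
    Constructed structure for this example, not a real CI system's record."""
    commit: str                        # commit being promoted
    author: str                        # who pushed it
    tests_passed: bool
    tested_commit: str                 # commit the test stage actually ran against
    approvals: list[str] = field(default_factory=list)   # reviewers who approved
    approved_commit: str = ""          # commit the approvals were given on
    change_ticket: str | None = None   # link to the change record


def deployment_gate(run: PipelineRun, min_reviewers: int = 1) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failing check is reported, so the owner
    of a blocked deployment sees all the controls that were missed."""
    reasons: list[str] = []
    if not run.tests_passed:
        reasons.append("automated tests did not pass")
    if run.tested_commit != run.commit:
        reasons.append("tests ran against a different commit than the one being deployed")
    # Self-approval does not count: the reviewer must be someone other than the author.
    independent = [r for r in run.approvals if r != run.author]
    if len(independent) < min_reviewers:
        reasons.append(f"needs {min_reviewers} approval(s) from someone other than the author")
    # An approval given on an earlier commit does not cover code pushed afterwards.
    if run.approvals and run.approved_commit != run.commit:
        reasons.append("approval is stale: commits were pushed after review")
    if not run.change_ticket:
        reasons.append("no change record linked to the deployment")
    return (not reasons, reasons)


# Constructed sample runs (hypothetical commits, people and ticket ids).
CLEAN = PipelineRun("a1b2c3", "alice", True, "a1b2c3", ["bob"], "a1b2c3", "CHG-2041")
SELF_APPROVED = PipelineRun("d4e5f6", "alice", True, "d4e5f6", ["alice"], "d4e5f6", "CHG-2042")
STALE_REVIEW = PipelineRun("0a0b0c", "carol", True, "0a0b0c", ["bob"], "9f9e9d", "CHG-2043")
UNTESTED = PipelineRun("77aa88", "dave", False, "77aa88", ["bob"], "77aa88", None)


if __name__ == "__main__":
    for name, run in [("clean", CLEAN), ("self-approved", SELF_APPROVED),
                      ("stale review", STALE_REVIEW), ("untested", UNTESTED)]:
        allowed, reasons = deployment_gate(run)
        print(f"{name:14} -> {'DEPLOY' if allowed else 'BLOCKED'} {reasons}")
```

The stale-approval and tested-commit checks are the ones most often missing from a home-grown gate; without them a reviewed, tested build can be swapped for a different commit between review and deployment and the pipeline will still report that every control passed.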