Evaluate Change Management Controls


Questions 1 - 10
1

Which of the following change management scenarios most directly threatens the reliability of financial reporting?

An unapproved update to the company's website content management system.

An unauthorized change to the revenue recognition calculation module in the ERP system.

A change to the IT help desk ticketing system without proper approvals.

An unauthorized upgrade to the company's email client.

Explanation

Unauthorized changes to the logic of a financial application can directly alter how transactions are recorded and calculated, producing materially misstated financial reports. The unauthorized change to the revenue recognition calculation module in the ERP system is therefore the correct answer. The website content management system, the help desk ticketing system and the email client do not process financial transactions, so unapproved changes to them are still control failures but do not directly threaten financial reporting.

2

An organization has strong documented change management policies but the auditor's testing reveals that employees routinely bypass the process for 'minor' changes. This situation most likely indicates:

The change management policy needs to be simplified.

A gap between policy design and operating effectiveness - controls that exist on paper but are not followed do not provide actual protection.

The auditor's sample was too small to draw conclusions.

Minor changes present no risk and do not need formal controls.

Explanation

When documented controls are not followed in practice, the control has failed at the operating-effectiveness level even if its design is adequate; the correct answer is the gap between policy design and operating effectiveness. Simplifying the policy does not address non-compliance with it. Minor changes are not risk-free: changes judged too small to need formal control have caused significant incidents. A consistent pattern of bypass across the sample is a control deficiency, not a sampling problem.

3

A company uses automated CI/CD pipelines with built-in approval gates. An auditor evaluating change management controls should primarily focus on:

Whether the approval gates are properly configured, enforced, and cannot be bypassed, and whether access to modify the pipeline is appropriately restricted.

The number of deployments completed per day.

Whether the CI/CD tool is from a reputable vendor.

Whether all developers attended CI/CD training.

Explanation

In an automated pipeline the controls are embedded in the pipeline itself, so the auditor must verify that the approval gates are correctly configured, actually enforced, and cannot be bypassed (for instance by editing the pipeline definition or skipping the gate), and that the ability to modify the pipeline is restricted to authorized people. The option describing those checks is correct. Vendor reputation, deployment volume and developer training do not answer the core control questions.

4

An auditor finds that a change management system shows 200 approved change requests, but deployment logs reveal 230 deployments. The most likely explanation and risk is:

The deployment logs include test environment deployments.

30 changes were deployed without approved change requests, indicating unauthorized changes that bypassed the control process.

The change management system failed to generate tickets for 30 changes due to a software bug.

Some changes were duplicates deployed twice with separate ticket numbers.

Explanation

Production deployments that exceed the number of approved change requests indicate that changes reached production without an approved ticket; the option identifying 30 unauthorized changes that bypassed the control process is correct. Test-environment deployments, a ticketing bug and duplicate deployments are possible alternative explanations, but unauthorized change is the primary conclusion until investigation shows otherwise. The auditor should reconcile each deployment to its ticket rather than compare totals, because matching totals can still hide unauthorized deployments offset by approved changes that were never deployed.

5

Which change management control most directly addresses the risk that a developer introduces malicious code into a production system?

Mandatory code review by a second developer and prohibition on developers deploying their own code to production.

Requiring all code to be written in a language approved by the security team.

Encrypting all source code in the version control repository.

Documenting all code changes in the change management system.

Explanation

Mandatory peer review gives a second person the opportunity to catch malicious or erroneous code before deployment, and prohibiting self-deployment ensures that the developer cannot alone place code into production; the option combining code review with a ban on developers deploying their own code is correct. Requiring an approved language and documenting changes in the change management system do not detect malicious code. Encrypting the repository protects the confidentiality of the source, not the integrity of what is deployed.

6

An auditor evaluating change management controls for a company that recently migrated to a cloud-based ERP system should consider which risk most unique to cloud environments?

Change documentation may be incomplete.

Changes may not be properly tested before deployment.

The cloud vendor may push automatic updates without the organization's knowledge or approval, changing system behavior unexpectedly.

Developers may bypass the change management process.

Explanation

Cloud environments introduce vendor-controlled updates as a risk specific to them: a SaaS provider may update the system automatically, altering functionality without the customer's change management process ever being applied. The option describing vendor-pushed updates without the organization's knowledge or approval is correct. Developer bypass, testing gaps and incomplete documentation are risks in any environment. For vendor updates the compensating controls are procedural: subscribing to release notifications, testing releases in a preview or sandbox tenant where the vendor offers one, and regression-testing financial processes after each release.

7

When evaluating whether change management controls adequately protect financial reporting, an auditor should focus primarily on changes to:

Physical IT infrastructure such as servers and network equipment.

Systems that process, store, or transmit financial data, including the ERP, financial reporting applications, and related interfaces.

Only systems with a direct internet connection.

All IT systems regardless of their connection to financial data.

Explanation

For financial reporting purposes, change management controls are most critical for the in-scope financial systems: the ERP, financial reporting applications and the interfaces that move data between them. That option is correct. Not all IT systems affect financial reporting, so "all IT systems" overstates the scope; an internet connection is not the relevant criterion; and changes to physical infrastructure are less directly relevant than changes to the applications and interfaces that process financial data, although infrastructure those applications depend on still needs to be considered.

8

Which of the following represents the strongest evidence that an organization's change management controls operated effectively throughout the audit period?

An absence of IT incidents or outages during the period.

A signed statement from the CIO confirming all changes were properly approved.

A sample of production changes tested throughout the period, each with documented approval, testing evidence, and deployment by an authorized individual separate from the developer.

The existence of a change advisory board meeting schedule.

Explanation

Evidence of operating effectiveness comes from testing actual changes against the control requirements across the whole period; the sample of production changes, each with documented approval, testing evidence and deployment by someone other than the developer, is the correct answer. A signed CIO statement and the existence of a change advisory board schedule are indirect evidence that a control exists, not that it operated. The absence of incidents does not show that controls operated effectively, since an unauthorized change can reach production without causing an outage.

9

A company implements a 'four-eyes' principle for production deployments. This means:

Four managers must approve every change before deployment.

Deployments require review by four different departments.

At least two people must be involved in deploying a change - the developer cannot unilaterally push code to production without a second person's involvement.

Four separate test environments must be used before production deployment.

Explanation

The four-eyes principle requires at least two people on every production deployment, so a single developer cannot both write and deploy the code; the option stating that the developer cannot unilaterally push code to production is correct. It requires two people, not four managers or four departments, and the number of test environments is unrelated.
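The tests behind questions 4, 8 and 9 can be run mechanically when the auditor has a change-ticket export and a deployment log. The following script is an added example, not code from the original page or from any exam provider: it reconciles each production deployment to an approved ticket (the question 4 completeness test), then checks the attributes from question 8 (approval recorded before deployment, test evidence attached) and the four-eyes rule from question 9 (deployer is not the developer). The CSV and log formats, column names, people and ticket numbers are all constructed for illustration; real tools export different fields, but the checks are the same.

```python
"""Reconcile a change-ticket export against a production deployment log.

Constructed example: file layouts, field names and all records below are
invented for illustration and are not taken from any real system.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed change-management export (not real data).
CHANGES_CSV = """ticket,status,developer,approver,approved_at,test_evidence
CHG-1001,Approved,alice,carol,2024-03-01T09:00:00,TEST-55
CHG-1002,Approved,bob,carol,2024-03-02T14:30:00,
CHG-1003,Rejected,bob,carol,2024-03-03T10:00:00,TEST-57
CHG-1004,Approved,dave,erin,2024-03-05T16:00:00,TEST-58
"""

# Constructed deployment log (not real data).
# Columns: timestamp environment ticket-or-dash deployer artifact
DEPLOY_LOG = """2024-03-01T10:15:00 prod CHG-1001 bob erp-gl-2.3.1
2024-03-02T15:00:00 prod CHG-1002 alice erp-ar-1.9.0
2024-03-02T15:05:00 test CHG-1002 alice erp-ar-1.9.0
2024-03-03T11:00:00 prod CHG-1003 bob erp-ar-1.9.1
2024-03-04T09:00:00 prod - frank erp-revrec-4.0.0
2024-03-05T15:30:00 prod CHG-1004 dave erp-gl-2.3.2
2024-03-05T16:30:00 prod CHG-1004 dave erp-gl-2.3.2
"""


@dataclass(frozen=True)
class Change:
    ticket: str
    status: str
    developer: str
    approver: str
    approved_at: datetime
    test_evidence: str


@dataclass(frozen=True)
class Deployment:
    when: datetime
    env: str
    ticket: Optional[str]
    deployer: str
    artifact: str


def parse_changes(text: str) -> dict[str, Change]:
    """Index the ticket export by ticket number."""
    changes = {}
    for row in csv.DictReader(io.StringIO(text)):
        changes[row["ticket"]] = Change(
            ticket=row["ticket"],
            status=row["status"],
            developer=row["developer"],
            approver=row["approver"],
            approved_at=datetime.fromisoformat(row["approved_at"]),
            test_evidence=row["test_evidence"].strip(),
        )
    return changes


def parse_deployments(text: str) -> list[Deployment]:
    """Parse the whitespace-separated log; '-' means no ticket was referenced."""
    deployments = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, env, ticket, deployer, artifact = line.split()
        deployments.append(Deployment(
            when=datetime.fromisoformat(when),
            env=env,
            ticket=None if ticket == "-" else ticket,
            deployer=deployer,
            artifact=artifact,
        ))
    return deployments


def reconcile(changes: dict[str, Change], deployments: list[Deployment],
              prod_env: str = "prod"):
    """Return (summary counts, findings). Each finding entry is
    (timestamp, ticket or '-', artifact) so it can be traced back to the log."""
    findings = {
        "unauthorized": [],             # no ticket, unknown ticket, or ticket not approved
        "deployed_before_approval": [], # deployment timestamp precedes approval
        "segregation_of_duties": [],    # developer deployed their own change (four-eyes)
        "missing_test_evidence": [],    # approved ticket has no test reference
        "ticket_reused": [],            # one ticket covering several prod deployments
    }
    # Non-production deployments are excluded rather than counted as exceptions:
    # this is the "test environment" explanation from question 4, made explicit.
    prod = [d for d in deployments if d.env == prod_env]
    uses = Counter(d.ticket for d in prod if d.ticket)

    for d in prod:
        ref = (d.when.isoformat(), d.ticket or "-", d.artifact)
        chg = changes.get(d.ticket) if d.ticket else None
        if chg is None or chg.status != "Approved":
            findings["unauthorized"].append(ref)
            continue  # attribute tests only make sense for approved changes
        if d.when < chg.approved_at:
            findings["deployed_before_approval"].append(ref)
        if d.deployer == chg.developer:
            findings["segregation_of_duties"].append(ref)
        if not chg.test_evidence:
            findings["missing_test_evidence"].append(ref)

    findings["ticket_reused"] = [t for t, n in uses.items() if n > 1]
    summary = {
        "approved_tickets": sum(1 for c in changes.values() if c.status == "Approved"),
        "production_deployments": len(prod),
        "excluded_nonprod": len(deployments) - len(prod),
    }
    return summary, findings


if __name__ == "__main__":
    summary, findings = reconcile(parse_changes(CHANGES_CSV), parse_deployments(DEPLOY_LOG))
    print(summary)
    for name, refs in findings.items():
        print(f"{name}: {refs}")
```

On the constructed data the script reports 6 production deployments against 3 approved tickets, two unauthorized deployments (one on a rejected ticket, one with no ticket at all), one deployment recorded before its approval, two four-eyes violations, one approved change without test evidence, and one ticket reused for two production deployments. Comparing totals alone (6 versus 3) would have shown a gap but not which deployments caused it; the per-deployment reconciliation is what turns the question 4 discrepancy into testable exceptions.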

10

When performing a risk-based assessment of change management controls, an auditor should assign highest risk to changes affecting:

User interface cosmetic changes with no backend logic impact.

Helpdesk and ticketing systems used only by IT staff.

Core financial applications, access control systems, and interfaces that feed financial reporting data.

Static marketing content on the company's public website.

Explanation

Changes to core financial applications, access control systems and the interfaces that feed financial reporting data pose the highest risk to financial reporting integrity; that option is correct. Cosmetic UI changes, internal IT tools and static marketing content present minimal financial reporting risk. Access control systems belong in the highest tier because a change there can grant the access needed to make, or conceal, an unauthorized change anywhere else.

Page 1 of 3