
ISACA CISA: Securing and Reviewing Audit Trails a Priority in IS Audits

When improper database access risks are found, IS auditors should first verify that the related audit trail is secured and reviewed, before addressing vulnerabilities that exist out of operational necessity.

Question

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor’s FIRST action should be to:

A. recommend that the system require two persons to be involved in modifying the database.
B. determine whether the log of changes to the tables is backed up.
C. determine whether the audit trail is secured and reviewed.
D. recommend that the option to directly modify the database be removed immediately.

Answer

C. determine whether the audit trail is secured and reviewed.

Explanation

The IS auditor’s first action should be to determine whether the audit trail is secured and reviewed.

Though direct data modification introduces risk, immediate remediation may not be feasible if the option is essential for system functionality. However, securing and scrutinizing the audit trail of changes provides a compensating control for accountability.

By prioritizing confirmation of audit logging and analysis controls, the IS auditor balances risk reduction with operational necessity. This sequenced audit approach puts monitoring first, before pursuing changes to the system's behavior itself.
