IT segregation of duties, auditing applications & results.

I need some help in addressing the question below. Thank you.

1. IT Segregation of Duties:
The IT Audit Director identifies an issue related to IT segregation of duties - several developers have access to production for support reasons. The VP of Application Development has stated that this access is needed to support the system and to address emergency change requests. Part 1: Explain the risks associated with this access. Part 2: Develop a recommendation that helps the VP of Application Development more effectively manage the risks you identified in Part 1.

2. Auditing Application Development:
Developer: "I can't believe how many approvals I have to obtain for a simple change to the application. This is ridiculous, I have better things to do with my time."
Explain how the IT auditor can assist management in terms of designing a more efficient and effective change management process.

3. Communicating Audit Results:
You are conducting an IT audit of your company's change management process. You are reviewing several recent changes and determine that the changes do not comply with your company's change management policies. Develop an audit recommendation that may help your company address the root cause and ultimately lead to sustainable policy compliance over time.

Solution Preview

Here are my thoughts to help get you started:

1. There are always risks based on the number of developers that have access to production, even if it is for support reasons. The main issue is that it lowers the level of internal control over information system functions. The access should be limited and should not include multiple people having access to address emergency change requests. If emergency change requests are that frequent, there are other issues that need to be addressed. The main reason for maintaining effective controls is to prevent risks associated with the theft of company proprietary data, and also to prevent the theft of customer and/or employee information from the system. In order to manage the risks identified, the VP of Application Development should determine who actually needs access to production. Developers are typically never given access to production. It is limited to the manager of IT and to any IT department head who is not a ...

Solution Summary

The solution discusses IT segregation of duties, auditing application development, and communicating audit results.