Explanation of Answer Choices:

D. The risk that database administrators could make hidden changes using privileged access. (Correct)
Database administrators (DBAs) have privileged access, meaning they can make unauthorized or hidden changes to data, database structures, and security settings without detection. This presents a high risk of fraud, data manipulation, and security breaches.

A. The risk that database administrators will disagree with temporarily preventing user access to the database for auditing purposes. (Incorrect)
While resistance from DBAs during an audit can be a challenge, it is not a significant risk compared to the ability to manipulate data unnoticed.

B. The risk that database administrators do not receive new patches from vendors that support database software in a timely fashion. (Incorrect)
Patch management is a security concern but does not directly relate to the unique risk of DBAs abusing privileged access.

C. The risk that database administrators set up personalized accounts for themselves, making the audit time-consuming. (Incorrect)
While personal accounts can complicate audits, the greater risk is that DBAs can make changes without detection.

IIA References:

IIA GTAG 4 – Management of IT Auditing emphasizes the need for controls over privileged access to prevent unauthorized database modifications.
IIA Standard 2110 – Governance requires internal auditors to assess risks related to IT governance and privileged access management.
IIA GTAG 8 – Auditing Application Controls highlights that auditors must review DBA activity logs and ensure segregation of duties.

Thus, the correct answer is D. The risk that database administrators could make hidden changes using privileged access.