An internal auditor is reviewing a new automated human resources system. The system contains a table of pay rates which are matched to the employee job classifications. The best control to ensure that the table is updated correctly for only valid pay changes would be to:

During a systems development audit, software developers indicated that all programs were moved from the development environment to the production environment and then tested in the production environment. What should the auditor recommend?
I.Implement a test environment to ensure that testing is not performed in the production environment.
II.
Require developers to move modified programs from the development environment to the test environment and from the test environment to the production environment.
III.
Eliminate access by developers to the production environment.

Which of the following statements about assurance maps is correct?

An audit of a Web-based third-party payment processor determined that a programming error enabled customers to create multiple accounts for each mailing address. This caused problems during the processing of credit card transactions. Management agreed to correct the program and notify customers with multiple accounts that the accounts would be consolidated. What should the auditor do in response?
I. Amend the scope of the subsequent audit to verify that the program was corrected and that accounts were consolidated.
II. Evaluate the adequacy and effectiveness of the corrective action proposed by management.
III. Schedule a follow-up review to verify that the program was corrected and the accounts were consolidated.
IV. Do nothing because management has agreed to address the problem.

An organization's board would like to establish a formal risk management function and has asked the chief audit executive (CAE) to be involved in the process. According to IIA guidance, which of the following roles should the CAE not undertake?