What should the IS auditor recommend? In a small organization, an employee performs computer operations and, when the situation demands, program modifications.

C. Procedures that verify that only approved program changes are implemented

While it would be preferred that strict separation of duties be adhered to and that additional staff is recruited, as suggested in choice B, this practice is not always possible in small organizations. The IS auditor must look at recommended alternative processes. Of the choices, C is the only practical one that has an impact. The IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This would be a compensating control process. Choice A, involving logging of changes to development libraries, would not detect changes to production libraries. Choice D is in effect requiring a third party to do the changes, which may not be practical in a small organization.