The primary role of an internal auditor is to provide independent and objective assurance on the effectiveness of risk management and control processes. To ensure risk mitigation within change management, an auditor performs validation procedures. This involves examining evidence to confirm that key controls are designed appropriately and operating effectively. The activities listed—validating authorization, segregation of duties, testing, and final approval—are the core control points in a change management process that an auditor would test to gain assurance that changes are processed in a controlled and secure manner.

A. Developing and enforcing policies is a management responsibility. An auditor's involvement in these activities would impair their independence and objectivity.

B. Imposing segregation of duties is a management function. The auditor's role is to assess the adequacy of SoD, not to implement or impose it.

C. Implementing controls is a management responsibility. The internal auditor's role is to evaluate the effectiveness of controls implemented by management, not to implement them.

1. The Institute of Internal Auditors (IIA). (2012). Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls (2nd ed.). The guide outlines the auditor's role in reviewing the change management process. On page 16

under "Auditing Change Management

" it lists key audit steps

including: "Verify that changes are appropriately authorized

" "Verify that segregation of duties exists between personnel

" and "Verify that testing procedures are documented and followed." This directly supports the validation activities mentioned in option D.

2. The Institute of Internal Auditors (IIA). (2017). International Professional Practices Framework (IPPF). Standard 2130.A1 states

"The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance

operations

and information systems..." The actions in option D are a direct application of this standard to the change management process.

3. Weber

R. (2012). Information Systems Control and Audit. Pearson Education. Chapter 11

"Auditing Computer Application Systems

" details the audit of program change controls

emphasizing the auditor's need to check for evidence of proper authorization

testing

and approval before changes are moved to production

which aligns perfectly with the activities described in option D.