Which combination of roles should raise the most concern for an IS auditor regarding separation of duties?

Prepare for the CISA Domain 2 Exam. Use flashcards and multiple-choice questions with hints and explanations to get exam ready!

The combination of system administrators and application programmers raises significant concern regarding the separation of duties due to the critical nature of their roles within an organization’s IT environment.

System administrators are responsible for managing, configuring, and maintaining systems and networks, which includes access to sensitive system settings and user accounts and the ability to implement changes across the system infrastructure. In contrast, application programmers are tasked with developing and maintaining applications, which can involve creating code that interacts with the underlying systems directly.

When these two roles overlap or are held by the same individual, malicious activity or unintentional errors can go unchecked. For instance, a programmer with administrative privileges could introduce vulnerabilities or backdoors into applications they develop, circumventing normal security controls. This lack of separation undermines the integrity and confidentiality of the IT systems and can significantly heighten the risk of fraud or security breaches.

In contrast, while the other role combinations listed may also present some risks, they typically do not pose as direct a threat to the integrity of systems as the pairing of system administrators and application programmers does. Maintaining a clear separation between development and administrative duties is fundamental to mitigating risks and ensuring that no single individual has excessive control over both application development
