What should an IS auditor do if the number of program change requests is insufficient to provide reasonable assurance?

Study for the CISA Domain 1 Exam. Get ready with flashcards, multiple-choice questions, hints, and explanations. Prepare thoroughly for your audit and assurance certification!

In situations where the number of program change requests is insufficient to provide reasonable assurance, developing an alternate testing procedure is the most appropriate action. This approach allows the auditor to adapt their testing strategy in response to the limited data available, ensuring that they can still evaluate the effectiveness of the change management process.

By employing an alternate testing procedure, the auditor can potentially increase the scope of the audit and leverage different methods or sources of evidence to assess controls related to program changes. This might involve applying sampling techniques, using heuristic evaluations, or examining related documentation that might not have been part of the initial sample. The goal is to obtain enough evidence to support reliable conclusions regarding the change management process, thereby maintaining the audit's integrity and effectiveness.

Other actions, while also important, may not address the immediate challenge in a manner that ensures adequate assurance. For instance, reporting the finding to management may communicate the issue but does not directly resolve the insufficiency of data for assurance purposes. Performing a walkthrough of the change management process could help the auditor understand how changes are handled but might not yield sufficient evidence without a clear sample of changes. Creating additional sample data could introduce biases or fail to reflect actual control efficacy, and so would not meet the need for testing to accurately assess real change requests.
