CodeReviewTester · 2026-05-20
How should internal audit test code review controls?
- The development team says every pull request is reviewed. What evidence should I inspect?
48 upvotes
AcadiFi Team (Verified Expert, AcadiFi Certified Professional)
Related article: cia-software-defect-root-cause-controls-map
Answer:
- Internal audit should select a sample of changes and inspect whether code review occurred before merge or release, whether the reviewer was appropriate, whether required checks passed, whether comments were resolved, and whether exceptions were approved.
- For higher-risk changes, the auditor may also trace the change back to a requirement or defect ticket, inspect test results, and confirm that segregation exists between developer approval and independent review where the methodology requires it.
- The audit concern is not only whether a review box was checked. A review control should be designed to challenge quality, security, and completeness before the change reaches production.
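The attributes listed in the answer above are the same ones an auditor can test mechanically once the pull-request evidence has been exported. The following is an added example (not part of the original answer or any AcadiFi material) that runs those tests over a constructed sample of merged changes: independent approval dated between the final commit and the merge, self-approved exceptions, required checks present and passing, review threads resolved, and a linked ticket for higher-risk changes. The record layout (`PullRequest`, `Review`, field names) and the sample data are this example's own assumptions, not any vendor's API.

```python
"""Sample-based test of pull-request review controls.

Added example: given evidence records for a sample of merged changes, flag each
attribute an auditor inspects. Record layout and sample data are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Review:
    reviewer: str
    state: str                 # "approved", "changes_requested" or "commented"
    submitted_at: datetime


@dataclass
class PullRequest:
    number: int
    author: str
    last_commit_at: datetime   # last commit pushed before the merge
    merged_at: datetime
    reviews: List[Review]
    checks: Dict[str, str]     # check name -> "success" / "failure" / "pending"
    unresolved_threads: int
    linked_ticket: Optional[str]                 # requirement or defect ticket
    exception_approved_by: Optional[str] = None  # who approved bypassing review
    risk: str = "normal"                         # "normal" or "high"


def evaluate(pr: PullRequest, required_checks: List[str]) -> List[str]:
    """Return the control failures for one sampled change; empty list means it passed."""
    failures: List[str] = []

    # 1. Independent review before merge. An approval counts only if it comes from
    #    someone other than the author and is dated after the final commit and no
    #    later than the merge: approving an earlier revision did not review the merged code.
    independent = [
        r for r in pr.reviews
        if r.state == "approved"
        and r.reviewer != pr.author
        and pr.last_commit_at <= r.submitted_at <= pr.merged_at
    ]
    if not independent:
        if pr.exception_approved_by is None:
            failures.append("no independent approval between the final commit and merge")
        elif pr.exception_approved_by == pr.author:
            failures.append("review exception was self-approved by the author")
        # A bypass approved by a third party is not a failure here, but the auditor
        # still traces that approval to the exception log.

    # 2. Required checks must be present in the evidence and must have passed.
    for name in sorted(required_checks):
        status = pr.checks.get(name)
        if status != "success":
            failures.append(f"required check '{name}' status is {status!r}, not 'success'")

    # 3. Review comments resolved before merge.
    if pr.unresolved_threads > 0:
        failures.append(f"{pr.unresolved_threads} review thread(s) left unresolved at merge")

    # 4. Higher-risk changes trace back to a requirement or defect ticket.
    if pr.risk == "high" and not pr.linked_ticket:
        failures.append("high-risk change has no linked requirement or defect ticket")

    return failures


def audit_sample(sample: List[PullRequest], required_checks: List[str]) -> Dict[int, List[str]]:
    """Evaluate every sampled change; keys are PR numbers, values are failure lists."""
    return {pr.number: evaluate(pr, required_checks) for pr in sample}


def failure_rate(results: Dict[int, List[str]]) -> float:
    """Share of sampled changes with at least one control failure."""
    if not results:
        return 0.0
    return sum(1 for f in results.values() if f) / len(results)


def t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample evidence (not real data): four merged PRs with different weaknesses.
SAMPLE = [
    PullRequest(101, "alice", t("2026-05-01T09:00"), t("2026-05-01T11:00"),
                [Review("bob", "approved", t("2026-05-01T10:00"))],
                {"ci": "success", "sast": "success"}, 0, "DEF-12"),
    # Author approved their own change: no segregation between developer and reviewer.
    PullRequest(102, "carol", t("2026-05-02T09:00"), t("2026-05-02T09:30"),
                [Review("carol", "approved", t("2026-05-02T09:10"))],
                {"ci": "success", "sast": "success"}, 0, "REQ-7"),
    # Approval predates the last commit, and one required check never ran.
    PullRequest(103, "dave", t("2026-05-03T09:00"), t("2026-05-03T09:30"),
                [Review("bob", "approved", t("2026-05-03T08:00"))],
                {"ci": "success"}, 0, "DEF-20"),
    # Review bypassed under an approved exception; threads unresolved and no ticket.
    PullRequest(104, "erin", t("2026-05-04T09:00"), t("2026-05-04T09:05"),
                [], {"ci": "success", "sast": "success"}, 2, None,
                exception_approved_by="grace", risk="high"),
]
REQUIRED_CHECKS = ["ci", "sast"]

if __name__ == "__main__":
    results = audit_sample(SAMPLE, REQUIRED_CHECKS)
    for number, failures in results.items():
        print(f"PR #{number}: {'PASS' if not failures else '; '.join(failures)}")
    print(f"failure rate: {failure_rate(results):.0%}")
```

The stale-approval rule in step 1 is the one most often missed when auditors only check that an approval exists: a reviewer who approved before the author pushed further commits did not review what was merged. Runs against real evidence would replace `SAMPLE` with records exported from the source-control system and `REQUIRED_CHECKS` with the branch-protection policy's list.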
Tags: #code-review #audit-procedures #evidence #sdlc
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
cia·CIA Part 2·46 upvotes
How should auditors prepare for a technical exit meeting?
cia·CIA Part 2·35 upvotes
When should audit quality concerns be escalated beyond the engagement team?
cia·CIA Part 2·56 upvotes
How does business knowledge affect internal audit quality?
cia·CIA Part 2·51 upvotes
Where should an auditor begin a full-company internal control audit?
cia·CIA Part 2·51 upvotes