What method should an IS auditor use to determine unauthorized modifications to production programs?

The most effective method for determining unauthorized modifications to production programs is compliance testing. This process involves reviewing the relevant policies and procedures that govern access and changes to production environments, as well as testing to ensure that these protocols are being followed. Compliance testing can help identify instances where modifications did not follow the required change management processes, thus revealing unauthorized alterations.

By systematically checking if the modifications align with the expected controls and policies, an IS auditor can effectively pinpoint discrepancies that might indicate unauthorized changes. Moreover, compliance testing often involves examining configuration settings, user access logs, and change requests, making it a comprehensive approach to ensure adherence to established protocols.

While system log analysis can provide insights into user activity and access, it may not directly identify unapproved changes without a framework for evaluating compliance. Forensic analysis, while thorough, is more suited for investigating incidents after they occur rather than proactively identifying unauthorized changes. Analytical review techniques can help detect anomalies but may not sufficiently verify compliance with program modification protocols. Thus, compliance testing stands out as the most appropriate choice in identifying unauthorized modifications to production programs.