Which combination of roles in an IT function should raise the greatest concern for an IS auditor?

Prepare for the CISA Domain 5 Exam with our quizzes. Engage with flashcards, multiple-choice questions, detailed hints, and explanations. Boost your confidence and get ready to succeed!

The combination of roles where system administrators also act as application programmers raises significant concern for an IS auditor due to the inherent conflict of interest and lack of segregation of duties. In a well-controlled IT environment, it is crucial to maintain boundaries between different roles and responsibilities to prevent unauthorized changes, ensure checks and balances, and enhance accountability.

When a single individual has control over both system administration and application programming, they may be able to modify system settings and applications without oversight. This concentration of power can lead to vulnerabilities, such as the risk of unauthorized access, data manipulation, or even the creation of backdoors for malicious purposes. The potential for such actions to go undetected is a serious audit concern, as it undermines the integrity and security of the IT systems.

In contrast, while the other options present scenarios that may have their own risks, they do not concentrate as much power in a single role. Network administrators focused on quality assurance or end users serving as security administrators for critical applications imply other compliance or training concerns but do not directly facilitate both development and administrative control like the combination of system administrators and application programmers does. Lastly, the situation of systems analysts also working as database administrators, while again not ideal, does not present the same level of risk to the integrity
