Certified Information Systems Auditor (CISA) — Question 1119
Which of the following conditions should be of GREATEST concern to an IS auditor reviewing change management?
Answer options
- A. Vendors do not have access to apply changes to the quality assurance (QA) environment.
- B. The individual applying the changes is not responsible for approving the changes.
- C. Change management documentation is not submitted prior to development.
- D. The change management process does not include vendor-supplied changes.
Correct answer: C
Explanation
The correct answer is C because failing to submit change management documentation before development can lead to unauthorized changes and a lack of accountability. Options A and D are concerns, but they are not as critical as ensuring that proper documentation is in place before development starts. Option B, while important, does not affect the oversight and control of the change management process as significantly as incomplete documentation does.