Certified Information Systems Auditor (CISA) — Question 120
Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?
Answer options
- A. Changes are promoted to production by the development group.
- B. Developers have access to the testing environment.
- C. Object code can be accessed by the development group.
- D. Change approvals are not formally documented.
Correct answer: A
Explanation
The greatest concern for an IS auditor is that changes are promoted to production by the development group, as this can lead to unauthorized changes and potential security risks. While developer access to the testing environment and to object code is important, neither poses as immediate a risk to the production environment as unregulated change promotion. The lack of formal documentation for change approvals is also a concern, but it is secondary to the risk of uncontrolled changes being implemented.