Certified Information Systems Auditor (CISA) — Question 373
An IS auditor is asked to review a large organization's change management process. Which of the following practices presents the GREATEST risk?
Answer options
- A. Transaction data changes can be made by a senior developer.
- B. Change management tickets do not contain specific documentation.
- C. A system administrator performs code migration on planned downtime.
- D. Emergency code changes are promoted without user acceptance testing (UAT).
Correct answer: D
Explanation
The correct answer is D because promoting emergency code changes without user acceptance testing increases the risk of introducing defects or vulnerabilities into the production environment. Options A, B, and C, while potentially risky, do not present the same immediate threat to the stability and functionality of the system that emergency changes without testing do.