Certified Information Systems Auditor (CISA) — Question 658

Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization’s configuration and release management process?

Answer options

• A. The organization does not use an industry-recognized methodology.
• B. Changes and change approvals are not documented.
• C. There is no centralized configuration management database (CMDB).
• D. All changes require middle and senior management approval.

Correct answer: B

Explanation

The correct answer is B because documenting changes and their approvals is crucial for accountability and traceability, which are key components of effective configuration management. Options A and C, while important, do not directly impact the integrity and oversight of the change process as significantly as lacking documentation does. Option D, requiring management approval, may slow down processes but does not inherently pose a risk to the auditing process.