Certified Information Systems Auditor (CISA) — Question 674

An IS auditor is reviewing a sample of production incidents and notes that a root cause analysis is not being performed. Which of the following is the GREATEST risk associated with this finding?

Answer options

• A. The same incident may occur in the future.
• B. Future incidents may not be resolved in a timely manner.
• C. Future incidents may be prioritized inappropriately.
• D. Service level agreements (SLAs) may not be met.

Correct answer: A

Explanation

The greatest risk is that without a root cause analysis, similar incidents are likely to happen again, as the underlying issues remain unaddressed. While other options highlight potential delays or mismanagement in handling future incidents, they do not capture the core risk of recurrence inherent in failing to analyze the root causes.