Certified Information Systems Auditor (CISA) — Question 675

An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

Answer options

• A. Outdated system documentation
• B. Developer access to production
• C. Lack of system integrity
• D. Loss of application support

Correct answer: C

Explanation

The most significant risk is the lack of system integrity, as untested patches can introduce vulnerabilities or instability. The other options, while concerning, do not directly impact the operational reliability and security of the application as severely as compromised system integrity does.