Certified Information Systems Auditor (CISA) — Question 707
Which of the following would be of GREATEST concern to an IS auditor when evaluating governance processes for a user-developed tool?
Answer options
- A. Penetration testing has not been conducted.
- B. Significant changes to the tool were not documented.
- C. The backup strategy has not been tested.
- D. A risk assessment has not been performed.
Correct answer: D
Explanation
The absence of a risk assessment is the greatest concern because a risk assessment is what identifies the potential threats and vulnerabilities associated with the user-developed tool. While the other options are important, they are secondary to understanding the overall risk landscape, which is essential in governance evaluation.