Certified Information Systems Auditor (CISA) — Question 936

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

Answer options

• A. IT administrators have access to the production and development environment.
• B. Some user acceptance testing (UAT) was completed by members of the IT team.
• C. Post-implementation testing is not conducted for all system releases.
• D. Access to change testing strategy and results is not restricted to staff outside the IT team.

Correct answer: C

Explanation

The correct answer, C, highlights a significant risk as post-implementation testing is crucial for identifying issues after a system goes live. Options A and B, while concerning, do not indicate as critical a problem as lacking post-implementation testing. Option D raises a security concern, but it is not as directly impactful on the reliability of the system's performance.