Certified Information Systems Auditor (CISA) — Question 959
An IS auditor noted a recent production incident in which a teller transaction system incorrectly charged fees to customers due to a defect from a recent release. Which of the following should be the auditor's NEXT step?
Answer options
- A. Evaluate developer training.
- B. Evaluate secure code practices.
- C. Evaluate the incident management process.
- D. Evaluate the change management process.
Correct answer: D
Explanation
The correct answer is D because evaluating the change management process will help identify how the defect was introduced during the recent release. The other options, while relevant to software quality, do not directly address the immediate issue: how the changes that led to the production incident were managed.