An IS auditor reviews change control tickets and finds an emergency change request where an IT manager approved the change, modified the code on the production platform, and resolved the ticket.
Which of the following should be the auditor's GREATEST concern?
A. B. C. D.D.
The IS auditor's greatest concern in this scenario is related to the lack of proper change control procedures and the potential risks associated with the emergency change request.
Change control is the process of managing changes to an organization's IT environment in a controlled manner to minimize disruption to operations and reduce the risk of errors, outages, or security breaches. It involves the formal authorization, documentation, and testing of changes before they are implemented in production environments.
In this scenario, the IT manager approved and implemented an emergency change request without following the proper change control procedures. This indicates a lack of proper change control governance and increases the risk of errors or outages resulting from the change.
Option B, which states that the change was made less than an hour after the request, is a concern as it implies that the change was implemented without proper testing and approval. However, this may be a necessary action for emergency changes, provided that proper documentation and justification are obtained.
Option A, which states that there was no follow-up approval from the business, is also a concern as it indicates a lack of oversight and governance. However, it is not the greatest concern as emergency changes may require expedited approval processes due to their time-sensitive nature.
Option C, which states that there was no testing prior to making the change in production, is also a concern as it increases the risk of errors and outages resulting from the change. However, it is not the greatest concern as emergency changes may not allow sufficient time for testing, provided that proper documentation and justification are obtained.
Option D, which states that the IT manager performed the change and resolved the ticket, is not a concern in itself as it is a common practice in IT operations. However, it is an issue when coupled with the lack of proper change control procedures, which may lead to unauthorized changes and increased risks.
Therefore, the greatest concern for the IS auditor is the lack of proper change control procedures and governance for emergency changes, which increases the risk of errors, outages, and unauthorized changes.