Change Management Process Risk Assessment | CISA Exam

Greatest Risk in an Organization's Change Management Process


Question

An IS auditor is asked to review a large organization's change management process.

Which of the following practices presents the GREATEST risk?

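Answers

A. Emergency code changes are promoted without user acceptance testing
B. A system administrator performs code migration on planned downtime
C. Change management tickets do not contain specific documentation
D. Transaction data changes can be made by a senior developer

C.

Explanations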

In the context of change management, organizations use a structured approach to ensure that changes to information systems are implemented in a controlled manner, with the aim of minimizing the risk of unintended consequences. In this scenario, the IS auditor has been tasked with reviewing the organization's change management process and identifying the practice that presents the greatest risk.

A. Emergency code changes are promoted without user acceptance testing: This practice presents a significant risk because emergency changes are typically made to address critical issues, and there is often pressure to implement them quickly. In such a scenario, it may be tempting to skip some of the steps in the change management process, such as user acceptance testing. However, if changes are implemented without adequate testing, there is a high risk of introducing errors or other unintended consequences that could negatively impact the organization.

B. A system administrator performs code migration on planned downtime: This practice is generally considered to be a best practice in change management because it allows changes to be made in a controlled environment. By performing code migration during planned downtime, the organization can minimize the risk of disruption to business operations.

C. Change management tickets do not contain specific documentation: While documentation is an important component of change management, the absence of specific documentation in change management tickets is not necessarily a significant risk in and of itself. The risk associated with this practice would depend on the nature of the documentation that is missing, and whether its absence could impact the ability of stakeholders to understand the change and its potential impacts.

D. Transaction data changes can be made by a senior developer: This practice presents a significant risk because it allows a single individual to make changes to transaction data without adequate oversight or controls. This could lead to errors, fraud, or other issues that could negatively impact the organization.

In conclusion, of the four practices listed, the practice that presents the greatest risk is emergency code changes being promoted without user acceptance testing. This is because the absence of user acceptance testing increases the risk of introducing errors or unintended consequences that could negatively impact the organization.