Medium · 1 mark · Multiple Choice
Area I: Information Systems · Change Management · IT Operations

CPA · Question 34 · Area I: Information Systems

An auditor is reviewing the 'Change Management' process. They find that the 'Request for Change' (RFC) form does not require a back-out plan. Why is this a control deficiency?

Answer options:

A. Without a back-out plan, the organization may not be able to restore operations quickly if the change fails.

B. It violates the principle of least privilege.

C. It prevents the change from being approved by the CAB.

D. It increases the risk of SQL injection.

How to approach this question

Connect the missing document (back-out plan) to the risk (failed change = downtime).

Full Answer

A. Without a back-out plan, the organization may not be able to restore operations quickly if the change fails. ✓ Correct
A back-out (rollback) plan is critical for availability. If a change causes system instability or errors, the team must have a tested method to revert to the previous stable state immediately.

Common mistakes

Focusing on approval bureaucracy rather than the operational risk.

Practice the full CPA ISC Practice Exam 3
