An auditor is reviewing the 'Change Management' process. They find that the 'Request for Change' (RFC) form does not require a back-out plan. Why is this a control deficiency?

Answer options:

Without a back-out plan, the organization may not be able to restore operations quickly if the change fails.

It violates the principle of least privilege.

It prevents the change from being approved by the CAB.

It increases the risk of SQL injection.

How to approach this question

Connect the missing document (back-out plan) to the risk (failed change = downtime).

Full Answer

A.Without a back-out plan, the organization may not be able to restore operations quickly if the change fails.✓ Correct

A back-out (rollback) plan is critical for availability. If a change causes system instability or errors, the team must have a tested method to revert to the previous stable state immediately.

Common mistakes

Focusing on approval bureaucracy rather than the operational risk.

Question 33 All questions Question 35

Practice the full CPA ISC Practice Exam 3

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud-based s...Medium Q02During a review of a client's cloud governance structure, an auditor notes that the client uses a...Medium Q03An auditor is evaluating the 'Processing Integrity' principle for a financial institution's loan ...Hard Q04A company uses a batch processing system to update inventory records overnight. The 'Grandfather-...Hard Q05During a walkthrough of the change management process, an auditor observes that the 'Developer' r...Medium

View all 82 questions →