An IS auditor reviewing change management should be MOST concerned when?

When an IS auditor reviews change management processes, the greatest concern arises when the configuration management database (CMDB) is not maintained. The CMDB is crucial because it contains all relevant information about the organization’s IT assets and their configurations. When the CMDB is outdated or inaccurate, it poses significant risks, as it could lead to improper assessments of the impact of changes, increased likelihood of failed changes, and difficulties in troubleshooting incidents. Accurate and up-to-date configuration information is essential for effective change management, ensuring that all changes are tracked, assessed for impact, and properly communicated throughout the organization.

While the other scenarios highlight relevant issues, they do not directly undermine the overarching change management process as critically as the lack of a maintained CMDB. For example, test systems running different configurations could create inconsistencies in understanding how changes will affect the production environment, and paper-based records could lead to inefficiencies and errors. However, these issues can often be addressed through proper documentation and process adjustments. In contrast, an unmaintained CMDB fundamentally weakens the integrity of the change management framework, making it the most pressing concern for an auditor.