An IS auditor notes that patches for the operating system used by an organization are deployed by
the IT department as advised by the vendor. The MOST significant concern an IS auditor should
have with this practice is the nonconsideration bylT of:

A.
the training needs for users after applying the patch.

B.
any beneficial impact of the patch on the operational systems.

C.
delaying deployment until testing the impact of the patch.

D.
the necessity of advising end users of new patches.

Explanation:
Deploying patches without testing exposes an organization to the risk of system disruption or failure.
Normally, there is no need for training or advising users when a new operating system patch has
been installed. Any beneficial impact is less important than the risk of unavailability that could be
avoided with proper testing.