Can someone help me with this question?

Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?

a)Object code can be accessed by the development group

b)Change approvals are not formally documented

c)Changes are promoted to production by the development group

d)Developers have access to the testing environment.

In my opinion, the answer should be A.

Edit: The correct answer is 'C'.