What is the impact of not having auditing enabled on a sensitive information system?

Auditing creates a traceable record of security-relevant events—who accessed what, when, and what actions were taken. When auditing isn’t enabled on a sensitive information system, that visibility is lost. Without logs, breaches or misuse can occur without detection, and there’s no reliable trail for investigating what happened, who was responsible, or how to remediate. This directly increases the risk of data breaches and results in a clear lack of accountability, since actions can’t be independently verified or reviewed. It also makes it harder to prove compliance with data protection and security policies that require monitoring and logging. The other options don’t fit because turning auditing off doesn’t reduce network exposure, improve change control, or enhance performance; it primarily removes visibility, hampers detection and forensics, and undermines accountability and regulatory compliance.