An IS auditor has identified deficiencies within the organization’s software development life cycle (SDLC) policies. The SDLC is the process of planning, developing, testing, and deploying software applications1. SDLC policies are the guidelines and standards that govern the SDLC process and ensure its quality, security, and compliance2. Deficiencies in SDLC policies can lead to various risks, such as:
Software errors, bugs, or vulnerabilities that can affect the functionality, reliability, or security of the applications3
Software failures, delays, or overruns that can affect the delivery, performance, or customer satisfaction of the applications3
Software non-compliance that can result in legal, regulatory, or contractual violations or penalties3
The next step that the IS auditor should do after identifying deficiencies in SDLC policies is to communicate the observation to the auditee. The auditee is the person or entity that is subject to the audit and is responsible for the area being audited4. In this case, the auditee could be the software development manager, the project manager, or the senior management of the organization. Communicating the observation to the auditee is important for several reasons:
It allows the IS auditor to verify the accuracy and validity of the observation and gather additional evidence or information from the auditee4
It gives the auditee an opportunity to respond to the observation and provide their perspective, explanation, or justification for the deficiencies4
It enables the IS auditor to discuss with the auditee the potential impact, root cause, and remediation plan for the deficiencies4
It fosters a collaborative and constructive relationship between the IS auditor and the auditee and promotes transparency and accountability in the audit process4
The other options are not as appropriate as communicating the observation to the auditee. Documenting the findings in the audit report is a later stepthat should be done after communicating with the auditee and finalizing the observation. Identifying who approved the policies is not relevant for addressing the deficiencies and may imply blame or fault on a specific person or group. Escalating the situation to the lead auditor is not necessary unless there is a serious disagreement or conflict with the auditee that cannot be resolved by normal communication. Therefore, option D is the correct answer.
[References:, What Is The Software Development Life Cycle? | PagerDuty, Software Development Life Cycle (SDLC) Policy | StrongDM, What Is SDLC? Best Phases, Methodologies, and Benefits Revealed - Kellton, Communicating Audit Findings, , , , , , , , ]
